authoragc <agc@pkgsrc.org>2016-06-14 18:00:59 +0000
committeragc <agc@pkgsrc.org>2016-06-14 18:00:59 +0000
commit92d975bfc63a42370283a66092ebc500c785e16b (patch)
tree309604635a106b3e9179f789eff11e40c5504833 /security/netpgpverify
parentf90dbeda830a03570068c84b5e314a78a605e07f (diff)
Update netpgpverify (and libnetpgpverify) to 20160614
+ handle signatures created by gpg with "--no-emit-version"; don't assume there will always be a version string. + add a test for the above. Fixes security PR/51240. Thanks to xnox@ubuntu.com for reporting the error.
Diffstat (limited to 'security/netpgpverify')
-rw-r--r--security/netpgpverify/files/Makefile.bsd4
-rw-r--r--security/netpgpverify/files/Makefile.in4
-rw-r--r--security/netpgpverify/files/libverify.c15
-rw-r--r--security/netpgpverify/files/noversion.asc14
-rw-r--r--security/netpgpverify/files/verify.h4
5 files changed, 32 insertions, 9 deletions
diff --git a/security/netpgpverify/files/Makefile.bsd b/security/netpgpverify/files/Makefile.bsd
index 495133cc7cc..5c0f0589baf 100644
--- a/security/netpgpverify/files/Makefile.bsd
+++ b/security/netpgpverify/files/Makefile.bsd
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.bsd,v 1.8 2015/02/05 00:21:57 agc Exp $
+# $NetBSD: Makefile.bsd,v 1.9 2016/06/14 18:00:59 agc Exp $
PROG=netpgpverify
@@ -43,3 +43,5 @@ tst:
rm -f 1keytest.gpg
@echo "testing signing with a subkey"
./chk.sh -k joyent-pubring.gpg digest-20121220.tgz
+ @echo "testing signatures with no version"
+ ./${PROG} -k pubring.gpg noversion.asc
diff --git a/security/netpgpverify/files/Makefile.in b/security/netpgpverify/files/Makefile.in
index 11055f597ae..b3c430930f1 100644
--- a/security/netpgpverify/files/Makefile.in
+++ b/security/netpgpverify/files/Makefile.in
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.in,v 1.4 2015/08/17 11:37:55 jperkin Exp $
+# $NetBSD: Makefile.in,v 1.5 2016/06/14 18:00:59 agc Exp $
PROG=netpgpverify
@@ -43,6 +43,8 @@ tst:
rm -f 1keytest.gpg
@echo "testing signing with a subkey"
./chk.sh -k joyent-pubring.gpg digest-20121220.tgz
+ @echo "testing signatures with no version"
+ ./${PROG} -k pubring.gpg noversion.asc
clean:
rm -rf *.core ${OBJS} ${PROG}
diff --git a/security/netpgpverify/files/libverify.c b/security/netpgpverify/files/libverify.c
index e749c45f921..81de971ab4e 100644
--- a/security/netpgpverify/files/libverify.c
+++ b/security/netpgpverify/files/libverify.c
@@ -2022,12 +2022,17 @@ read_ascii_armor(pgpv_cursor_t *cursor, pgpv_mem_t *mem, const char *filename)
}
litdata.u.litdata.len = litdata.s.size = (size_t)(p - datastart);
p += strlen(SIGSTART);
- if ((p = find_bin_string(p, mem->size, "\n\n", 2)) == NULL) {
- snprintf(cursor->why, sizeof(cursor->why),
- "malformed armed signature at %zu", (size_t)(p - mem->mem));
- return 0;
+ /* Work out whther there's a version line */
+ if (memcmp(p, "Version:", 8) == 0) {
+ if ((p = find_bin_string(p, mem->size, "\n\n", 2)) == NULL) {
+ snprintf(cursor->why, sizeof(cursor->why),
+ "malformed armed signature at %zu", (size_t)(p - mem->mem));
+ return 0;
+ }
+ p += 2;
+ } else {
+ p += 1;
}
- p += 2;
sigend = find_bin_string(p, mem->size, SIGEND, strlen(SIGEND));
binsigsize = b64decode((char *)p, (size_t)(sigend - p), binsig, sizeof(binsig));
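Review bot: The new `memcmp(p, "Version:", 8)` reads eight bytes without checking that they lie inside `mem->mem + mem->size`, so an armored input truncated right after the signature header line can read past the buffer; the test needs a bound first, e.g. `if ((size_t)(p - mem->mem) + 8 <= mem->size && memcmp(p, "Version:", 8) == 0)`, and both `find_bin_string(p, mem->size, ...)` calls pass the whole buffer size although `p` has already advanced, so the remaining length should be `mem->size - (size_t)(p - mem->mem)`. The check also recognises only `Version:`, while an armor header block may carry `Comment:`, `Charset:` or other keys that would then fall into the `p += 1` branch and shift the base64 start; testing for any non-empty header line with `*p != '\n'` and searching for the blank-line terminator in that case covers them all, assuming SIGSTART includes its trailing newline as the `p += 1` branch suggests — confirm. In the retained error path `p` is already NULL when `(size_t)(p - mem->mem)` is formatted, so the reported offset is meaningless and the subtraction is undefined; keep the search start in a separate variable for the message. `sigend` on the following line is still used in `sigend - p` without a NULL check, and the new comment misspells "whether". read_ascii_armor's body starts and ends outside the hunk.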
diff --git a/security/netpgpverify/files/noversion.asc b/security/netpgpverify/files/noversion.asc
new file mode 100644
index 00000000000..d719aef811b
--- /dev/null
+++ b/security/netpgpverify/files/noversion.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+bar
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAEBAgAGBQJXYEJcAAoJEBto3PzAWWgjk5cH/03A4/a+ywsnzZMncQ7H7rtu
+QiIWwyiJo28Xf5z3fL5WG6VKNJdPpx0TIthcxu0O1YgF6lvqqQbnNpfNbD+1h88+
+JCcqJfyVk38vsFPxdFTIOWjbEtHs9yyjUVk5tJQrxtTaSJbGtQIMHQXXfWAyKCn4
+0Zl+E2iWb6tXxxMaAkrCOipjC9knuTJJbG6oVZpujp7jOt+2bOWY+89+FhoGJ5tv
+XiOvqIUUSW5Iua+wBOmhb/iuNFUVrO8rS/7BpMLQmxbnLxWtwwSWIcyyg6BwiIvm
+8K5NmD3WKN97tPA1HYjk76SlLj254OVLDmTZua7ljqasl5PR9W+aUFIByDgQrGE=
+=90+m
+-----END PGP SIGNATURE-----
diff --git a/security/netpgpverify/files/verify.h b/security/netpgpverify/files/verify.h
index 29a3d5814d5..83fd14ed592 100644
--- a/security/netpgpverify/files/verify.h
+++ b/security/netpgpverify/files/verify.h
@@ -23,9 +23,9 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef NETPGP_VERIFY_H_
-#define NETPGP_VERIFY_H_ 20160313
+#define NETPGP_VERIFY_H_ 20160614
-#define NETPGPVERIFY_VERSION "netpgpverify portable 20160313"
+#define NETPGPVERIFY_VERSION "netpgpverify portable 20160614"
#include <sys/types.h>