From a66d2e0a3979f259f06b1bd3d9d59c5f14fa1b66 Mon Sep 17 00:00:00 2001
From: wiz
Date: Mon, 3 Jul 2006 21:15:14 +0000
Subject: Update to 1.4.4:

Noteworthy changes in version 1.4.4 (2006-06-25)
------------------------------------------------

    * User IDs are now capped at 2048 byte. This avoids a memory allocation attack (see CVE-2006-3082). [was already fixed in pkgsrc]

    * Added support for the SHA-224 hash. Like the SHA-384 hash, it is mainly useful when DSS (the US Digital Signature Standard) compatibility is desired.

    * Added support for the latest update to DSA keys and signatures. This allows for larger keys than 1024 bits and hashes other than SHA-1 and RIPEMD/160. Note that not all OpenPGP implementations can handle these new keys and signatures yet. See "--enable-dsa2" in the manual for more information.
---
 security/gnupg/Makefile         |  5 ++---
 security/gnupg/distinfo         |  9 ++++-----
 security/gnupg/patches/patch-ba | 27 ---------------------------
 3 files changed, 6 insertions(+), 35 deletions(-)
 delete mode 100644 security/gnupg/patches/patch-ba

(limited to 'security')

diff --git a/security/gnupg/Makefile b/security/gnupg/Makefile
index af067ab267a..4008490f7fd 100644
--- a/security/gnupg/Makefile
+++ b/security/gnupg/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.86 2006/06/24 14:20:29 salo Exp $
+# $NetBSD: Makefile,v 1.87 2006/07/03 21:15:14 wiz Exp $
 
-DISTNAME= gnupg-1.4.3
-PKGREVISION= 1
+DISTNAME= gnupg-1.4.4
 CATEGORIES= security
 MASTER_SITES= ftp://ftp.gnupg.org/gcrypt/gnupg/ \
 		ftp://ftp.planetmirror.com/pub/gnupg/ \
diff --git a/security/gnupg/distinfo b/security/gnupg/distinfo
index 64e716abeb9..2eb14ba75dc 100644
--- a/security/gnupg/distinfo
+++ b/security/gnupg/distinfo
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.40 2006/06/24 14:20:29 salo Exp $
+$NetBSD: distinfo,v 1.41 2006/07/03 21:15:14 wiz Exp $
 
-SHA1 (gnupg-1.4.3.tar.bz2) = 9e96b36e4f4d1e8bc5028c99fac674482cbdb370
-RMD160 (gnupg-1.4.3.tar.bz2) = f6d328785f41b74f97d25305c6fe95ad45bb70a5
-Size (gnupg-1.4.3.tar.bz2) = 3114088 bytes
+SHA1 (gnupg-1.4.4.tar.bz2) = 3414d67f22973576f31e354f44859bafbccb7eee
+RMD160 (gnupg-1.4.4.tar.bz2) = b3807b3cf4fc577bf071261eff787c481bd4e0ca
+Size (gnupg-1.4.4.tar.bz2) = 3047120 bytes
 SHA1 (idea.c.gz) = 82fded4ec31b97b3b2dd22741880b67cfee40f84
 RMD160 (idea.c.gz) = e35be5a031d10d52341ac5f029d28f811edd908d
 Size (idea.c.gz) = 5216 bytes
 SHA1 (patch-aa) = 91d55ca22b58e8a1f3c17a2fd0ad888d4c85c6cf
 SHA1 (patch-ab) = 29a7d0b736322eb1ecf0925a2419b513f323000e
 SHA1 (patch-ak) = 89a6a7552104f4d5b97a98889da88fca68c54f31
-SHA1 (patch-ba) = d32db008ec704dacf382da4f43ad6b3f0de88dcb
diff --git a/security/gnupg/patches/patch-ba b/security/gnupg/patches/patch-ba
deleted file mode 100644
index 2027b44108c..00000000000
--- a/security/gnupg/patches/patch-ba
+++ /dev/null
@@ -1,27 +0,0 @@
-$NetBSD: patch-ba,v 1.1 2006/06/24 14:20:29 salo Exp $
-
-Security fix for CVE-2006-3082, from GnuPG CVS repository.
-
---- g10/parse-packet.c.orig	2005-12-06 14:22:19.000000000 +0100
-+++ g10/parse-packet.c	2006-06-24 16:09:34.000000000 +0200
-@@ -1972,6 +1972,20 @@
-     {
-       byte *p;
- 
-+      /* Cap the size of a user ID at 2k: a value absurdly large enough
-+         that there is no sane user ID string (which is printable text
-+         as of RFC2440bis) that won't fit in it, but yet small enough to
-+         avoid allocation problems.  A large pktlen may not be
-+         allocatable, and a very large pktlen could actually cause our
-+         allocation to wrap around in xmalloc to a small number. */
-+
-+      if(pktlen>2048)
-+        {
-+          log_error("packet(%d) too large\n", pkttype);
-+          iobuf_skip_rest(inp, pktlen, 0);
-+          return G10ERR_INVALID_PACKET;
-+        }
-+
-       packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen);
-       packet->pkt.user_id->len = pktlen;
-       packet->pkt.user_id->ref=1;
-- 
cgit v1.2.3