1 |
alonbl 14/12/31 18:27:16 |
2 |
|
3 |
Added: gnupg-2.0.26-misc-cve.patch |
4 |
gnupg-2.1.1-misc-cve.patch |
5 |
Log: |
6 |
Fix misc CVEs, bug#534110 |
7 |
|
8 |
(Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key BF20DC51) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: gnupg-2.0.26-misc-cve.patch |
17 |
=================================================================== |
18 |
From ed8383c618e124cfa708c9ee87563fcdf2f4649c Mon Sep 17 00:00:00 2001 |
19 |
From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
20 |
Date: Fri, 19 Dec 2014 18:53:34 -0500 |
21 |
Subject: [PATCH] sm: Avoid double-free on iconv failure |
22 |
|
23 |
* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid |
24 |
double-free of pwbuf. |
25 |
|
26 |
-- |
27 |
|
28 |
Observed by Joshua Rogers <honey@××××××××.info>, who proposed a |
29 |
slightly different fix. |
30 |
|
31 |
Debian-Bug-Id: 773472 |
32 |
|
33 |
Added fix at a second place - wk. |
34 |
--- |
35 |
sm/minip12.c | 2 ++ |
36 |
1 file changed, 2 insertions(+) |
37 |
|
38 |
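--- a/agent/minip12.c
+++ b/agent/minip12.c
@@ -2422,6 +2422,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
 " requested charset '%s': %s\n",
 charset, strerror (errno));
 gcry_free (pwbuf);
+ pwbuf = NULL;
 goto failure;
 }
 
@@ -2436,6 +2437,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
 " requested charset '%s': %s\n",
 charset, strerror (errno));
 gcry_free (pwbuf);
+ pwbuf = NULL;
 jnlib_iconv_close (cd);
 goto failure;
 }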
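Review bot: Both error branches in p12_build still free pwbuf locally and then clear it so that the cleanup behind `failure:` does not free it a second time; dropping the local `gcry_free (pwbuf);` and letting the shared cleanup release the buffer would leave one release site instead of three, which is the approach the scd/command.c patch in this series takes for cert. The `failure:` label and its cleanup lie outside both hunks, so this assumes that path already calls gcry_free on pwbuf, as the commit message implies. If the local free is kept, a short comment next to the assignment, for example `/* freed above; cleared so the failure path does not free it again */`, would keep a later edit from removing `pwbuf = NULL;` as dead code. The same two hunks appear unchanged for sm/minip12.c in the 2.1.1 patch further down.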
58 |
-- |
59 |
1.7.10.4 |
60 |
|
61 |
From b0b3803e8c2959dd67ca96debc54b5c6464f0d41 Mon Sep 17 00:00:00 2001 |
62 |
From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
63 |
Date: Fri, 19 Dec 2014 18:07:55 -0500 |
64 |
Subject: [PATCH] scd: Avoid double-free on error condition in scd |
65 |
|
66 |
* scd/command.c (cmd_readkey): avoid double-free of cert |
67 |
|
68 |
-- |
69 |
|
70 |
When ksba_cert_new() fails, cert will be double-freed. |
71 |
|
72 |
Debian-Bug-Id: 773471 |
73 |
|
74 |
Original patch changed by wk to do the free only at leave. |
75 |
--- |
76 |
scd/command.c | 6 ++---- |
77 |
1 file changed, 2 insertions(+), 4 deletions(-) |
78 |
|
79 |
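--- a/scd/command.c
+++ b/scd/command.c
@@ -804,10 +804,8 @@ cmd_readkey (assuan_context_t ctx, char *line)
 
 rc = ksba_cert_new (&kc);
 if (rc)
- {
- xfree (cert);
- goto leave;
- }
+ goto leave;
+
 rc = ksba_cert_init_from_mem (kc, cert, ncert);
 if (rc)
 {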
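Review bot: With the local `xfree (cert);` removed, the early `goto leave;` after ksba_cert_new() depends entirely on the `leave:` cleanup, which is outside this hunk, to release cert on every path. The branch that opens right after ksba_cert_init_from_mem() is cut off by the hunk; if its body still frees cert before jumping to leave, the same double free would remain there and should be handled the same way. It is also worth confirming that cert is initialised to NULL before any earlier `goto leave;` in cmd_readkey, so the single free at the label is always safe. The identical hunk is repeated in the 2.1.1 patch.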
96 |
-- |
97 |
1.7.10.4 |
98 |
|
99 |
From abd5f6752d693b7f313c19604f0723ecec4d39a6 Mon Sep 17 00:00:00 2001 |
100 |
From: Werner Koch <wk@×××××.org> |
101 |
Date: Mon, 22 Dec 2014 12:16:46 +0100 |
102 |
Subject: [PATCH] dirmngr,gpgsm: Return NULL on fail |
103 |
|
104 |
* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL. |
105 |
* sm/gpgsm.c (parse_keyserver_line): Ditto. |
106 |
-- |
107 |
|
108 |
Reported-by: Joshua Rogers <git@××××××××.info> |
109 |
|
110 |
"If something inside the ldapserver_parse_one function failed, |
111 |
'server' would be freed, then returned, leading to a |
112 |
use-after-free. This code is likely copied from sm/gpgsm.c, which |
113 |
was also susceptible to this bug." |
114 |
|
115 |
Signed-off-by: Werner Koch <wk@×××××.org> |
116 |
--- |
117 |
dirmngr/ldapserver.c | 1 + |
118 |
sm/gpgsm.c | 1 + |
119 |
2 files changed, 2 insertions(+) |
120 |
|
121 |
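--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -862,6 +862,7 @@ parse_keyserver_line (char *line,
 {
 log_info (_("%s:%u: skipping this line\n"), filename, lineno);
 keyserver_list_free (server);
+ server = NULL;
 }
 
 return server;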
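Review bot: The 2.0.26 copy of this patch carries only the sm/gpgsm.c hunk, while the commit message and diffstat above it still list dirmngr/ldapserver.c and "2 files changed"; the first patch in the same file likewise targets agent/minip12.c although its changelog line and diffstat name sm/minip12.c. These look like manual adjustments for the 2.0 source layout, so the upstream text no longer describes what is actually applied. A line in the patch header, for example `Gentoo: paths adjusted for 2.0.26, dirmngr hunk dropped`, would let someone auditing the backport tell an intended edit from an accidentally lost hunk.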
133 |
-- |
134 |
1.7.10.4 |
135 |
|
136 |
|
137 |
|
138 |
|
139 |
1.1 app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch |
140 |
|
141 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch?rev=1.1&view=markup |
142 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch?rev=1.1&content-type=text/plain |
143 |
|
144 |
Index: gnupg-2.1.1-misc-cve.patch |
145 |
=================================================================== |
146 |
From ed8383c618e124cfa708c9ee87563fcdf2f4649c Mon Sep 17 00:00:00 2001 |
147 |
From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
148 |
Date: Fri, 19 Dec 2014 18:53:34 -0500 |
149 |
Subject: [PATCH] sm: Avoid double-free on iconv failure |
150 |
|
151 |
* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid |
152 |
double-free of pwbuf. |
153 |
|
154 |
-- |
155 |
|
156 |
Observed by Joshua Rogers <honey@××××××××.info>, who proposed a |
157 |
slightly different fix. |
158 |
|
159 |
Debian-Bug-Id: 773472 |
160 |
|
161 |
Added fix at a second place - wk. |
162 |
--- |
163 |
sm/minip12.c | 2 ++ |
164 |
1 file changed, 2 insertions(+) |
165 |
|
166 |
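--- a/sm/minip12.c
+++ b/sm/minip12.c
@@ -2422,6 +2422,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
 " requested charset '%s': %s\n",
 charset, strerror (errno));
 gcry_free (pwbuf);
+ pwbuf = NULL;
 goto failure;
 }
 
@@ -2436,6 +2437,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
 " requested charset '%s': %s\n",
 charset, strerror (errno));
 gcry_free (pwbuf);
+ pwbuf = NULL;
 jnlib_iconv_close (cd);
 goto failure;
 }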
186 |
-- |
187 |
1.7.10.4 |
188 |
|
189 |
From b0b3803e8c2959dd67ca96debc54b5c6464f0d41 Mon Sep 17 00:00:00 2001 |
190 |
From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
191 |
Date: Fri, 19 Dec 2014 18:07:55 -0500 |
192 |
Subject: [PATCH] scd: Avoid double-free on error condition in scd |
193 |
|
194 |
* scd/command.c (cmd_readkey): avoid double-free of cert |
195 |
|
196 |
-- |
197 |
|
198 |
When ksba_cert_new() fails, cert will be double-freed. |
199 |
|
200 |
Debian-Bug-Id: 773471 |
201 |
|
202 |
Original patch changed by wk to do the free only at leave. |
203 |
--- |
204 |
scd/command.c | 6 ++---- |
205 |
1 file changed, 2 insertions(+), 4 deletions(-) |
206 |
|
207 |
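--- a/scd/command.c
+++ b/scd/command.c
@@ -804,10 +804,8 @@ cmd_readkey (assuan_context_t ctx, char *line)
 
 rc = ksba_cert_new (&kc);
 if (rc)
- {
- xfree (cert);
- goto leave;
- }
+ goto leave;
+
 rc = ksba_cert_init_from_mem (kc, cert, ncert);
 if (rc)
 {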
224 |
-- |
225 |
1.7.10.4 |
226 |
|
227 |
From abd5f6752d693b7f313c19604f0723ecec4d39a6 Mon Sep 17 00:00:00 2001 |
228 |
From: Werner Koch <wk@×××××.org> |
229 |
Date: Mon, 22 Dec 2014 12:16:46 +0100 |
230 |
Subject: [PATCH] dirmngr,gpgsm: Return NULL on fail |
231 |
|
232 |
* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL. |
233 |
* sm/gpgsm.c (parse_keyserver_line): Ditto. |
234 |
-- |
235 |
|
236 |
Reported-by: Joshua Rogers <git@××××××××.info> |
237 |
|
238 |
"If something inside the ldapserver_parse_one function failed, |
239 |
'server' would be freed, then returned, leading to a |
240 |
use-after-free. This code is likely copied from sm/gpgsm.c, which |
241 |
was also susceptible to this bug." |
242 |
|
243 |
Signed-off-by: Werner Koch <wk@×××××.org> |
244 |
--- |
245 |
dirmngr/ldapserver.c | 1 + |
246 |
sm/gpgsm.c | 1 + |
247 |
2 files changed, 2 insertions(+) |
248 |
|
249 |
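--- a/dirmngr/ldapserver.c
+++ b/dirmngr/ldapserver.c
@@ -125,6 +125,7 @@ ldapserver_parse_one (char *line,
 {
 log_info (_("%s:%u: skipping this line\n"), filename, lineno);
 ldapserver_list_free (server);
+ server = NULL;
 }
 
 return server;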
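Review bot: ldapserver_parse_one now returns NULL after the "skipping this line" message, but nothing visible in the hunk documents that NULL is a normal return value for a rejected line. A header comment such as `/* Returns NULL if LINE is invalid; the partially built entry is released before returning. */` would make the contract explicit, and the callers should be checked for a NULL test before they link the result into a server list. The function starts outside the hunk, so an existing comment may already cover this. The same applies to parse_keyserver_line in the sm/gpgsm.c hunks of both patch files.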
261 |
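--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -862,6 +862,7 @@ parse_keyserver_line (char *line,
 {
 log_info (_("%s:%u: skipping this line\n"), filename, lineno);
 keyserver_list_free (server);
+ server = NULL;
 }
 
 return server;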
273 |
-- |
274 |
1.7.10.4 |