| 1 |
alonbl 14/12/31 18:27:16 |
| 2 |
|
| 3 |
Added: gnupg-2.0.26-misc-cve.patch |
| 4 |
gnupg-2.1.1-misc-cve.patch |
| 5 |
Log: |
| 6 |
Fix misc CVEs, bug#534110 |
| 7 |
|
| 8 |
(Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key BF20DC51) |
| 9 |
|
| 10 |
Revision Changes Path |
| 11 |
1.1 app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch |
| 12 |
|
| 13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch?rev=1.1&view=markup |
| 14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch?rev=1.1&content-type=text/plain |
| 15 |
|
| 16 |
Index: gnupg-2.0.26-misc-cve.patch |
| 17 |
=================================================================== |
| 18 |
From ed8383c618e124cfa708c9ee87563fcdf2f4649c Mon Sep 17 00:00:00 2001 |
| 19 |
From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
| 20 |
Date: Fri, 19 Dec 2014 18:53:34 -0500 |
| 21 |
Subject: [PATCH] sm: Avoid double-free on iconv failure |
| 22 |
|
| 23 |
* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid |
| 24 |
double-free of pwbuf. |
| 25 |
|
| 26 |
-- |
| 27 |
|
| 28 |
Observed by Joshua Rogers <honey@××××××××.info>, who proposed a |
| 29 |
slightly different fix. |
| 30 |
|
| 31 |
Debian-Bug-Id: 773472 |
| 32 |
|
| 33 |
Added fix at a second place - wk. |
| 34 |
--- |
| 35 |
sm/minip12.c | 2 ++ |
| 36 |
1 file changed, 2 insertions(+) |
| 37 |
|
| 38 |
diff --git a/agent/minip12.c b/agent/minip12.c |
| 39 |
index 01b91b7..ca4d248 100644 |
| 40 |
--- a/agent/minip12.c |
| 41 |
+++ b/agent/minip12.c |
| 42 |
@@ -2422,6 +2422,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen, |
| 43 |
" requested charset '%s': %s\n", |
| 44 |
charset, strerror (errno)); |
| 45 |
gcry_free (pwbuf); |
| 46 |
+ pwbuf = NULL; |
| 47 |
goto failure; |
| 48 |
} |
| 49 |
|
| 50 |
@@ -2436,6 +2437,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen, |
| 51 |
" requested charset '%s': %s\n", |
| 52 |
charset, strerror (errno)); |
| 53 |
gcry_free (pwbuf); |
| 54 |
+ pwbuf = NULL; |
| 55 |
jnlib_iconv_close (cd); |
| 56 |
goto failure; |
| 57 |
} |
| 58 |
-- |
| 59 |
1.7.10.4 |
| 60 |
|
| 61 |
From b0b3803e8c2959dd67ca96debc54b5c6464f0d41 Mon Sep 17 00:00:00 2001 |
| 62 |
From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
| 63 |
Date: Fri, 19 Dec 2014 18:07:55 -0500 |
| 64 |
Subject: [PATCH] scd: Avoid double-free on error condition in scd |
| 65 |
|
| 66 |
* scd/command.c (cmd_readkey): avoid double-free of cert |
| 67 |
|
| 68 |
-- |
| 69 |
|
| 70 |
When ksba_cert_new() fails, cert will be double-freed. |
| 71 |
|
| 72 |
Debian-Bug-Id: 773471 |
| 73 |
|
| 74 |
Original patch changed by wk to do the free only at leave. |
| 75 |
--- |
| 76 |
scd/command.c | 6 ++---- |
| 77 |
1 file changed, 2 insertions(+), 4 deletions(-) |
| 78 |
|
| 79 |
diff --git a/scd/command.c b/scd/command.c |
| 80 |
index dd4191f..1cc580a 100644 |
| 81 |
--- a/scd/command.c |
| 82 |
+++ b/scd/command.c |
| 83 |
@@ -804,10 +804,8 @@ cmd_readkey (assuan_context_t ctx, char *line) |
| 84 |
|
| 85 |
rc = ksba_cert_new (&kc); |
| 86 |
if (rc) |
| 87 |
- { |
| 88 |
- xfree (cert); |
| 89 |
- goto leave; |
| 90 |
- } |
| 91 |
+ goto leave; |
| 92 |
+ |
| 93 |
rc = ksba_cert_init_from_mem (kc, cert, ncert); |
| 94 |
if (rc) |
| 95 |
{ |
| 96 |
-- |
| 97 |
1.7.10.4 |
| 98 |
|
| 99 |
From abd5f6752d693b7f313c19604f0723ecec4d39a6 Mon Sep 17 00:00:00 2001 |
| 100 |
From: Werner Koch <wk@×××××.org> |
| 101 |
Date: Mon, 22 Dec 2014 12:16:46 +0100 |
| 102 |
Subject: [PATCH] dirmngr,gpgsm: Return NULL on fail |
| 103 |
|
| 104 |
* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL. |
| 105 |
* sm/gpgsm.c (parse_keyserver_line): Ditto. |
| 106 |
-- |
| 107 |
|
| 108 |
Reported-by: Joshua Rogers <git@××××××××.info> |
| 109 |
|
| 110 |
"If something inside the ldapserver_parse_one function failed, |
| 111 |
'server' would be freed, then returned, leading to a |
| 112 |
use-after-free. This code is likely copied from sm/gpgsm.c, which |
| 113 |
was also susceptible to this bug." |
| 114 |
|
| 115 |
Signed-off-by: Werner Koch <wk@×××××.org> |
| 116 |
--- |
| 117 |
dirmngr/ldapserver.c | 1 + |
| 118 |
sm/gpgsm.c | 1 + |
| 119 |
2 files changed, 2 insertions(+) |
| 120 |
|
| 121 |
diff --git a/sm/gpgsm.c b/sm/gpgsm.c |
| 122 |
index 3398d17..72bceb4 100644 |
| 123 |
--- a/sm/gpgsm.c |
| 124 |
+++ b/sm/gpgsm.c |
| 125 |
@@ -862,6 +862,7 @@ parse_keyserver_line (char *line, |
| 126 |
{ |
| 127 |
log_info (_("%s:%u: skipping this line\n"), filename, lineno); |
| 128 |
keyserver_list_free (server); |
| 129 |
+ server = NULL; |
| 130 |
} |
| 131 |
|
| 132 |
return server; |
| 133 |
-- |
| 134 |
1.7.10.4 |
| 135 |
|
| 136 |
|
| 137 |
|
| 138 |
|
| 139 |
1.1 app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch |
| 140 |
|
| 141 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch?rev=1.1&view=markup |
| 142 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch?rev=1.1&content-type=text/plain |
| 143 |
|
| 144 |
Index: gnupg-2.1.1-misc-cve.patch |
| 145 |
=================================================================== |
| 146 |
From ed8383c618e124cfa708c9ee87563fcdf2f4649c Mon Sep 17 00:00:00 2001 |
| 147 |
From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
| 148 |
Date: Fri, 19 Dec 2014 18:53:34 -0500 |
| 149 |
Subject: [PATCH] sm: Avoid double-free on iconv failure |
| 150 |
|
| 151 |
* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid |
| 152 |
double-free of pwbuf. |
| 153 |
|
| 154 |
-- |
| 155 |
|
| 156 |
Observed by Joshua Rogers <honey@××××××××.info>, who proposed a |
| 157 |
slightly different fix. |
| 158 |
|
| 159 |
Debian-Bug-Id: 773472 |
| 160 |
|
| 161 |
Added fix at a second place - wk. |
| 162 |
--- |
| 163 |
sm/minip12.c | 2 ++ |
| 164 |
1 file changed, 2 insertions(+) |
| 165 |
|
| 166 |
diff --git a/sm/minip12.c b/sm/minip12.c |
| 167 |
index 01b91b7..ca4d248 100644 |
| 168 |
--- a/sm/minip12.c |
| 169 |
+++ b/sm/minip12.c |
| 170 |
@@ -2422,6 +2422,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen, |
| 171 |
" requested charset '%s': %s\n", |
| 172 |
charset, strerror (errno)); |
| 173 |
gcry_free (pwbuf); |
| 174 |
+ pwbuf = NULL; |
| 175 |
goto failure; |
| 176 |
} |
| 177 |
|
| 178 |
@@ -2436,6 +2437,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen, |
| 179 |
" requested charset '%s': %s\n", |
| 180 |
charset, strerror (errno)); |
| 181 |
gcry_free (pwbuf); |
| 182 |
+ pwbuf = NULL; |
| 183 |
jnlib_iconv_close (cd); |
| 184 |
goto failure; |
| 185 |
} |
| 186 |
-- |
| 187 |
1.7.10.4 |
| 188 |
|
| 189 |
From b0b3803e8c2959dd67ca96debc54b5c6464f0d41 Mon Sep 17 00:00:00 2001 |
| 190 |
From: Daniel Kahn Gillmor <dkg@×××××××××××××.net> |
| 191 |
Date: Fri, 19 Dec 2014 18:07:55 -0500 |
| 192 |
Subject: [PATCH] scd: Avoid double-free on error condition in scd |
| 193 |
|
| 194 |
* scd/command.c (cmd_readkey): avoid double-free of cert |
| 195 |
|
| 196 |
-- |
| 197 |
|
| 198 |
When ksba_cert_new() fails, cert will be double-freed. |
| 199 |
|
| 200 |
Debian-Bug-Id: 773471 |
| 201 |
|
| 202 |
Original patch changed by wk to do the free only at leave. |
| 203 |
--- |
| 204 |
scd/command.c | 6 ++---- |
| 205 |
1 file changed, 2 insertions(+), 4 deletions(-) |
| 206 |
|
| 207 |
diff --git a/scd/command.c b/scd/command.c |
| 208 |
index dd4191f..1cc580a 100644 |
| 209 |
--- a/scd/command.c |
| 210 |
+++ b/scd/command.c |
| 211 |
@@ -804,10 +804,8 @@ cmd_readkey (assuan_context_t ctx, char *line) |
| 212 |
|
| 213 |
rc = ksba_cert_new (&kc); |
| 214 |
if (rc) |
| 215 |
- { |
| 216 |
- xfree (cert); |
| 217 |
- goto leave; |
| 218 |
- } |
| 219 |
+ goto leave; |
| 220 |
+ |
| 221 |
rc = ksba_cert_init_from_mem (kc, cert, ncert); |
| 222 |
if (rc) |
| 223 |
{ |
| 224 |
-- |
| 225 |
1.7.10.4 |
| 226 |
|
| 227 |
From abd5f6752d693b7f313c19604f0723ecec4d39a6 Mon Sep 17 00:00:00 2001 |
| 228 |
From: Werner Koch <wk@×××××.org> |
| 229 |
Date: Mon, 22 Dec 2014 12:16:46 +0100 |
| 230 |
Subject: [PATCH] dirmngr,gpgsm: Return NULL on fail |
| 231 |
|
| 232 |
* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL. |
| 233 |
* sm/gpgsm.c (parse_keyserver_line): Ditto. |
| 234 |
-- |
| 235 |
|
| 236 |
Reported-by: Joshua Rogers <git@××××××××.info> |
| 237 |
|
| 238 |
"If something inside the ldapserver_parse_one function failed, |
| 239 |
'server' would be freed, then returned, leading to a |
| 240 |
use-after-free. This code is likely copied from sm/gpgsm.c, which |
| 241 |
was also susceptible to this bug." |
| 242 |
|
| 243 |
Signed-off-by: Werner Koch <wk@×××××.org> |
| 244 |
--- |
| 245 |
dirmngr/ldapserver.c | 1 + |
| 246 |
sm/gpgsm.c | 1 + |
| 247 |
2 files changed, 2 insertions(+) |
| 248 |
|
| 249 |
diff --git a/dirmngr/ldapserver.c b/dirmngr/ldapserver.c |
| 250 |
index 20a574c..5808c5b 100644 |
| 251 |
--- a/dirmngr/ldapserver.c |
| 252 |
+++ b/dirmngr/ldapserver.c |
| 253 |
@@ -125,6 +125,7 @@ ldapserver_parse_one (char *line, |
| 254 |
{ |
| 255 |
log_info (_("%s:%u: skipping this line\n"), filename, lineno); |
| 256 |
ldapserver_list_free (server); |
| 257 |
+ server = NULL; |
| 258 |
} |
| 259 |
|
| 260 |
return server; |
| 261 |
diff --git a/sm/gpgsm.c b/sm/gpgsm.c |
| 262 |
index 3398d17..72bceb4 100644 |
| 263 |
--- a/sm/gpgsm.c |
| 264 |
+++ b/sm/gpgsm.c |
| 265 |
@@ -862,6 +862,7 @@ parse_keyserver_line (char *line, |
| 266 |
{ |
| 267 |
log_info (_("%s:%u: skipping this line\n"), filename, lineno); |
| 268 |
keyserver_list_free (server); |
| 269 |
+ server = NULL; |
| 270 |
} |
| 271 |
|
| 272 |
return server; |
| 273 |
-- |
| 274 |
1.7.10.4 |
Archives