1 |
alonbl 13/10/04 22:24:41 |
2 |
|
3 |
Added: gnupg-2.0.21-CVE-2013-4351.patch |
4 |
Log: |
5 |
Fix CVE-2013-4351, bug#484836 |
6 |
|
7 |
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key BF20DC51) |
8 |
|
9 |
Revision Changes Path |
10 |
1.1 app-crypt/gnupg/files/gnupg-2.0.21-CVE-2013-4351.patch |
11 |
|
12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.21-CVE-2013-4351.patch?rev=1.1&view=markup |
13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-crypt/gnupg/files/gnupg-2.0.21-CVE-2013-4351.patch?rev=1.1&content-type=text/plain |
14 |
|
15 |
Index: gnupg-2.0.21-CVE-2013-4351.patch |
16 |
=================================================================== |
17 |
From 4bde12206c5bf199dc6e12a74af8da4558ba41bf Mon Sep 17 00:00:00 2001 |
18 |
From: Werner Koch <wk@×××××.org> |
19 |
Date: Fri, 15 Mar 2013 15:46:03 +0100 |
20 |
Subject: [PATCH] gpg: Distinguish between missing and cleared key flags. |
21 |
|
22 |
* include/cipher.h (PUBKEY_USAGE_NONE): New. |
23 |
* g10/getkey.c (parse_key_usage): Set new flag. |
24 |
-- |
25 |
|
26 |
We do not want to use the default capabilities (derived from the |
27 |
algorithm) if any key flags are given in a signature. Thus if key |
28 |
flags are used in any way, the default key capabilities are never |
29 |
used. |
30 |
|
31 |
This allows to create a key with key flags set to all zero so it can't |
32 |
be used. This better reflects common sense. |
33 |
--- |
34 |
g10/getkey.c | 8 +++++++- |
35 |
include/cipher.h | 7 ++++++- |
36 |
2 files changed, 13 insertions(+), 2 deletions(-) |
37 |
|
38 |
diff --git a/g10/getkey.c b/g10/getkey.c |
39 |
index 9294273..8cc5601 100644 |
40 |
--- a/g10/getkey.c |
41 |
+++ b/g10/getkey.c |
42 |
@@ -1276,13 +1276,19 @@ parse_key_usage (PKT_signature * sig) |
43 |
|
44 |
if (flags) |
45 |
key_usage |= PUBKEY_USAGE_UNKNOWN; |
46 |
+ |
47 |
+ if (!key_usage) |
48 |
+ key_usage |= PUBKEY_USAGE_NONE; |
49 |
} |
50 |
+ else if (p) /* Key flags of length zero. */ |
51 |
+ key_usage |= PUBKEY_USAGE_NONE; |
52 |
|
53 |
/* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a |
54 |
capability that we do not handle. This serves to distinguish |
55 |
between a zero key usage which we handle as the default |
56 |
capabilities for that algorithm, and a usage that we do not |
57 |
- handle. */ |
58 |
+ handle. Likewise we use PUBKEY_USAGE_NONE to indicate that |
59 |
+ key_flags have been given but they do not specify any usage. */ |
60 |
|
61 |
return key_usage; |
62 |
} |
63 |
diff --git a/include/cipher.h b/include/cipher.h |
64 |
index 191e197..557ab70 100644 |
65 |
--- a/include/cipher.h |
66 |
+++ b/include/cipher.h |
67 |
@@ -54,9 +54,14 @@ |
68 |
|
69 |
#define PUBKEY_USAGE_SIG GCRY_PK_USAGE_SIGN /* Good for signatures. */ |
70 |
#define PUBKEY_USAGE_ENC GCRY_PK_USAGE_ENCR /* Good for encryption. */ |
71 |
-#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys. */ |
72 |
+#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys.*/ |
73 |
#define PUBKEY_USAGE_AUTH GCRY_PK_USAGE_AUTH /* Good for authentication. */ |
74 |
#define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN /* Unknown usage flag. */ |
75 |
+#define PUBKEY_USAGE_NONE 256 /* No usage given. */ |
76 |
+#if (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \ |
77 |
+ | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256 |
78 |
+# error Please choose another value for PUBKEY_USAGE_NONE |
79 |
+#endif |
80 |
|
81 |
#define DIGEST_ALGO_MD5 /* 1 */ GCRY_MD_MD5 |
82 |
#define DIGEST_ALGO_SHA1 /* 2 */ GCRY_MD_SHA1 |
83 |
-- |
84 |
1.7.2.5 |