pkgsrc-Bugs archive


pkg/47442: pkgsrc' security/gnupg2 package needs security update for CVE-2012-6085 [patch included]



>Number:         47442
>Category:       pkg
>Synopsis:       pkgsrc' security/gnupg2 package needs security update for CVE-2012-6085 [patch included]
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Jan 14 00:55:00 +0000 2013
>Originator:     Bug Hunting
>Release:        
>Description:

pkgsrc' security/gnupg2 package is vulnerable to CVE-2012-6085,
and thus needs updating.



>How-To-Repeat:

Note the following line in the pkg-vulnerabilities file (at least
present in r1.4970), for the security/gnupg package:

gnupg<1.4.13            multiple-vulnerabilities        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6085

(The (initial?) upstream 1.4.13 release announcement doesn't mention
the issue by the way; see, e.g.,
<http://lists.gnupg.org/pipermail/gnupg-announce/2012q4/000319.html>.
However, the line in pkg-vulnerabilities is correct: see below).

Open the URL from above, and see that CVE-2012-6085 is currently
in ``under review'' state.  Search the Web for information about
the CVE, then conclude from, e.g.,
<https://bugzilla.redhat.com/show_bug.cgi?id=891142> and, as an
ultimate resource, <https://bugs.g10code.com/gnupg/issue1455>, that
not just GnuPG 1.4 was fixed
(<http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=f795a0d59e197455f8723c300eebf59e09853efa>),
but 2.0 as well
(<http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=498882296ffac7987c644aaf2a0aa108a2925471>).
For 1.4, 1.4.13 was released after that; for 2.0, there has not
(yet) been a new release.

Conclude GnuPG 2 in pkgsrc/security/gnupg2, currently at version
2.0.19, is vulnerable to the issue.



>Fix:

Wait for GnuPG 2.0.20, and update security/gnupg2 to it.

Alternatively, of course, apply the patch attached, to patch
security/gnupg2 in its current version using a pkgsrc patch, updating
it to a new `PKGREVISION' version.

As far as I can tell the patch as taken from the upstream repository
can be applied on its own effectively (i.e., the fact that there
were other commits made upstream in between the 2.0.19 release and
the date of the commit of the upstream fix doesn't matter); in any
case, the new package was tested to build and install successfully
on NetBSD/i386 6.0, using an up-to-date checkout of pkgsrc-current.

Along with the package's update, update pkgsrc/doc/CHANGES-2013
accordingly (no patch provided for that).

Additionally, please pull-up the changes made to pkgsrc to the
`pkgsrc-2012Q4' pkgsrc branch, and update
pkgsrc/doc/CHANGES-pkgsrc-2012Q4 there accordingly as well.

Lastly, apply the patch attached to the pkg-vulnerabilities file.

For both patches attached, the top lines of it provide a proposed
commit message; for at least the package update commit message, a
reference to this PR should be made in addition.

--t0UkRYy7tHLRMCai
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="gnupg2_CVE-2012-6085.patch"

Fix CVE-2012-6085 (GnuPG-bug-id: 1455), bumping `PKGREVISION'.

The patch is copied as-is from upstream Git commit
498882296ffac7987c644aaf2a0aa108a2925471 (in branch `STABLE-BRANCH-2-0'),
titled ``gpg: Import only packets which are allowed in a keyblock.''.

From Bug Hunting.

---

Index: pkgsrc/security/gnupg2/Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/security/gnupg2/Makefile,v
retrieving revision 1.41
diff -u -r1.41 Makefile
--- pkgsrc/security/gnupg2/Makefile     16 Dec 2012 01:52:32 -0000      1.41
+++ pkgsrc/security/gnupg2/Makefile     13 Jan 2013 23:14:26 -0000
@@ -2,7 +2,7 @@
 
 DISTNAME=      gnupg-2.0.19
 PKGNAME=       ${DISTNAME:S/gnupg/gnupg2/}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    security
 MASTER_SITES=  ftp://ftp.gnupg.org/gcrypt/gnupg/
 EXTRACT_SUFX=  .tar.bz2
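Review bot: the PKGREVISION bump from 1 to 2 must stay in lockstep with the `gnupg2<2.0.19nb2` upper bound in the pkg-vulnerabilities attachment; if the revision is bumped again before this lands (for example by another pkgsrc change to security/gnupg2), the vulnerabilities entry has to move with it, otherwise the fixed package would still be reported as vulnerable or, worse, an unfixed revision would be reported as clean.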
Index: pkgsrc/security/gnupg2/distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/security/gnupg2/distinfo,v
retrieving revision 1.25
diff -u -r1.25 distinfo
--- pkgsrc/security/gnupg2/distinfo     17 Apr 2012 18:35:33 -0000      1.25
+++ pkgsrc/security/gnupg2/distinfo     13 Jan 2013 23:14:26 -0000
@@ -7,3 +7,4 @@
 SHA1 (patch-aj) = bfd21504e0d55f99df543912b1cdf2c573de2f98
 SHA1 (patch-al) = ef7c698ed102c4e27bbf707ae5d1fce4c2b5d8d4
 SHA1 (patch-ao) = 2f91b33271d5e79d48b392cc58978da08ee46e8a
+SHA1 (patch-g10_import.c) = fc5269c2b1e1230cf669cbfc239ed45cbc1dd597
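Review bot: the new `SHA1 (patch-g10_import.c)` line should be regenerated by the committer with `make makepatchsum` in security/gnupg2 rather than taken from the attachment verbatim, since the checksum has to match the patch file exactly as committed; any whitespace change introduced by the mail transport (the wrapped `+++` header line below shows the attachment did get reflowed) would otherwise make `make checksum` fail for every user.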
Index: pkgsrc/security/gnupg2/patches/patch-g10_import.c
===================================================================
RCS file: pkgsrc/security/gnupg2/patches/patch-g10_import.c
diff -N pkgsrc/security/gnupg2/patches/patch-g10_import.c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ pkgsrc/security/gnupg2/patches/patch-g10_import.c   13 Jan 2013 23:14:26 
-0000
@@ -0,0 +1,46 @@
+$NetBSD$
+
+Fix CVE-2012-6085 (GnuPG-bug-id: 1455).
+
+Patch taken from
+<http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=498882296ffac7987c644aaf2a0aa108a2925471>.
+
+--- g10/import.c.orig  2012-03-27 08:00:37.000000000 +0000
++++ g10/import.c
+@@ -347,6 +347,27 @@ import_print_stats (void *hd)
+ }
+ 
+ 
++/* Return true if PKTTYPE is valid in a keyblock.  */
++static int
++valid_keyblock_packet (int pkttype)
++{
++  switch (pkttype)
++    {
++    case PKT_PUBLIC_KEY:
++    case PKT_PUBLIC_SUBKEY:
++    case PKT_SECRET_KEY:
++    case PKT_SECRET_SUBKEY:
++    case PKT_SIGNATURE:
++    case PKT_USER_ID:
++    case PKT_ATTRIBUTE:
++    case PKT_RING_TRUST:
++      return 1;
++    default:
++      return 0;
++    }
++}
++
++
+ /****************
+  * Read the next keyblock from stream A.
+  * PENDING_PKT should be initialzed to NULL
+@@ -424,7 +445,7 @@ read_block( IOBUF a, PACKET **pending_pk
+           }
+           in_cert = 1;
+         default:
+-          if( in_cert ) {
++          if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
+               if( !root )
+                   root = new_kbnode( pkt );
+               else
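Review bot: the `read_block` hunk depends on the pre-existing fall-through from `in_cert = 1;` into `default:`, so the primary key packet that opens a block is itself passed through `valid_keyblock_packet()` and is accepted because PKT_PUBLIC_KEY and PKT_SECRET_KEY are on the allow-list; that is upstream behaviour, not a defect introduced here, but a one-line remark in the `$NetBSD$` header of the pkgsrc patch would save the next reader from reading the missing `break` as a bug. The line counts are consistent (the first hunk adds 21 lines, and the second hunk's offset moves from 424 to 445), so the patch should apply cleanly to the 2.0.19 source as the submitter states.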

--t0UkRYy7tHLRMCai
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pkg-vulnerabilities_1.4790.patch"

Mention CVE-2012-6085 for security/gnupg2 (like security/gnupg
already is).

From Bug Hunting.

---

--- /tmp/pkg-vulnerabilities_1.4790.orig        2013-01-13 22:54:11.000000000 
+0100
+++ /tmp/pkg-vulnerabilities_1.4790.new 2013-01-13 22:56:33.000000000 +0100
@@ -6501,6 +6501,7 @@
 ettercap-[0-9]*                remote-system-access    
http://secunia.com/advisories/51731/
 ettercap-NG-[0-9]*     remote-system-access    
http://secunia.com/advisories/51731/
 acroread9<9.5.3                multiple-vulnerabilities        
http://www.adobe.com/support/security/bulletins/apsb13-02.html
+gnupg2<2.0.19nb2               multiple-vulnerabilities        
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6085
 #CHECKSUM SHA1 f4edcc19af2757e117b798e774efaec5b53e3c44
 #CHECKSUM SHA512 
6f5bceb4336d34969a75fa40d9a6edc8c1d250874b80e106a883b34e083b4cb1756e9c3104e09098709973b4aefb2a7af04614def1698382388b87fddc32fdc5
 -----BEGIN PGP SIGNATURE-----
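Review bot: the `#CHECKSUM SHA1` and `#CHECKSUM SHA512` lines immediately below the added entry are left at their old values, and the file is PGP-signed, so this hunk cannot be committed as-is; the committer has to regenerate both checksums and re-sign the file after inserting the `gnupg2<2.0.19nb2` line, which is the expected workflow for pkg-vulnerabilities but worth stating in the commit so nobody applies the attachment mechanically.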

--t0UkRYy7tHLRMCai--
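The upstream fix carried by the patch above adds an allow-list of packet types that may appear in a keyblock, so that a key import no longer accepts arbitrary packets into the keyring. The following is an added example, not code from this PR or from GnuPG, showing the same allow-list idea applied to raw OpenPGP packet headers: it parses the tag and length of each packet (old and new header formats from RFC 4880), accepts only keyblock packet kinds, and rejects truncated input. The tag numbers are the RFC 4880 values; `SAMPLE_KEYBLOCK` is a constructed byte string with dummy packet bodies, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OpenPGP packet tags (RFC 4880, section 4.3); only the ones this example uses. */
enum {
    TAG_SIGNATURE      = 2,
    TAG_SECRET_KEY     = 5,
    TAG_PUBLIC_KEY     = 6,
    TAG_SECRET_SUBKEY  = 7,
    TAG_COMPRESSED     = 8,   /* never belongs in a keyblock */
    TAG_TRUST          = 12,  /* implementation-specific trust packet (GnuPG's ring trust) */
    TAG_USER_ID        = 13,
    TAG_PUBLIC_SUBKEY  = 14,
    TAG_USER_ATTRIBUTE = 17
};

/* Allow-list of packet kinds that belong in a keyblock; the same set the
   upstream valid_keyblock_packet() accepts, expressed on wire tags. */
int valid_keyblock_tag(int tag)
{
    switch (tag) {
    case TAG_PUBLIC_KEY:
    case TAG_PUBLIC_SUBKEY:
    case TAG_SECRET_KEY:
    case TAG_SECRET_SUBKEY:
    case TAG_SIGNATURE:
    case TAG_USER_ID:
    case TAG_USER_ATTRIBUTE:
    case TAG_TRUST:
        return 1;
    default:
        return 0;
    }
}

/* Parse one packet header from buf[0..len). On success returns the header
   length and sets *tag and *body_len; returns -1 on malformed or truncated
   input. Partial-body lengths and old-format indeterminate lengths are
   rejected as unsupported in this example. */
int parse_header(const uint8_t *buf, size_t len, int *tag, size_t *body_len)
{
    if (len < 1 || !(buf[0] & 0x80))
        return -1;                                  /* bit 7 must always be set */
    if (buf[0] & 0x40) {                            /* new-format header */
        uint8_t b;
        *tag = buf[0] & 0x3f;
        if (len < 2) return -1;
        b = buf[1];
        if (b < 192) { *body_len = b; return 2; }
        if (b < 224) {
            if (len < 3) return -1;
            *body_len = ((size_t)(b - 192) << 8) + buf[2] + 192;
            return 3;
        }
        if (b == 255) {
            if (len < 6) return -1;
            *body_len = ((size_t)buf[2] << 24) | ((size_t)buf[3] << 16)
                      | ((size_t)buf[4] << 8) | buf[5];
            return 6;
        }
        return -1;                                  /* partial body length */
    } else {                                        /* old-format header */
        int ltype = buf[0] & 3;
        *tag = (buf[0] >> 2) & 0x0f;
        if (ltype == 0) { if (len < 2) return -1; *body_len = buf[1]; return 2; }
        if (ltype == 1) { if (len < 3) return -1; *body_len = ((size_t)buf[1] << 8) | buf[2]; return 3; }
        if (ltype == 2) {
            if (len < 5) return -1;
            *body_len = ((size_t)buf[1] << 24) | ((size_t)buf[2] << 16)
                      | ((size_t)buf[3] << 8) | buf[4];
            return 5;
        }
        return -1;                                  /* indeterminate length */
    }
}

/* Walk a serialized keyblock; count packets that pass the allow-list and
   those that are dropped. Returns the accepted count, or -1 if any header
   is malformed or a body runs past the end of the buffer. */
int filter_keyblock(const uint8_t *buf, size_t len, int *skipped)
{
    size_t off = 0;
    int accepted = 0;
    *skipped = 0;
    while (off < len) {
        int tag;
        size_t body;
        int hl = parse_header(buf + off, len - off, &tag, &body);
        if (hl < 0 || body > len - off - hl)
            return -1;                              /* truncated packet */
        if (valid_keyblock_tag(tag)) accepted++; else (*skipped)++;
        off += hl + body;
    }
    return accepted;
}

/* Constructed sample: public key, user ID, signature, a compressed-data
   packet that must be dropped, and an old-format user ID. Bodies are dummies. */
const uint8_t SAMPLE_KEYBLOCK[] = {
    0xC6, 0x03, 0x04, 0x00, 0x01,            /* new format, tag 6 (public key), 3-byte body */
    0xCD, 0x05, 'a', 'l', 'i', 'c', 'e',     /* new format, tag 13 (user ID) */
    0xC2, 0x02, 0x04, 0x13,                  /* new format, tag 2 (signature) */
    0xC8, 0x01, 0x00,                        /* new format, tag 8 (compressed data): dropped */
    0xB4, 0x03, 'b', 'o', 'b'                /* old format, tag 13, one-byte length */
};

int main(void)
{
    int skipped = 0;
    int accepted = filter_keyblock(SAMPLE_KEYBLOCK, sizeof SAMPLE_KEYBLOCK, &skipped);
    printf("accepted %d packet(s), dropped %d\n", accepted, skipped);
    return accepted < 0;
}
```

On the sample input the walker accepts four packets and drops the compressed-data packet; a buffer cut off inside a packet body is rejected outright rather than partially imported, which is the other half of what a keyring importer needs from a parser.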
