pkgsrc-Changes archive


CVS commit: pkgsrc/security/gnupg2



Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Jun 30 14:48:55 UTC 2022

Modified Files:
        pkgsrc/security/gnupg2: Makefile distinfo
Added Files:
        pkgsrc/security/gnupg2/patches: patch-g10_cpr.c

Log Message:
gnupg2: fix possible security issue

Per
https://www.openwall.com/lists/oss-security/2022/06/30/1
using upstream patch.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.133 -r1.134 pkgsrc/security/gnupg2/Makefile
cvs rdiff -u -r1.73 -r1.74 pkgsrc/security/gnupg2/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnupg2/patches/patch-g10_cpr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnupg2/Makefile
diff -u pkgsrc/security/gnupg2/Makefile:1.133 pkgsrc/security/gnupg2/Makefile:1.134
--- pkgsrc/security/gnupg2/Makefile:1.133       Tue Apr 26 08:15:35 2022
+++ pkgsrc/security/gnupg2/Makefile     Thu Jun 30 14:48:55 2022
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.133 2022/04/26 08:15:35 adam Exp $
+# $NetBSD: Makefile,v 1.134 2022/06/30 14:48:55 wiz Exp $
 
 DISTNAME=      gnupg-2.2.35
 PKGNAME=       ${DISTNAME:S/gnupg-/gnupg2-/}
+PKGREVISION=   1
 CATEGORIES=    security
 MASTER_SITES=  ftp://ftp.gnupg.org/gcrypt/gnupg/
 MASTER_SITES+= http://mirrors.dotsrc.org/gcrypt/gnupg/
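
Review bot: The context lines at the end of this hunk still list only ftp:// and http:// MASTER_SITES, so the authenticity of gnupg-2.2.35.tar.bz2 rests entirely on the checksums in distinfo. That is unchanged by this commit, but on a security-fix revision it is worth listing an HTTPS location first if upstream offers one. The PKGREVISION=1 line itself is placed correctly after PKGNAME and should be dropped again at the next DISTNAME update.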

Index: pkgsrc/security/gnupg2/distinfo
diff -u pkgsrc/security/gnupg2/distinfo:1.73 pkgsrc/security/gnupg2/distinfo:1.74
--- pkgsrc/security/gnupg2/distinfo:1.73        Tue Apr 26 08:15:35 2022
+++ pkgsrc/security/gnupg2/distinfo     Thu Jun 30 14:48:55 2022
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.73 2022/04/26 08:15:35 adam Exp $
+$NetBSD: distinfo,v 1.74 2022/06/30 14:48:55 wiz Exp $
 
 BLAKE2s (gnupg-2.2.35.tar.bz2) = 74f0a044b85c30a11a59bed4e21c322c7a77c839639996fa30f5e3bee8433830
 SHA512 (gnupg-2.2.35.tar.bz2) = ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
 Size (gnupg-2.2.35.tar.bz2) = 7262687 bytes
 SHA1 (patch-common_sysutils.c) = 569c12e21172c1521284922244b2f4f361c945d6
+SHA1 (patch-g10_cpr.c) = 0a691eb6e6463ce9f9e3e735d3b2d587195a05cc
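
Review bot: The added patch-g10_cpr.c entry is recorded with SHA1 only, while the distfile lines above it carry BLAKE2s and SHA512. This matches the existing patch-common_sysutils.c line, so it is consistent within the file, but it means the security patch is pinned by the weakest digest in this distinfo. Treat the entry as a guard against accidental modification, and confirm that the recorded value matches revision 1.1 of the patch file as committed.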

Added files:

Index: pkgsrc/security/gnupg2/patches/patch-g10_cpr.c
diff -u /dev/null pkgsrc/security/gnupg2/patches/patch-g10_cpr.c:1.1
--- /dev/null   Thu Jun 30 14:48:55 2022
+++ pkgsrc/security/gnupg2/patches/patch-g10_cpr.c      Thu Jun 30 14:48:55 2022
@@ -0,0 +1,40 @@
+$NetBSD: patch-g10_cpr.c,v 1.1 2022/06/30 14:48:55 wiz Exp $
+
+g10: Fix garbled status messages in NOTATION_DATA
+
+* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+
+Depending on the escaping and line wrapping the computed remaining
+buffer length could be wrong. Fixed by always using a break to
+terminate the escape detection loop. Might have happened for all
+status lines which may wrap.
+
+https://dev.gnupg.org/rG34c649b3601383cd11dbc76221747ec16fd68e1b
+
+--- g10/cpr.c.orig     2022-02-24 13:06:37.000000000 +0000
++++ g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, co
+             }
+           first = 0;
+         }
+-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++      for (esc=0, s=buffer, n=len; n; s++, n--)
+         {
+           if (*s == '%' || *(const byte*)s <= lower_limit
+               || *(const byte*)s == 127 )
+             esc = 1;
+           if (wrap && ++count > wrap)
+-            {
+-              dowrap=1;
+-              break;
+-            }
+-        }
+-      if (esc)
+-        {
+-          s--; n++;
++            dowrap=1;
++          if (esc || dowrap)
++            break;
+         }
+       if (s != buffer)
+         es_fwrite (buffer, s-buffer, 1, statusfp);
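
Review bot: The patch header at the top of this hunk describes the change only as "Fix garbled status messages in NOTATION_DATA" and cites the upstream commit, but not the oss-security post that the commit log gives as the reason for the update. Add that URL to the header so the security context stays with the patch file. On the logic: in the removed lines, a byte that set esc in the same iteration in which `++count > wrap` fired left the loop through `break` without the `s++, n--` step, yet the following `if (esc)` block still ran `s--; n++;`, which moved s one byte back and made n one larger than the remaining length. The new single exit through `if (esc || dowrap) break;` leaves s and n on the current byte in every case, which is consistent with the `es_fwrite (buffer, s-buffer, 1, statusfp)` call that follows. The code that consumes s, n and dowrap after this point is not visible here, so a regression test that places a '%' exactly at the wrap boundary would be a useful follow-up upstream.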


