[pkgsrc/trunk]: pkgsrc/security/netpgpverify/files Update netpgpverify (and l...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc/security/netpgpverify/files Update netpgpverify (and l...
From: agc <agc%pkgsrc.org@localhost>
Date: Wed, 15 Jan 2020 05:30:26 +0000

details:   https://anonhg.NetBSD.org/pkgsrc/rev/bd184598a033
branches:  trunk
changeset: 348491:bd184598a033
user:      agc <agc%pkgsrc.org@localhost>
date:      Tue Jun 14 18:00:59 2016 +0000

description:
Update netpgpverify (and libnetpgpverify) to 20160614

+ handle signatures created by gpg with "--no-emit-version", don't assume
there will always be a version string.

+ add a test for above

Fixes security PR/51240.

Thanks to xnox%ubuntu.com@localhost for reporting the error

diffstat:

 security/netpgpverify/files/Makefile.bsd  |   4 +++-
 security/netpgpverify/files/Makefile.in   |   4 +++-
 security/netpgpverify/files/libverify.c   |  15 ++++++++++-----
 security/netpgpverify/files/noversion.asc |  14 ++++++++++++++
 security/netpgpverify/files/verify.h      |   4 ++--
 5 files changed, 32 insertions(+), 9 deletions(-)

diffs (92 lines):

diff -r 603fc105c4df -r bd184598a033 security/netpgpverify/files/Makefile.bsd
--- a/security/netpgpverify/files/Makefile.bsd  Tue Jun 14 17:57:39 2016 +0000
+++ b/security/netpgpverify/files/Makefile.bsd  Tue Jun 14 18:00:59 2016 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.bsd,v 1.8 2015/02/05 00:21:57 agc Exp $
+# $NetBSD: Makefile.bsd,v 1.9 2016/06/14 18:00:59 agc Exp $
 
 PROG=netpgpverify
 
@@ -43,3 +43,5 @@
        rm -f 1keytest.gpg
        @echo "testing signing with a subkey"
        ./chk.sh -k joyent-pubring.gpg digest-20121220.tgz
+       @echo "testing signatures with no version"
+       ./${PROG} -k pubring.gpg noversion.asc
diff -r 603fc105c4df -r bd184598a033 security/netpgpverify/files/Makefile.in
--- a/security/netpgpverify/files/Makefile.in   Tue Jun 14 17:57:39 2016 +0000
+++ b/security/netpgpverify/files/Makefile.in   Tue Jun 14 18:00:59 2016 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.in,v 1.4 2015/08/17 11:37:55 jperkin Exp $
+# $NetBSD: Makefile.in,v 1.5 2016/06/14 18:00:59 agc Exp $
 
 PROG=netpgpverify
 
@@ -43,6 +43,8 @@
        rm -f 1keytest.gpg
        @echo "testing signing with a subkey"
        ./chk.sh -k joyent-pubring.gpg digest-20121220.tgz
+       @echo "testing signatures with no version"
+       ./${PROG} -k pubring.gpg noversion.asc
 
 clean:
        rm -rf *.core ${OBJS} ${PROG}
diff -r 603fc105c4df -r bd184598a033 security/netpgpverify/files/libverify.c
--- a/security/netpgpverify/files/libverify.c   Tue Jun 14 17:57:39 2016 +0000
+++ b/security/netpgpverify/files/libverify.c   Tue Jun 14 18:00:59 2016 +0000
@@ -2022,12 +2022,17 @@
        }
        litdata.u.litdata.len = litdata.s.size = (size_t)(p - datastart);
        p += strlen(SIGSTART);
-       if ((p = find_bin_string(p, mem->size, "\n\n",  2)) == NULL) {
-               snprintf(cursor->why, sizeof(cursor->why),
-                       "malformed armed signature at %zu", (size_t)(p - mem->mem));
-               return 0;
+       /* Work out whther there's a version line */
+       if (memcmp(p, "Version:", 8) == 0) {
+               if ((p = find_bin_string(p, mem->size, "\n\n",  2)) == NULL) {
+                       snprintf(cursor->why, sizeof(cursor->why),
+                               "malformed armed signature at %zu", (size_t)(p - mem->mem));
+                       return 0;
+               }
+               p += 2;
+       } else {
+               p += 1;
        }
-       p += 2;
        sigend = find_bin_string(p, mem->size, SIGEND, strlen(SIGEND));
        binsigsize = b64decode((char *)p, (size_t)(sigend - p), binsig, sizeof(binsig));
 
diff -r 603fc105c4df -r bd184598a033 security/netpgpverify/files/noversion.asc
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/netpgpverify/files/noversion.asc Tue Jun 14 18:00:59 2016 +0000
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+bar
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAEBAgAGBQJXYEJcAAoJEBto3PzAWWgjk5cH/03A4/a+ywsnzZMncQ7H7rtu
+QiIWwyiJo28Xf5z3fL5WG6VKNJdPpx0TIthcxu0O1YgF6lvqqQbnNpfNbD+1h88+
+JCcqJfyVk38vsFPxdFTIOWjbEtHs9yyjUVk5tJQrxtTaSJbGtQIMHQXXfWAyKCn4
+0Zl+E2iWb6tXxxMaAkrCOipjC9knuTJJbG6oVZpujp7jOt+2bOWY+89+FhoGJ5tv
+XiOvqIUUSW5Iua+wBOmhb/iuNFUVrO8rS/7BpMLQmxbnLxWtwwSWIcyyg6BwiIvm
+8K5NmD3WKN97tPA1HYjk76SlLj254OVLDmTZua7ljqasl5PR9W+aUFIByDgQrGE=
+=90+m
+-----END PGP SIGNATURE-----
diff -r 603fc105c4df -r bd184598a033 security/netpgpverify/files/verify.h
--- a/security/netpgpverify/files/verify.h      Tue Jun 14 17:57:39 2016 +0000
+++ b/security/netpgpverify/files/verify.h      Tue Jun 14 18:00:59 2016 +0000
@@ -23,9 +23,9 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #ifndef NETPGP_VERIFY_H_
-#define NETPGP_VERIFY_H_       20160313
+#define NETPGP_VERIFY_H_       20160614
 
-#define NETPGPVERIFY_VERSION   "netpgpverify portable 20160313"
+#define NETPGPVERIFY_VERSION   "netpgpverify portable 20160614"
 
 #include <sys/types.h>

Prev by Date: [pkgsrc/trunk]: pkgsrc/devel Git 2.9 Release Notes
Next by Date: [pkgsrc/trunk]: pkgsrc/sysutils/i3status Set proper VARBASE in the example co...
Previous by Thread: [pkgsrc/trunk]: pkgsrc/devel Git 2.9 Release Notes
Next by Thread: [pkgsrc/trunk]: pkgsrc/sysutils/i3status Set proper VARBASE in the example co...
Indexes:

Home | Main Index | Thread Index | Old Index