gnupg: added 1.4.2.2 which contain security fixes: CVE-2006-0049

5 files changed, 209 insertions, 0 deletions

diff --git a/packages/gnupg/gnupg-1.4.2.2/.mtn2git_empty b/packages/gnupg/gnupg-1.4.2.2/.mtn2git_empty
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/packages/gnupg/gnupg-1.4.2.2/.mtn2git_empty
diff --git a/packages/gnupg/gnupg-1.4.2.2/15_free_caps.patch b/packages/gnupg/gnupg-1.4.2.2/15_free_caps.patch
new file mode 100644
index 0000000000..20949a7d49
--- /dev/null
+++ b/packages/gnupg/gnupg-1.4.2.2/15_free_caps.patch
@@ -0,0 +1,93 @@
+--- /home/weasel/tmp/debian-gpg/gnupg-1.2.5/g10/status.c	2004-07-21 09:59:45.000000000 +0200
++++ gnupg-1.2.5/g10/status.c	2004-08-01 20:07:42.071690680 +0200
+@@ -346,6 +346,9 @@
+ {
+     char buf[100];
+     struct shmid_ds shmds;
++#ifdef USE_CAPABILITIES
++    cap_t caps;
++#endif
+ 
+ #ifndef IPC_RMID_DEFERRED_RELEASE
+     atexit( remove_shmid );
+@@ -371,7 +374,9 @@
+ 			    (unsigned)shm_size/1024, shm_area, shm_id );
+     if( lock_mem ) {
+ #ifdef USE_CAPABILITIES
+-	cap_set_proc( cap_from_text("cap_ipc_lock+ep") );
++	caps = cap_from_text("cap_ipc_lock=ep");
++	cap_set_proc( caps );
++	cap_free( caps );
+ #endif
+ 	/* (need the cast for Solaris with Sun's workshop compilers) */
+ 	if ( mlock ( (char*)shm_area, shm_size) )
+@@ -380,7 +385,9 @@
+ 	else
+ 	    shm_is_locked = 1;
+ #ifdef USE_CAPABILITIES
+-	cap_set_proc( cap_from_text("cap_ipc_lock+p") );
++	caps = cap_from_text("cap_ipc_lock=p");
++	cap_set_proc( caps );
++	cap_free( caps );
+ #endif
+     }
+ 
+@@ -407,7 +414,9 @@
+ 
+     if( lock_mem ) {
+ #ifdef USE_CAPABILITIES
+-	cap_set_proc( cap_from_text("cap_ipc_lock+ep") );
++	caps = cap_from_text("cap_ipc_lock=ep");
++	cap_set_proc( caps );
++	cap_free( caps );
+ #endif
+ #ifdef IPC_HAVE_SHM_LOCK
+ 	if ( shmctl (shm_id, SHM_LOCK, 0) )
+@@ -419,7 +428,9 @@
+ 	log_info("Locking shared memory %d failed: No way to do it\n", shm_id );
+ #endif
+ #ifdef USE_CAPABILITIES
+-	cap_set_proc( cap_from_text("cap_ipc_lock+p") );
++	caps = cap_from_text("cap_ipc_lock=p");
++	cap_set_proc( caps );
++	cap_free( caps );
+ #endif
+     }
+ 
+--- /home/weasel/tmp/debian-gpg/gnupg-1.2.5/util/secmem.c	2004-02-24 17:06:58.000000000 +0100
++++ gnupg-1.2.5/util/secmem.c	2004-08-01 20:08:10.873412378 +0200
+@@ -97,12 +97,18 @@
+ {
+ #if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK)
+     int err;
++    cap_t caps;
++
++    caps = cap_from_text("cap_ipc_lock=ep");
++    cap_set_proc( caps );
++    cap_free( caps );
+ 
+-    cap_set_proc( cap_from_text("cap_ipc_lock+ep") );
+     err = mlock( p, n );
+     if( err && errno )
+ 	err = errno;
+-    cap_set_proc( cap_from_text("cap_ipc_lock+p") );
++    caps = cap_from_text("cap_ipc_lock=p");
++    cap_set_proc( caps );
++    cap_free( caps );
+ 
+     if( err ) {
+ 	if( errno != EPERM
+@@ -301,8 +307,12 @@
+     if( !n ) {
+ #ifndef __riscos__
+ #ifdef USE_CAPABILITIES
++	cap_t caps;
++
+ 	/* drop all capabilities */
+-	cap_set_proc( cap_from_text("all-eip") );
++	caps = cap_from_text("all-eip");
++	cap_set_proc( caps );
++	cap_free( caps );
+ 
+ #elif !defined(HAVE_DOSISH_SYSTEM)
+ 	uid_t uid;
diff --git a/packages/gnupg/gnupg-1.4.2.2/16_min_privileges.patch b/packages/gnupg/gnupg-1.4.2.2/16_min_privileges.patch
new file mode 100644
index 0000000000..b29233b33b
--- /dev/null
+++ b/packages/gnupg/gnupg-1.4.2.2/16_min_privileges.patch
@@ -0,0 +1,68 @@
+--- gnupg-1.4.0/g10/g10.c	2004-12-16 09:47:36.000000000 +0000
++++ /tmp/dpep.O5S02c/gnupg-1.4.0/g10/g10.c	2005-02-03 23:31:40.645873299 +0000
+@@ -69,6 +69,11 @@
+ #endif
+ 
+ 
++#ifdef USE_CAPABILITIES
++#include <sys/capability.h>
++#include <sys/prctl.h>
++#endif
++
+ enum cmd_and_opt_values
+   {
+     aNull = 0,
+@@ -1618,6 +1623,10 @@
+ #ifdef USE_SHM_COPROCESSING
+     ulong requested_shm_size=0;
+ #endif
++#ifdef USE_CAPABILITIES
++    uid_t curr_uid;
++    cap_t caps;
++#endif
+ 
+ #ifdef __riscos__
+     opt.lock_once = 1;
+@@ -1629,6 +1638,33 @@
+      * when adding any stuff between here and the call to
+      * secmem_init()  somewhere after the option parsing
+      */
++
++    /* if we use capabilities and run as root, we can immediately setuid back
++     * to the normal user and only keep CAP_IPC_LOCK until the shared memory is
++     * set up.
++     */
++#ifdef USE_CAPABILITIES
++    curr_uid = getuid();
++    if( curr_uid && !geteuid() ) { /* we are setuid root */
++	if( prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 ) ) {
++	    perror( "main(): could not keep capabilities" );
++	    return -100;
++	}
++
++	if( setuid( curr_uid ) ) {
++	    perror( "main(): could not set user id" );
++	    return -100;
++	}
++
++	caps = cap_from_text( "cap_ipc_lock=p" );
++	if( cap_set_proc( caps ) ) {
++	    perror( "main(): could not install capabilities" );
++	    return -100;
++	}
++	cap_free( caps );
++    }
++#endif
++
+     log_set_name("gpg");
+     secure_random_alloc(); /* put random number into secure memory */
+     may_coredump = disable_core_dumps();
+@@ -1747,7 +1783,7 @@
+     }
+ #endif
+     /* initialize the secure memory. */
+-    got_secmem=secmem_init( 32768 );
++    got_secmem=secmem_init( 32768 ); /* this will drop all remaining privileges */
+     maybe_setuid = 0;
+     /* Okay, we are now working under our real uid */
+ 
diff --git a/packages/gnupg/gnupg-1.4.2.2/22_zero_length_mpi_fix.patch b/packages/gnupg/gnupg-1.4.2.2/22_zero_length_mpi_fix.patch
new file mode 100644
index 0000000000..8f13db4d23
--- /dev/null
+++ b/packages/gnupg/gnupg-1.4.2.2/22_zero_length_mpi_fix.patch
@@ -0,0 +1,37 @@
+diff -urNad gnupg-1.4.2~/mpi/mpicoder.c gnupg-1.4.2/mpi/mpicoder.c
+--- gnupg-1.4.2~/mpi/mpicoder.c	2005-05-31 06:30:05.000000000 +0000
++++ gnupg-1.4.2/mpi/mpicoder.c	2005-09-29 00:52:19.000000000 +0000
+@@ -80,16 +80,20 @@
+     mpi_limb_t a;
+     MPI val = MPI_NULL;
+ 
++    if (nread == nmax)
++        goto overflow;
+     if( (c = iobuf_get(inp)) == -1 )
+ 	goto leave;
+-    if (++nread >= nmax)
+-        goto overflow;
++    nread++;
+     nbits = c << 8;
++
++    if (nread == nmax)
++        goto overflow;
+     if( (c = iobuf_get(inp)) == -1 )
+ 	goto leave;
+-    if (++nread >= nmax)
+-        goto overflow;
++    nread++;
+     nbits |= c;
++
+     if( nbits > MAX_EXTERN_MPI_BITS ) {
+ 	log_error("mpi too large for this implementation (%u bits)\n", nbits);
+ 	goto leave;
+@@ -112,7 +116,7 @@
+     for( ; j > 0; j-- ) {
+ 	a = 0;
+ 	for(; i < BYTES_PER_MPI_LIMB; i++ ) {
+-            if (nread >= nmax) {
++            if (nread == nmax) {
+ #ifdef M_DEBUG
+                 mpi_debug_free (val);
+ #else
diff --git a/packages/gnupg/gnupg_1.4.2.2.bb b/packages/gnupg/gnupg_1.4.2.2.bb
new file mode 100644
index 0000000000..07f62aba16
--- /dev/null
+++ b/packages/gnupg/gnupg_1.4.2.2.bb
@@ -0,0 +1,11 @@
+include gnupg.inc
+
+DEPENDS += "readline"
+EXTRA_OECONF += "--with-readline=${STAGING_LIBDIR}/.."
+#   --without-readline      do not support fancy command line editing
+
+SRC_URI += "file://15_free_caps.patch;patch=1 \
+	    file://16_min_privileges.patch;patch=1 \
+	    file://22_zero_length_mpi_fix.patch;patch=1 "
+
+S = "${WORKDIR}/gnupg-${PV}"