From cda6a1333699525ab6ee21ab1b45993e284aae20 Mon Sep 17 00:00:00 2001
From: Marcin Juszkiewicz
Date: Mon, 20 Mar 2006 19:59:23 +0000
Subject: gnupg: added 1.4.2.2 which contain security fixes: CVE-2006-0049
---
 packages/gnupg/gnupg-1.4.2.2/.mtn2git_empty | 0
 packages/gnupg/gnupg-1.4.2.2/15_free_caps.patch | 93 ++++++++++++++++++++++
 .../gnupg/gnupg-1.4.2.2/16_min_privileges.patch | 68 ++++++++++++++++
 .../gnupg-1.4.2.2/22_zero_length_mpi_fix.patch | 37 +++++++++
 packages/gnupg/gnupg_1.4.2.2.bb | 11 +++
 5 files changed, 209 insertions(+)
 create mode 100644 packages/gnupg/gnupg-1.4.2.2/.mtn2git_empty
 create mode 100644 packages/gnupg/gnupg-1.4.2.2/15_free_caps.patch
 create mode 100644 packages/gnupg/gnupg-1.4.2.2/16_min_privileges.patch
 create mode 100644 packages/gnupg/gnupg-1.4.2.2/22_zero_length_mpi_fix.patch
 create mode 100644 packages/gnupg/gnupg_1.4.2.2.bb
diff --git a/packages/gnupg/gnupg-1.4.2.2/.mtn2git_empty b/packages/gnupg/gnupg-1.4.2.2/.mtn2git_empty
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/packages/gnupg/gnupg-1.4.2.2/15_free_caps.patch b/packages/gnupg/gnupg-1.4.2.2/15_free_caps.patch
new file mode 100644
index 0000000000..20949a7d49
--- /dev/null
+++ b/packages/gnupg/gnupg-1.4.2.2/15_free_caps.patch
@@ -0,0 +1,93 @@
+--- /home/weasel/tmp/debian-gpg/gnupg-1.2.5/g10/status.c 2004-07-21 09:59:45.000000000 +0200
++++ gnupg-1.2.5/g10/status.c 2004-08-01 20:07:42.071690680 +0200
+@@ -346,6 +346,9 @@
+ {
+ char buf[100];
+ struct shmid_ds shmds;
++#ifdef USE_CAPABILITIES
++ cap_t caps;
++#endif
+
+ #ifndef IPC_RMID_DEFERRED_RELEASE
+ atexit( remove_shmid );
+@@ -371,7 +374,9 @@
+ (unsigned)shm_size/1024, shm_area, shm_id );
+ if( lock_mem ) {
+ #ifdef USE_CAPABILITIES
+- cap_set_proc( cap_from_text("cap_ipc_lock+ep") );
++ caps = cap_from_text("cap_ipc_lock=ep");
++ cap_set_proc( caps );
++ cap_free( caps );
+ #endif
+ /* (need the cast for Solaris with Sun's workshop compilers) */
+ if ( mlock ( (char*)shm_area, shm_size) )
+@@ -380,7 +385,9 @@
+ else
+ shm_is_locked = 1;
+ #ifdef USE_CAPABILITIES
+- cap_set_proc( cap_from_text("cap_ipc_lock+p") );
++ caps = cap_from_text("cap_ipc_lock=p");
++ cap_set_proc( caps );
++ cap_free( caps );
+ #endif
+ }
+
+@@ -407,7 +414,9 @@
+
+ if( lock_mem ) {
+ #ifdef USE_CAPABILITIES
+- cap_set_proc( cap_from_text("cap_ipc_lock+ep") );
++ caps = cap_from_text("cap_ipc_lock=ep");
++ cap_set_proc( caps );
++ cap_free( caps );
+ #endif
+ #ifdef IPC_HAVE_SHM_LOCK
+ if ( shmctl (shm_id, SHM_LOCK, 0) )
+@@ -419,7 +428,9 @@
+ log_info("Locking shared memory %d failed: No way to do it\n", shm_id );
+ #endif
+ #ifdef USE_CAPABILITIES
+- cap_set_proc( cap_from_text("cap_ipc_lock+p") );
++ caps = cap_from_text("cap_ipc_lock=p");
++ cap_set_proc( caps );
++ cap_free( caps );
+ #endif
+ }
+
+--- /home/weasel/tmp/debian-gpg/gnupg-1.2.5/util/secmem.c 2004-02-24 17:06:58.000000000 +0100
++++ gnupg-1.2.5/util/secmem.c 2004-08-01 20:08:10.873412378 +0200
+@@ -97,12 +97,18 @@
+ {
+ #if defined(USE_CAPABILITIES) && defined(HAVE_MLOCK)
+ int err;
++ cap_t caps;
++
++ caps = cap_from_text("cap_ipc_lock=ep");
++ cap_set_proc( caps );
++ cap_free( caps );
+
+- cap_set_proc( cap_from_text("cap_ipc_lock+ep") );
+ err = mlock( p, n );
+ if( err && errno )
+ err = errno;
+- cap_set_proc( cap_from_text("cap_ipc_lock+p") );
++ caps = cap_from_text("cap_ipc_lock=p");
++ cap_set_proc( caps );
++ cap_free( caps );
+
+ if( err ) {
+ if( errno != EPERM
+@@ -301,8 +307,12 @@
+ if( !n ) {
+ #ifndef __riscos__
+ #ifdef USE_CAPABILITIES
++ cap_t caps;
++
+ /* drop all capabilities */
+- cap_set_proc( cap_from_text("all-eip") );
++ caps = cap_from_text("all-eip");
++ cap_set_proc( caps );
++ cap_free( caps );
+
+ #elif !defined(HAVE_DOSISH_SYSTEM)
+ uid_t uid;
diff --git a/packages/gnupg/gnupg-1.4.2.2/16_min_privileges.patch b/packages/gnupg/gnupg-1.4.2.2/16_min_privileges.patch
new file mode 100644
index 0000000000..b29233b33b
--- /dev/null
+++ b/packages/gnupg/gnupg-1.4.2.2/16_min_privileges.patch
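Review bot: None of the new `cap_from_text()`/`cap_set_proc()` pairs in 15_free_caps.patch checks a result, so a NULL `cap_t` or a failed `cap_set_proc()` passes silently at every site: the four in status.c, the mlock wrapper at secmem.c `@@ -97`, and the `all-eip` drop at secmem.c `@@ -301`. The mlock sites degrade gracefully because the `mlock()` failure is handled just below, but the drop site is the one that must not fail quietly, since on failure the process keeps its capabilities with no diagnostic; I would write it as `caps = cap_from_text("all-eip");` / `if( !caps || cap_set_proc( caps ) )` / `log_error("dropping capabilities failed\n");` ahead of the `cap_free`. The change from `+ep`/`+p` to `=ep`/`=p` also clears every other capability rather than only raising `cap_ipc_lock`, which is presumably the intent, but deserves a one-line comment at the first site, e.g. `/* '=' clears all other capability sets, not just adds ipc_lock */`. The enclosing functions in both files start and end outside the inner hunks.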
@@ -0,0 +1,68 @@
+--- gnupg-1.4.0/g10/g10.c 2004-12-16 09:47:36.000000000 +0000
++++ /tmp/dpep.O5S02c/gnupg-1.4.0/g10/g10.c 2005-02-03 23:31:40.645873299 +0000
+@@ -69,6 +69,11 @@
+ #endif
+
+
++#ifdef USE_CAPABILITIES
++#include
++#include
++#endif
++
+ enum cmd_and_opt_values
+ {
+ aNull = 0,
+@@ -1618,6 +1623,10 @@
+ #ifdef USE_SHM_COPROCESSING
+ ulong requested_shm_size=0;
+ #endif
++#ifdef USE_CAPABILITIES
++ uid_t curr_uid;
++ cap_t caps;
++#endif
+
+ #ifdef __riscos__
+ opt.lock_once = 1;
+@@ -1629,6 +1638,33 @@
+ * when adding any stuff between here and the call to
+ * secmem_init() somewhere after the option parsing
+ */
++
++ /* if we use capabilities and run as root, we can immediately setuid back
++ * to the normal user and only keep CAP_IPC_LOCK until the shared memory is
++ * set up.
++ */
++#ifdef USE_CAPABILITIES
++ curr_uid = getuid();
++ if( curr_uid && !geteuid() ) { /* we are setuid root */
++ if( prctl( PR_SET_KEEPCAPS, 1, 0, 0, 0 ) ) {
++ perror( "main(): could not keep capabilities" );
++ return -100;
++ }
++
++ if( setuid( curr_uid ) ) {
++ perror( "main(): could not set user id" );
++ return -100;
++ }
++
++ caps = cap_from_text( "cap_ipc_lock=p" );
++ if( cap_set_proc( caps ) ) {
++ perror( "main(): could not install capabilities" );
++ return -100;
++ }
++ cap_free( caps );
++ }
++#endif
++
+ log_set_name("gpg");
+ secure_random_alloc(); /* put random number into secure memory */
+ may_coredump = disable_core_dumps();
+@@ -1747,7 +1783,7 @@
+ }
+ #endif
+ /* initialize the secure memory. */
+- got_secmem=secmem_init( 32768 );
++ got_secmem=secmem_init( 32768 ); /* this will drop all remaining privileges */
+ maybe_setuid = 0;
+ /* Okay, we are now working under our real uid */
+
diff --git a/packages/gnupg/gnupg-1.4.2.2/22_zero_length_mpi_fix.patch b/packages/gnupg/gnupg-1.4.2.2/22_zero_length_mpi_fix.patch
new file mode 100644
index 0000000000..8f13db4d23
--- /dev/null
+++ b/packages/gnupg/gnupg-1.4.2.2/22_zero_length_mpi_fix.patch
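Review bot: The two `#include` lines added at the `@@ -69` hunk carry no header name on this page, so the patch as shown would not compile; that looks like angle-bracketed targets lost in rendering (the code below needs the libcap and prctl headers), so confirm the file in the tree has them. In the `@@ -1629` hunk, `caps = cap_from_text( "cap_ipc_lock=p" )` is not checked for NULL before `cap_set_proc( caps )`; the failure is still caught by the `cap_set_proc` check, but the `perror` text then blames the wrong call, and `cap_free` is skipped on every error return. `return -100` from `main()` reaches the shell truncated to status 156; a small positive status would be clearer. Since the uid drop relies on `prctl( PR_SET_KEEPCAPS )` being honoured before `setuid( curr_uid )`, the comment above the block could say so explicitly, e.g. `/* KEEPCAPS keeps the permitted set across setuid(); effective caps are cleared and re-raised only around mlock() */`. The enclosing `main()` starts and ends outside these hunks.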
@@ -0,0 +1,37 @@
+diff -urNad gnupg-1.4.2~/mpi/mpicoder.c gnupg-1.4.2/mpi/mpicoder.c
+--- gnupg-1.4.2~/mpi/mpicoder.c 2005-05-31 06:30:05.000000000 +0000
++++ gnupg-1.4.2/mpi/mpicoder.c 2005-09-29 00:52:19.000000000 +0000
+@@ -80,16 +80,20 @@
+ mpi_limb_t a;
+ MPI val = MPI_NULL;
+
++ if (nread == nmax)
++ goto overflow;
+ if( (c = iobuf_get(inp)) == -1 )
+ goto leave;
+- if (++nread >= nmax)
+- goto overflow;
++ nread++;
+ nbits = c << 8;
++
++ if (nread == nmax)
++ goto overflow;
+ if( (c = iobuf_get(inp)) == -1 )
+ goto leave;
+- if (++nread >= nmax)
+- goto overflow;
++ nread++;
+ nbits |= c;
++
+ if( nbits > MAX_EXTERN_MPI_BITS ) {
+ log_error("mpi too large for this implementation (%u bits)\n", nbits);
+ goto leave;
+@@ -112,7 +116,7 @@
+ for( ; j > 0; j-- ) {
+ a = 0;
+ for(; i < BYTES_PER_MPI_LIMB; i++ ) {
+- if (nread >= nmax) {
++ if (nread == nmax) {
+ #ifdef M_DEBUG
+ mpi_debug_free (val);
+ #else
diff --git a/packages/gnupg/gnupg_1.4.2.2.bb b/packages/gnupg/gnupg_1.4.2.2.bb
new file mode 100644
index 0000000000..07f62aba16
--- /dev/null
+++ b/packages/gnupg/gnupg_1.4.2.2.bb
@@ -0,0 +1,11 @@
+include gnupg.inc
+
+DEPENDS += "readline"
+EXTRA_OECONF += "--with-readline=${STAGING_LIBDIR}/.."
+# --without-readline do not support fancy command line editing
+
+SRC_URI += "file://15_free_caps.patch;patch=1 \
+ file://16_min_privileges.patch;patch=1 \
+ file://22_zero_length_mpi_fix.patch;patch=1 "
+
+S = "${WORKDIR}/gnupg-${PV}"
--
cgit v1.2.3
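Review bot: The guards are weakened from `>=` to `==` at both new `if (nread == nmax)` checks and at the loop check in the `@@ -112` hunk, which is only safe while `nread` can never exceed `nmax`; that holds for the lines shown, because each read is now preceded by the equality test and followed by a single `nread++`, but the rest of the function and its callers (outside the hunk) must keep that invariant, and `>=` would cost nothing while staying safe if it is ever broken. The reordering itself is the actual fix: the removed `if (++nread >= nmax)` rejected a read of exactly `nmax` bytes, and the new pre-read check does not. Worth a one-line comment at the first new check so the invariant is explicit, e.g. `/* check before each read: nread may reach nmax but must never exceed it */`. The enclosing function begins and ends outside this hunk.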
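Review bot: The three patches pulled in by `SRC_URI` were written against other releases (their headers name gnupg-1.2.5, gnupg-1.4.0 and gnupg-1.4.2) while this recipe builds 1.4.2.2, so they can only apply with offset or fuzz; a comment above `SRC_URI` recording their origin and that they were checked against this version would help the next bump, e.g. `# 15/16 carried from Debian's gnupg packaging, 22 from 1.4.2; re-verify on upgrade`. The readline comment is also hard to parse; `# --without-readline does not support fancy command-line editing` reads better. `--with-readline=${STAGING_LIBDIR}/..` reaches the staging prefix by a relative path; if a staging prefix variable exists in this tree it would be the clearer choice, but I cannot see one from here.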