Date:      Fri, 23 Jul 2010 23:31:15 +0900
From:      Hirohisa Yamaguchi <umq@ueo.co.jp>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/148866: security/gnupg security patch from upstream
Message-ID:  <861vaugtho.wl%umq@ueo.co.jp>
Resent-Message-ID: <201007231440.o6NEe3Al057841@freefall.freebsd.org>


>Number:         148866
>Category:       ports
>Synopsis:       security/gnupg security patch from upstream
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 23 14:40:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Hirohisa Yamaguchi
>Release:        FreeBSD 8.0-BETA2 amd64
>Organization:
<organization of PR author (multiple lines)>
>Environment:
System: FreeBSD calliope.****.org 8.0-BETA2 FreeBSD 8.0-BETA2 #21: Sun Aug 16 19:47:51 JST 2009 root@calliope.****.org:/usr/obj/usr/src/sys/CALLIOPE64 amd64


>Description:
	gpgsm in security/gnupg has a realloc bug.
	> An exploit is not yet known but it can't be ruled out for sure that
	> the problem has not already been identified by some dark forces.
	Announcement: http://lists.gnupg.org/pipermail/gnupg-announce/2010q3/000302.html

	A newer version, 2.0.17, might be coming shortly.
>How-To-Repeat:
	Importing a certificate with more than 98 Subject Alternate
	Names via GPGSM's import command or implicitly while verifying
	a signature causes GPGSM to reallocate an array with the
	names.  The bug is that the reallocation code misses assigning
	the reallocated array to the old array variable and thus the
	old and freed array will be used.  Usually this leads to a
	segv.

>Fix:

	The patch follows:

diff -Npru ports.org/security/gnupg/Makefile ports/security/gnupg/Makefile
--- ports.org/security/gnupg/Makefile	2010-07-23 23:04:04.000000000 +0900
+++ ports/security/gnupg/Makefile	2010-07-23 23:04:32.000000000 +0900
@@ -7,6 +7,7 @@

 PORTNAME=	gnupg
 PORTVERSION=	2.0.16
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GNUPG}
 MASTER_SITE_SUBDIR=	gnupg
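Review bot: the PORTREVISION= 1 line added after PORTVERSION= 2.0.16 has to be removed again when PORTVERSION changes, and the description says 2.0.17 may arrive shortly, so the commit for that update should drop it together with files/patch-kbx__keybox-blob.c. The bump itself is appropriate, since the fix changes the built gpgsm without changing the version and installed 2.0.16 packages need to be seen as outdated.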
diff -Npru ports.org/security/gnupg/files/patch-kbx__keybox-blob.c ports/security/gnupg/files/patch-kbx__keybox-blob.c
--- ports.org/security/gnupg/files/patch-kbx__keybox-blob.c	1970-01-01 09:00:00.000000000 +0900
+++ ports/security/gnupg/files/patch-kbx__keybox-blob.c	2010-07-23 22:52:09.000000000 +0900
@@ -0,0 +1,10 @@
+--- ./kbx/keybox-blob.c.orig	2009-09-22 01:53:44.000000000 +0900
++++ ./kbx/keybox-blob.c	2010-07-23 22:51:55.000000000 +0900
+@@ -898,6 +898,7 @@
+               rc = gpg_error_from_syserror ();
+               goto leave;
+             }
++          names = tmp;
+         }
+       names[blob->nuids++] = p;
+       if (!i && (p=x509_email_kludge (p)))
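Review bot: the new files/patch-kbx__keybox-blob.c carries no note of where the fix comes from; put the upstream announcement URL from the description in a comment line above the `--- ./kbx/keybox-blob.c.orig` header so the file can be identified and dropped on the next version update. The placement of `names = tmp;` looks right: it follows the closing brace of the error branch that ends in `goto leave;` and precedes `names[blob->nuids++] = p;`, so it only runs when the reallocation succeeded. The realloc call and the update of the allocated size are outside the context lines shown here, so confirm in the full source that the size variable is raised in the same block.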
>Release-Note:
>Audit-Trail:
>Unformatted:
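The reallocation mistake described under How-To-Repeat, shown in its corrected form as an added example (not code from GnuPG or from this PR). `struct name_list`, `name_list_append`, `NAME_CHUNK` and the sample names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NAME_CHUNK 100            /* constructed growth step, an assumption */

/* Hypothetical stand-in for the names array; not GnuPG's own structure. */
struct name_list {
    const char **names;           /* borrowed string pointers */
    size_t count, cap;            /* slots used / slots allocated */
};

/* Append one name, growing the array when full. 0 on success, -1 on error. */
int name_list_append(struct name_list *nl, const char *name)
{
    if (nl->count == nl->cap) {
        size_t newcap = nl->cap + NAME_CHUNK;
        const char **tmp;
        if (newcap < nl->cap || newcap > SIZE_MAX / sizeof *tmp)
            return -1;            /* size computation would overflow */
        tmp = realloc(nl->names, newcap * sizeof *tmp);
        if (!tmp)
            return -1;            /* old array untouched, caller still owns it */
        nl->names = tmp;          /* the assignment the bug left out */
        nl->cap = newcap;
    }
    nl->names[nl->count++] = name;
    return 0;
}

/* Append n constructed names, then count how many read back intact. */
size_t name_list_selfcheck(size_t n)
{
    struct name_list nl = {0};
    char (*labels)[24] = calloc(n + 1, sizeof *labels);
    char want[24];
    size_t i, ok = 0;
    for (i = 0; labels && i < n; i++) {
        snprintf(labels[i], sizeof labels[i], "alt%zu.example", i);
        if (name_list_append(&nl, labels[i])) break;
    }
    for (i = 0; i < nl.count; i++) {
        snprintf(want, sizeof want, "alt%zu.example", i);
        ok += strcmp(nl.names[i], want) == 0;
    }
    free(nl.names);
    free(labels);
    return ok;
}
int main(void) { return name_list_selfcheck(250) == 250 ? 0 : 1; }
```

Without the `nl->names = tmp;` line, every write after the first growth would go through a pointer that `realloc` may already have freed, which is the condition the report describes.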
