From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Jul 23 14:40:03 2010
Message-Id: <861vaugtho.wl%umq@ueo.co.jp>
Date: Fri, 23 Jul 2010 23:31:15 +0900
From: Hirohisa Yamaguchi
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/148866: security/gnupg security patch from upstream

>Number: 148866
>Category: ports
>Synopsis: security/gnupg security patch from upstream
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 23 14:40:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Hirohisa Yamaguchi
>Release: FreeBSD 8.0-BETA2 amd64
>Organization:
>Environment:
System: FreeBSD calliope.****.org 8.0-BETA2 FreeBSD 8.0-BETA2 #21: Sun Aug 16 19:47:51 JST 2009 root@calliope.****.org:/usr/obj/usr/src/sys/CALLIOPE64 amd64
>Description:
gpgsm in security/gnupg has a realloc bug.

> An exploit is not yet known but it can't be ruled out for sure that
> the problem has not already been identified by some dark forces.

Announcement: http://lists.gnupg.org/pipermail/gnupg-announce/2010q3/000302.html

A newer version, 2.0.17, might be coming shortly.
>How-To-Repeat:
Importing a certificate with more than 98 Subject Alternate Names via GPGSM's import command or implicitly while verifying a signature causes GPGSM to reallocate an array with the names. The bug is that the reallocation code misses assigning the reallocated array to the old array variable and thus the old and freed array will be used. Usually this leads to a segv.
>Fix:
The patch follows:

diff -Npru ports.org/security/gnupg/Makefile ports/security/gnupg/Makefile --- ports.org/security/gnupg/Makefile 2010-07-23 23:04:04.000000000 +0900 +++ ports/security/gnupg/Makefile 2010-07-23 23:04:32.000000000 +0900 
@@ -7,6 +7,7 @@ PORTNAME= gnupg PORTVERSION= 2.0.16 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_GNUPG} MASTER_SITE_SUBDIR= gnupg diff -Npru ports.org/security/gnupg/files/patch-kbx__keybox-blob.c ports/security/gnupg/files/patch-kbx__keybox-blob.c --- ports.org/security/gnupg/files/patch-kbx__keybox-blob.c 1970-01-01 09:00:00.000000000 +0900 +++ ports/security/gnupg/files/patch-kbx__keybox-blob.c 2010-07-23 22:52:09.000000000 +0900 @@ -0,0 +1,10 @@ +--- ./kbx/keybox-blob.c.orig 2009-09-22 01:53:44.000000000 +0900 ++++ ./kbx/keybox-blob.c 2010-07-23 22:51:55.000000000 +0900 +@@ -898,6 +898,7 @@ + rc = gpg_error_from_syserror (); + goto leave; + } ++ names = tmp; + } + names[blob->nuids++] = p; + if (!i && (p=x509_email_kludge (p))) >Release-Note: >Audit-Trail: >Unformatted:
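
Review bot: The Makefile hunk bumps PORTREVISION to 1, but the diff touches only security/gnupg/Makefile and files/patch-kbx__keybox-blob.c and carries no VuXML entry. Since the report files this as a security fix with Severity "serious", a matching entry in security/vuxml should go in with the commit so that installed 2.0.16 packages without the revision bump are flagged by the audit tooling.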
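
Review bot: In the kbx/keybox-blob.c hunk the added `names = tmp;` sits after the failure branch, so on the `goto leave` path `names` still holds the old pointer. That is safe only if the allocation call leaves the old block intact on failure (as realloc does) and the code at `leave` frees `names`; the three context lines do not show either, so please confirm against the full function. The new patch file also carries no pointer to the upstream announcement; citing that URL in the commit message would make it easier to drop the patch once 2.0.17 lands.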
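
The How-To-Repeat text describes a reallocation whose result is never assigned back to the array variable. As an added illustration (not code from the PR, the port or GnuPG), this is the grow-and-append pattern with that assignment in place; `name_list`, `name_list_add`, `name_list_selftest`, the starting capacity of 4 and the `san-N.example` names are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical growable array of borrowed name pointers; not GnuPG's code. */
struct name_list { const char **names; size_t count, cap; };

/* Append p. Returns 0 on success, -1 on allocation failure, in which
   case the list is unchanged and l->names is still valid to free. */
int name_list_add(struct name_list *l, const char *p)
{
    if (l->count == l->cap) {
        size_t newcap = l->cap ? l->cap * 2 : 4;  /* constructed growth policy */
        if (newcap > SIZE_MAX / sizeof *l->names)
            return -1;
        const char **tmp = realloc(l->names, newcap * sizeof *tmp);
        if (!tmp)
            return -1;       /* realloc failed: the old block is untouched */
        l->names = tmp;      /* omit this and later writes hit the old block */
        l->cap = newcap;
    }
    l->names[l->count++] = p;
    return 0;
}

/* Add n constructed names (n <= 256), then count how many read back
   intact after the array has been reallocated several times. */
size_t name_list_selftest(size_t n)
{
    static char store[256][24];
    struct name_list l = {0};
    size_t ok = 0;

    if (n > 256)
        return 0;
    for (size_t i = 0; i < n; i++) {
        snprintf(store[i], sizeof store[i], "san-%zu.example", i);
        if (name_list_add(&l, store[i]) != 0)
            break;
    }
    for (size_t i = 0; i < l.count; i++)
        ok += (l.names[i] == store[i]);
    free(l.names);
    return ok;
}
```

Keeping the realloc result in a temporary is what makes the failure path safe: the original pointer is overwritten only once the new block is known to be valid.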