Date:      Fri, 8 Jun 2018 14:18:20 +0000 (UTC)
From:      Adam Weinberger <adamw@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r472003 - head/security/gnupg
Message-ID:  <201806081418.w58EIKTT093135@repo.freebsd.org>

Author: adamw
Date: Fri Jun  8 14:18:19 2018
New Revision: 472003
URL: https://svnweb.freebsd.org/changeset/ports/472003

Log:
  Update gnupg to 2.2.8 (security release)
  
  CVE-2018-12020:
  The OpenPGP protocol allows to include the file name of the original
  input file into a signed or encrypted message.  During decryption and
  verification the GPG tool can display a notice with that file name.  The
  displayed file name is not sanitized and as such may include line feeds
  or other control characters.  This can be used to inject terminal control
  sequences into the output and, worse, to fake the so-called status
  messages.  These status messages are parsed by programs to get
  information from gpg about the validity of a signature and other
  parameters.  Status messages are created with the option "--status-fd N"
  where N is a file descriptor.  Now if N is 2 the status messages and the
  regular diagnostic messages share the stderr output channel.  By using a
  made up file name in the message it is possible to fake status messages.
  Using this technique it is for example possible to fake the verification
  status of a signed mail.
  
  Also:
    * gpg: Decryption of messages not using the MDC mode will now lead
      to a hard failure even if a legacy cipher algorithm was used.  The
      option --ignore-mdc-error can be used to turn this failure into a
      warning.  Take care: Never use that option unconditionally or
      without a prior warning.
  
    * gpg: The MDC encryption mode is now always used regardless of the
      cipher algorithm or any preferences.  For testing --rfc2440 can be
      used to create a message without an MDC.
  
    * gpg: Sanitize the diagnostic output of the original file name in
      verbose mode.  [#4012,CVE-2018-12020]
  
    * gpg: Detect suspicious multiple plaintext packets in a more
      reliable way.  [#4000]
  
    * gpg: Fix the duplicate key signature detection code.  [#3994]
  
    * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
      --disable-mdc and --no-disable-mdc have no more effect.
  
    * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
      list of startup environment variables.  [#3947]
  
  MFH:		2018Q2
  Security:	CVE-2018-12020

Modified:
  head/security/gnupg/Makefile
  head/security/gnupg/distinfo

Modified: head/security/gnupg/Makefile
==============================================================================
--- head/security/gnupg/Makefile	Fri Jun  8 14:16:30 2018	(r472002)
+++ head/security/gnupg/Makefile	Fri Jun  8 14:18:19 2018	(r472003)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	gnupg
-PORTVERSION=	2.2.7
+PORTVERSION=	2.2.8
 CATEGORIES=	security
 MASTER_SITES=	GNUPG
 
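Review bot: the bump from `-PORTVERSION=	2.2.7` to `+PORTVERSION=	2.2.8` is the only change in this hunk, and its three context lines stop at MASTER_SITES, so the rest of the Makefile is not visible; on a version bump, confirm that no PORTREVISION line exists further down that would now need to be removed. Since the distfile comes from MASTER_SITES=GNUPG, the new tarball should also be checked against the upstream GnuPG release signature before its checksum is recorded, which the log does not mention.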

Modified: head/security/gnupg/distinfo
==============================================================================
--- head/security/gnupg/distinfo	Fri Jun  8 14:16:30 2018	(r472002)
+++ head/security/gnupg/distinfo	Fri Jun  8 14:18:19 2018	(r472003)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1525435894
-SHA256 (gnupg-2.2.7.tar.bz2) = d95b361ee6ef7eff86af40c8c72bf9313736ac9f7010d6604d78bf83818e976e
-SIZE (gnupg-2.2.7.tar.bz2) = 6631100
+TIMESTAMP = 1528466286
+SHA256 (gnupg-2.2.8.tar.bz2) = 777b4cb8ced21965a5053d4fa20fe11484f0a478f3d011cef508a1a49db50dcd
+SIZE (gnupg-2.2.8.tar.bz2) = 6632465
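Review bot: the three replaced lines (TIMESTAMP, SHA256 and SIZE) are mutually consistent for gnupg-2.2.8.tar.bz2 and the new TIMESTAMP 1528466286 falls on 2018-06-08, the commit date, so distinfo was regenerated rather than hand-edited; what is missing is a statement of how the SHA256 was validated. `make makesum` records whatever was fetched, so for a security release the commit log should note that the tarball was verified against the upstream detached signature, not only that the checksum changed.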



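The channel separation that the CVE-2018-12020 description in the log turns on, as an added Python illustration that is not part of this commit or of GnuPG: a check that a gpg command line keeps `--status-fd` off stdout, stderr and the `--logger-fd` channel, plus a strict parser for status records; the status stream, the key identifiers and the diagnostic line below are constructed samples, not real output.

```python
import re

# Exact syntax of a gpg status line; anything else on the status fd is ignored.
STATUS_LINE = re.compile(r"^\[GNUPG:\] ([A-Z_]+)(?: (.*))?$")

def _option_value(argv, name):
    """Return the value of a long option given as 'name value' or 'name=value'."""
    for i, tok in enumerate(argv):
        if tok == name and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith(name + "="):
            return tok[len(name) + 1:]
    return None

def status_fd_is_isolated(argv):
    """True if the status fd is neither stdout, stderr, nor the --logger-fd
    (gpg writes diagnostics to stderr unless --logger-fd redirects them)."""
    status = _option_value(argv, "--status-fd")
    if status is None:
        return False
    logger = _option_value(argv, "--logger-fd") or "2"
    return status not in {"1", "2", logger}

def parse_status(text):
    """Parse status-fd text into (keyword, args) records, dropping non-status lines."""
    records = []
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            records.append((m.group(1), (m.group(2) or "").split()))
    return records

def signature_is_valid(records):
    """Single-signature rule (assumption): VALIDSIG present and no failure keyword seen."""
    seen = {kw for kw, _ in records}
    return "VALIDSIG" in seen and not seen & {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY"}

# Constructed sample of what a dedicated status fd carries for a good signature
# (key id, fingerprint and date are placeholders, not a real key).
STATUS_OK = ("[GNUPG:] NEWSIG\n"
             "[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>\n"
             "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-08\n")

# Constructed stderr diagnostic carrying an unsanitized file name: the embedded
# line feed makes its second line look like a status record, which is why the
# parser must only ever see the isolated status fd, never this channel.
DIAGNOSTICS = ("gpg: original file name='notes.txt\n"
               "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-08'\n")
```

With the 2.2.8 sanitization the second diagnostic line can no longer be produced, but a consumer that reads status records from a file descriptor of its own does not depend on that fix.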