head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.2
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2013Q1:1.1.0.4
	pkgsrc-2013Q1-base:1.1
	pkgsrc-2012Q4:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2013.05.29.22.53.36;	author wiz;	state dead;
branches;
next	1.1;
commitid	TArHjDaKeSPGZzRw;

1.1
date	2013.01.15.11.21.50;	author drochner;	state Exp;
branches
	1.1.2.1;
next	;

1.1.2.1
date	2013.01.15.11.21.50;	author tron;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2013.01.18.16.43.23;	author tron;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update to 2.0.20:

Noteworthy changes in version 2.0.20 (2013-05-10)
-------------------------------------------------

 * Decryption using smartcards keys > 3072 bit does now work.

 * New meta option ignore-invalid-option to allow using the same
   option file by other GnuPG versions.

 * gpg: The hash algorithm is now printed for sig records in key listings.

 * gpg: Skip invalid keyblock packets during import to avoid a DoS.

 * gpg: Correctly handle ports from DNS SRV records.

 * keyserver: Improve use of SRV records

 * gpg-agent: Avoid tty corruption when killing pinentry.

 * scdaemon: Improve detection of card insertion and removal.

 * scdaemon: Rename option --disable-keypad to --disable-pinpad.

 * scdaemon: Better support for CCID readers.  Now, the internal CCID
   driver supports readers without the auto configuration feature.

 * scdaemon: Add pinpad input for PC/SC, if your reader has pinpad and
   it supports variable length PIN input, and you specify
   --enable-pinpad-varlen option.

 * scdaemon: New option --enable-pinpad-varlen.

 * scdaemon: Install into libexecdir to avoid accidental execution
   from the command line.

 * Support building using w64-mingw32.

 * Assorted bug fixes.
@
text
@$NetBSD: patch-CVE-2012-6085,v 1.1 2013/01/15 11:21:50 drochner Exp $

upstream rev. 498882296ffac7987c644aaf2a0aa108a2925471

--- g10/import.c.orig	2012-03-27 08:00:37.000000000 +0000
+++ g10/import.c
@@@@ -347,6 +347,27 @@@@ import_print_stats (void *hd)
 }
 
 
+/* Return true if PKTTYPE is valid in a keyblock.  */
+static int
+valid_keyblock_packet (int pkttype)
+{
+  switch (pkttype)
+    {
+    case PKT_PUBLIC_KEY:
+    case PKT_PUBLIC_SUBKEY:
+    case PKT_SECRET_KEY:
+    case PKT_SECRET_SUBKEY:
+    case PKT_SIGNATURE:
+    case PKT_USER_ID:
+    case PKT_ATTRIBUTE:
+    case PKT_RING_TRUST:
+      return 1;
+    default:
+      return 0;
+    }
+}
+
+
 /****************
  * Read the next keyblock from stream A.
  * PENDING_PKT should be initialzed to NULL
@@@@ -424,7 +445,7 @@@@ read_block( IOBUF a, PACKET **pending_pk
 	    }
 	    in_cert = 1;
 	  default:
-	    if( in_cert ) {
+	    if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
 		if( !root )
 		    root = new_kbnode( pkt );
 		else
@


1.1
log
@add patch from upstream to fix possible keyring corruption
on import of corrupted keys (CVE-2012-6085), bump PKGREV
from "Bug Hunting" per PR pkg/47442
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-CVE-2012-6085 was added on branch pkgsrc-2012Q4 on 2013-01-18 16:43:23 +0000
@
text
@d1 43
@


1.1.2.2
log
@Pullup ticket #4029 - requested by drochner
security/gnupg2: security patch

Revisions pulled up:
- security/gnupg2/Makefile                                      1.42
- security/gnupg2/distinfo                                      1.26
- security/gnupg2/patches/patch-CVE-2012-6085                   1.1

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Tue Jan 15 11:21:50 UTC 2013

   Modified Files:
           pkgsrc/security/gnupg2: Makefile distinfo
   Added Files:
           pkgsrc/security/gnupg2/patches: patch-CVE-2012-6085

   Log Message:
   add patch from upstream to fix possible keyring corruption
   on import of corrupted keys (CVE-2012-6085), bump PKGREV
   from "Bug Hunting" per PR pkg/47442
@
text
@a0 43
$NetBSD$

upstream rev. 498882296ffac7987c644aaf2a0aa108a2925471

--- g10/import.c.orig	2012-03-27 08:00:37.000000000 +0000
+++ g10/import.c
@@@@ -347,6 +347,27 @@@@ import_print_stats (void *hd)
 }
 
 
+/* Return true if PKTTYPE is valid in a keyblock.  */
+static int
+valid_keyblock_packet (int pkttype)
+{
+  switch (pkttype)
+    {
+    case PKT_PUBLIC_KEY:
+    case PKT_PUBLIC_SUBKEY:
+    case PKT_SECRET_KEY:
+    case PKT_SECRET_SUBKEY:
+    case PKT_SIGNATURE:
+    case PKT_USER_ID:
+    case PKT_ATTRIBUTE:
+    case PKT_RING_TRUST:
+      return 1;
+    default:
+      return 0;
+    }
+}
+
+
 /****************
  * Read the next keyblock from stream A.
  * PENDING_PKT should be initialzed to NULL
@@@@ -424,7 +445,7 @@@@ read_block( IOBUF a, PACKET **pending_pk
 	    }
 	    in_cert = 1;
 	  default:
-	    if( in_cert ) {
+	    if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
 		if( !root )
 		    root = new_kbnode( pkt );
 		else
@