From owner-svn-ports-head@freebsd.org Fri Sep 4 02:12:39 2020
Return-Path:
Delivered-To: svn-ports-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A4F9C3D2D70; Fri, 4 Sep 2020 02:12:39 +0000 (UTC) (envelope-from adamw@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BjLmR3sCtz4N3k; Fri, 4 Sep 2020 02:12:39 +0000 (UTC) (envelope-from adamw@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 67C0E25884; Fri, 4 Sep 2020 02:12:39 +0000 (UTC) (envelope-from adamw@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0842CdKf098632; Fri, 4 Sep 2020 02:12:39 GMT (envelope-from adamw@FreeBSD.org)
Received: (from adamw@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0842CdPl098631; Fri, 4 Sep 2020 02:12:39 GMT (envelope-from adamw@FreeBSD.org)
Message-Id: <202009040212.0842CdPl098631@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: adamw set sender to adamw@FreeBSD.org using -f
From: Adam Weinberger
Date: Fri, 4 Sep 2020 02:12:39 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r547499 - head/security/gnupg
X-SVN-Group: ports-head
X-SVN-Commit-Author: adamw
X-SVN-Commit-Paths: head/security/gnupg
X-SVN-Commit-Revision: 547499
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 04 Sep 2020 02:12:39 -0000

Author: adamw
Date: Fri Sep 4 02:12:38 2020
New Revision: 547499

URL: https://svnweb.freebsd.org/changeset/ports/547499

Log:
  security/gnupg: Update to 2.2.23

  Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus trigger this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control, with every first byte having a fixed value of 0x04. Software distribution verification should not be affected by this bug because such a system uses a curated list of keys.

  MFH: 2020Q3
  Security: CVE-2020-25125

Modified:
  head/security/gnupg/Makefile
  head/security/gnupg/distinfo

Modified: head/security/gnupg/Makefile ============================================================================== --- head/security/gnupg/Makefile Fri Sep 4 02:06:26 2020 (r547498) +++ head/security/gnupg/Makefile Fri Sep 4 02:12:38 2020 (r547499) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= gnupg -PORTVERSION= 2.2.22 +PORTVERSION= 2.2.23 CATEGORIES= security MASTER_SITES= GNUPG
@@ -31,6 +31,7 @@ CONFIGURE_ARGS= --disable-ntbtls --enable-gpg-is-gpg2 GNU_CONFIGURE= yes INFO= gnupg TEST_TARGET= check +TEST_ARGS= TESTARGS=--parallel SUB_FILES= pkg-message Modified: head/security/gnupg/distinfo ============================================================================== --- head/security/gnupg/distinfo Fri Sep 4 02:06:26 2020 (r547498) +++ head/security/gnupg/distinfo Fri Sep 4 02:12:38 2020 (r547499) @@ -1,3 +1,3 @@ -TIMESTAMP = 1598556721 -SHA256 (gnupg-2.2.22.tar.bz2) = 7c1370565e1910b9d8c4e0fb57b9de34aa062ec7bb91abad5803d791f38d855b -SIZE (gnupg-2.2.22.tar.bz2) = 7098444 +TIMESTAMP = 1599184354 +SHA256 (gnupg-2.2.23.tar.bz2) = 10b55e49d78b3e49f1edb58d7541ecbdad92ddaeeb885b6f486ed23d1cd1da5c +SIZE (gnupg-2.2.23.tar.bz2) = 7099806
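Review bot: the second Makefile hunk (`+TEST_ARGS= TESTARGS=--parallel`) is a test-harness change that the log does not mention; the log only describes the 2.2.23 bump and CVE-2020-25125. Since this commit is tagged MFH: 2020Q3, either note the TEST_ARGS addition in the log or split it into a separate commit so the security merge stays limited to the version bump and distinfo update and the parallel-test change can be reviewed on its own.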
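Review bot: the distinfo hunk updates TIMESTAMP, SHA256 and SIZE together for gnupg-2.2.23.tar.bz2, which is consistent with the PORTVERSION change, but for a security update the log does not record how the new SHA256 (`10b55e49...cd1da5c`) was validated. Recording in the log that the tarball was checked against the upstream release signature, rather than only re-hashed after fetch, gives reviewers of the 2020Q3 merge a verifiable provenance trail for the new checksum.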