Date: Fri, 4 Sep 2020 02:20:42 +0000 (UTC) From: Adam Weinberger <adamw@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r547501 - in branches/2020Q3/security/gnupg: . files Message-ID: <202009040220.0842KgSb099527@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: adamw Date: Fri Sep 4 02:20:42 2020 New Revision: 547501 URL: https://svnweb.freebsd.org/changeset/ports/547501 Log: MFH: r541749 r546681 r547499 Approved by: portmgr (with hat) gnupg: Update to 2.2.21 * gpg: Improve symmetric decryption speed by about 25%. See commit 144b95cc9d. * gpg: Support decryption of AEAD encrypted data packets. * gpg: Add option --no-include-key-block. [#4856] * gpg: Allow for extra padding in ECDH. [#4908] * gpg: Only a single pinentry is shown for symmetric encryption if the pinentry supports this. [#4971] * gpg: Print a note if no keys are given to --delete-key. [#4959] * gpg,gpgsm: The ridiculous passphrase quality bar is not anymore shown. [#2103] * gpgsm: Certificates without a CRL distribution point are now considered valid without looking up a CRL. The new option --enable-issuer-based-crl-check can be used to revert to the former behaviour. * gpgsm: Support rsaPSS signature verification. [#4538] * gpgsm: Unless CRL checking is disabled lookup a missing issuer certificate using the certificate's authorityInfoAccess. [#4898] * gpgsm: Print the certificate's serial number also in decimal notation. * gpgsm: Fix possible NULL-deref in messages of --gen-key. [#4895] * scd: Support the CardOS 5 based D-Trust Card 3.1. * dirmngr: Allow http URLs with "LOOKUP --url". * wkd: Take name of sendmail from configure. Fixes an OpenBSD specific bug. [#4886] Release-info: https://dev.gnupg.org/T4897 security/gnupg: Update to 2.2.22 Also, sort plist. The new gpgsplit binary is getting installed as gpgsplit2 to avoid a conflict with security/gnupg1. Noteworthy changes in version 2.2.22 ==================================== * gpg: Change the default key algorithm to rsa3072. * gpg: Add regular expression support for Trust Signatures on all platforms. [#4843] * gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat option. [#4991] * gpg: Ignore --personal-digest-prefs for ECDSA keys. [#5021] * gpgsm: Make rsaPSS a de-vs compliant scheme. * gpgsm: Show also the SHA256 fingerprint in key listings. * gpgsm: Do not require a default keyring for --gpgconf-list. [#4867] * gpg-agent: Default to extended key format and record the creation time of keys. Add new option --disable-extended-key-format. * gpg-agent: Support the WAYLAND_DISPLAY envvar. [#5016] * gpg-agent: Allow using --gpgconf-list even if HOME does not exist. [#4866] * gpg-agent: Make the Pinentry work even if the envvar TERM is set to the empty string. [#4137] * scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly incremented the error counter when using the "verify" command of "gpg --edit-key" with only the signature key being present. * dirmngr: Better handle systems with disabled IPv6. [#4977] * gpgpslit: Install tool. It was not installed in the past to avoid conflicts with the version installed by GnuPG 1.4. [#5023] (We're installing it as gpgsplit2 to avoid conflict with security/gnupg1) * gpgtar: Handle Unicode file names on Windows correctly (requires libgpg-error 1.39). [#4083] * gpgtar: Make --files-from and --null work as documented. [#5027] * Build the Windows installer with the new Ntbtls 0.2.0 so that TLS connections succeed for servers demanding GCM. Release-info: https://dev.gnupg.org/T5030 security/gnupg: Update to 2.2.23 Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04. Software distribution verification should not be affected by this bug because such a system uses a curated list of keys. Security: CVE-2020-25125 Added: branches/2020Q3/security/gnupg/files/patch-doc_Makefile.in - copied unchanged from r541749, head/security/gnupg/files/patch-doc_Makefile.in Modified: branches/2020Q3/security/gnupg/Makefile branches/2020Q3/security/gnupg/distinfo branches/2020Q3/security/gnupg/pkg-plist Directory Properties: branches/2020Q3/ (props changed) Modified: branches/2020Q3/security/gnupg/Makefile ============================================================================== --- branches/2020Q3/security/gnupg/Makefile Fri Sep 4 02:13:17 2020 (r547500) +++ branches/2020Q3/security/gnupg/Makefile Fri Sep 4 02:20:42 2020 (r547501) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= gnupg -PORTVERSION= 2.2.20 +PORTVERSION= 2.2.23 CATEGORIES= security MASTER_SITES= GNUPG @@ -31,6 +31,7 @@ CONFIGURE_ARGS= --disable-ntbtls --enable-gpg-is-gpg2 GNU_CONFIGURE= yes INFO= gnupg TEST_TARGET= check +TEST_ARGS= TESTARGS=--parallel SUB_FILES= pkg-message @@ -66,6 +67,7 @@ pre-build: @${TOUCH} ${WRKSRC}/doc/*.texi post-install: - @${MV} ${STAGEDIR}${DATADIR}/help*.txt ${STAGEDIR}${DOCSDIR} + ${MV} ${STAGEDIR}${PREFIX}/bin/gpgsplit ${STAGEDIR}${PREFIX}/bin/gpgsplit2 + ${MV} ${STAGEDIR}${DATADIR}/help*.txt ${STAGEDIR}${DOCSDIR} .include <bsd.port.mk> Modified: branches/2020Q3/security/gnupg/distinfo ============================================================================== --- branches/2020Q3/security/gnupg/distinfo Fri Sep 4 02:13:17 2020 (r547500) +++ branches/2020Q3/security/gnupg/distinfo Fri Sep 4 02:20:42 2020 (r547501) @@ -1,3 +1,3 @@ -TIMESTAMP = 1584729314 -SHA256 (gnupg-2.2.20.tar.bz2) = 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30 -SIZE (gnupg-2.2.20.tar.bz2) = 6786913 +TIMESTAMP = 1599184354 +SHA256 (gnupg-2.2.23.tar.bz2) = 10b55e49d78b3e49f1edb58d7541ecbdad92ddaeeb885b6f486ed23d1cd1da5c +SIZE (gnupg-2.2.23.tar.bz2) = 7099806 Copied: branches/2020Q3/security/gnupg/files/patch-doc_Makefile.in (from r541749, head/security/gnupg/files/patch-doc_Makefile.in) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2020Q3/security/gnupg/files/patch-doc_Makefile.in Fri Sep 4 02:20:42 2020 (r547501, copy of r541749, head/security/gnupg/files/patch-doc_Makefile.in) @@ -0,0 +1,16 @@ +This works around a breakage introduced in 2.2.21. +Hopefully the patch can be removed for 2.2.22. + +--- doc/Makefile.in.orig 2020-07-09 13:22:35 UTC ++++ doc/Makefile.in +@@ -1235,8 +1235,8 @@ defsincdate: $(gnupg_TEXINFOS) + if test -e $(top_srcdir)/.git; then \ + (cd $(srcdir) && git log -1 --format='%ct' \ + -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \ +- elif test x"$SOURCE_DATE_EPOCH" != x; then \ +- echo "$SOURCE_DATE_EPOCH" >>defsincdate ; \ ++ elif test x"$$SOURCE_DATE_EPOCH" != x; then \ ++ echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \ + fi + + defs.inc : defsincdate Makefile mkdefsinc Modified: branches/2020Q3/security/gnupg/pkg-plist ============================================================================== --- branches/2020Q3/security/gnupg/pkg-plist Fri Sep 4 02:13:17 2020 (r547500) +++ branches/2020Q3/security/gnupg/pkg-plist Fri Sep 4 02:20:42 2020 (r547501) @@ -1,17 +1,18 @@ bin/dirmngr bin/dirmngr-client -bin/gpg-connect-agent bin/gpg-agent -bin/gpgscm -bin/gpgsm -bin/gpgtar +bin/gpg-connect-agent %%WKS_SERVER%%bin/gpg-wks-server -bin/kbxutil %%SUID_GPG%%@(,,4555) bin/gpg2 %%NO_SUID_GPG%%bin/gpg2 bin/gpgconf bin/gpgparsemail +bin/gpgscm +bin/gpgsm +bin/gpgsplit2 +bin/gpgtar bin/gpgv2 +bin/kbxutil bin/symcryptrun bin/watchgnupg %%LDAP%%libexec/dirmngr_ldap
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009040220.0842KgSb099527>