commit: 988fa70ca5731f8d4a1862d559603cbf13d569be Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Thu Jun 30 20:01:02 2022 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Thu Jun 30 20:01:08 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=988fa70c
app-crypt/gnupg: backport signature status message fix Bug: https://bugs.gentoo.org/855395 Signed-off-by: Sam James <sam <AT> gentoo.org> .../gnupg-2.2.35-status-messages-garbled.patch | 45 ++++++ .../gnupg-2.3.6-status-messages-garbled.patch | 45 ++++++ app-crypt/gnupg/gnupg-2.2.35-r1.ebuild | 160 ++++++++++++++++++++ app-crypt/gnupg/gnupg-2.3.6-r1.ebuild | 165 +++++++++++++++++++++ 4 files changed, 415 insertions(+) diff --git a/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch b/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch new file mode 100644 index 000000000000..23dbf00b1831 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch @@ -0,0 +1,45 @@ +https://bugs.gentoo.org/855395 +https://marc.info/?l=oss-security&m=165657063921408&w=2 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21 + +From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001 +From: Werner Koch <w...@gnupg.org> +Date: Tue, 14 Jun 2022 11:33:27 +0200 +Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA + +* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one +-- + +Depending on the escaping and line wrapping the computed remaining +buffer length could be wrong. Fixed by always using a break to +terminate the escape detection loop. Might have happened for all +status lines which may wrap. + +GnuPG-bug-id: T6027 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string, + } + first = 0; + } +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) ++ for (esc=0, s=buffer, n=len; n; s++, n--) + { + if (*s == '%' || *(const byte*)s <= lower_limit + || *(const byte*)s == 127 ) + esc = 1; + if (wrap && ++count > wrap) +- { +- dowrap=1; +- break; +- } +- } +- if (esc) +- { +- s--; n++; ++ dowrap=1; ++ if (esc || dowrap) ++ break; + } + if (s != buffer) + es_fwrite (buffer, s-buffer, 1, statusfp); diff --git a/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch b/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch new file mode 100644 index 000000000000..4bac4fea0f0e --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch @@ -0,0 +1,45 @@ +https://bugs.gentoo.org/855395 +https://marc.info/?l=oss-security&m=165657063921408&w=2 +https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=34c649b3601383cd11dbc76221747ec16fd68e1b;hp=4dbef2addca8c76fb4953fd507bd800d2a19d3ec + +From 34c649b3601383cd11dbc76221747ec16fd68e1b Mon Sep 17 00:00:00 2001 +From: Werner Koch <w...@gnupg.org> +Date: Tue, 14 Jun 2022 11:33:27 +0200 +Subject: [PATCH 1/1] g10: Fix garbled status messages in NOTATION_DATA + +* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one +-- + +Depending on the escaping and line wrapping the computed remaining +buffer length could be wrong. Fixed by always using a break to +terminate the escape detection loop. Might have happened for all +status lines which may wrap. + +GnuPG-bug-id: T6027 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string, + } + first = 0; + } +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) ++ for (esc=0, s=buffer, n=len; n; s++, n--) + { + if (*s == '%' || *(const byte*)s <= lower_limit + || *(const byte*)s == 127 ) + esc = 1; + if (wrap && ++count > wrap) +- { +- dowrap=1; +- break; +- } +- } +- if (esc) +- { +- s--; n++; ++ dowrap=1; ++ if (esc || dowrap) ++ break; + } + if (s != buffer) + es_fwrite (buffer, s-buffer, 1, statusfp); diff --git a/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild b/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild new file mode 100644 index 000000000000..8590dbbe4f97 --- /dev/null +++ b/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild @@ -0,0 +1,160 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc +inherit flag-o-matic systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/"; +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" +RESTRICT="!test? ( test )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=">=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.8.0:= + >=dev-libs/libgpg-error-1.29 + >=dev-libs/libksba-1.3.5 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + sys-libs/zlib + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:0= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + ssl? ( >=net-libs/gnutls-3.0:0= ) + tofu? ( >=dev-db/sqlite-3.7 )" + +RDEPEND="${DEPEND} + app-crypt/pinentry + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta )" + +BDEPEND="virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg )" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/${P}-status-messages-garbled.patch +) + +src_prepare() { + default + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i doc/examples/systemd-user/gpg-agent-ssh.socket || die +} + +src_configure() { + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) + $(use_enable tofu) + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + --with-mailprog=/usr/libexec/sendmail + --disable-ntbtls + --enable-gpg + --enable-gpgsm + --enable-large-secmem + + CC_FOR_BUILD="$(tc-getBUILD_CC)" + GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" + KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" + LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" + LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" + NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" + fi + + # bug #663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + + econf "${myconf[@]}" +} + +src_compile() { + default + + use doc && emake -C doc html +} + +src_test() { + # bug #638574 + use tofu && export TESTFLAGS=--parallel + + default +} + +src_install() { + default + + use tools && + dobin \ + tools/{convert-from-106,gpg-check-pattern} \ + tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ + tools/make-dns-cert + + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + + dodir /etc/env.d + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die + + use doc && dodoc doc/gnupg.html/* doc/*.png + + systemd_douserunit doc/examples/systemd-user/*.{service,socket} +} diff --git a/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild b/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild new file mode 100644 index 000000000000..c2540e9010b7 --- /dev/null +++ b/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild @@ -0,0 +1,165 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc +inherit flag-o-matic systemd toolchain-funcs verify-sig + +MY_P="${P/_/-}" + +DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" +HOMEPAGE="https://gnupg.org/"; +SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server" +RESTRICT="!test? ( test )" +REQUIRED_USE="test? ( tofu )" + +# Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! +DEPEND=">=dev-libs/libassuan-2.5.0 + >=dev-libs/libgcrypt-1.9.1:= + >=dev-libs/libgpg-error-1.41 + >=dev-libs/libksba-1.3.4 + >=dev-libs/npth-1.2 + >=net-misc/curl-7.10 + sys-libs/zlib + bzip2? ( app-arch/bzip2 ) + ldap? ( net-nds/openldap:= ) + readline? ( sys-libs/readline:0= ) + smartcard? ( usb? ( virtual/libusb:1 ) ) + tofu? ( >=dev-db/sqlite-3.27 ) + tpm? ( >=app-crypt/tpm2-tss-2.4.0:= ) + ssl? ( >=net-libs/gnutls-3.0:0= ) +" + +RDEPEND="${DEPEND} + app-crypt/pinentry + nls? ( virtual/libintl ) + selinux? ( sec-policy/selinux-gpg ) + wks-server? ( virtual/mta )" + +BDEPEND="virtual/pkgconfig + doc? ( sys-apps/texinfo ) + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg )" + +DOCS=( + ChangeLog NEWS README THANKS TODO VERSION + doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER +) + +PATCHES=( + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/${P}-status-messages-garbled.patch +) + +src_prepare() { + default + + # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode, + # idea borrowed from libdbus, see + # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6 + # + # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl', + # which in turn requires discovery in Autoconf, something that upstream deeply resents. + sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \ + -i doc/examples/systemd-user/gpg-agent-ssh.socket || die +} + +src_configure() { + local myconf=( + $(use_enable bzip2) + $(use_enable nls) + $(use_enable smartcard scdaemon) + $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) + $(use_enable tofu) + $(use_enable tofu keyboxd) + $(use_enable tofu sqlite) + $(usex tpm '--with-tss=intel' '--disable-tpm2d') + $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') + $(use_enable wks-server wks-tools) + $(use_with ldap) + $(use_with readline) + --with-mailprog=/usr/libexec/sendmail + --disable-ntbtls + --enable-gpgsm + --enable-large-secmem + + CC_FOR_BUILD="$(tc-getBUILD_CC)" + GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" + KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" + LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" + LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" + NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') + ) + + if use prefix && use usb; then + # bug #649598 + append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0" + fi + + # bug #663142 + if use user-socket; then + myconf+=( --enable-run-gnupg-user-socket ) + fi + + # glib fails and picks up clang's internal stdint.h causing weird errors + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h + + # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. + # As of GnuPG 2.3, the mailprog substitution is used for the binary called + # by wks-client & wks-server; and if it's autodetected but not not exist at + # build time, then then 'gpg-wks-client --send' functionality will not + # work. This has an unwanted side-effect in stage3 builds: there was a + # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating + # the build where the install guide previously make the user chose the + # logger & mta early in the install. + + econf "${myconf[@]}" +} + +src_compile() { + default + + use doc && emake -C doc html +} + +src_test() { + # bug #638574 + use tofu && export TESTFLAGS=--parallel + + default +} + +src_install() { + default + + use tools && + dobin \ + tools/{convert-from-106,gpg-check-pattern} \ + tools/{gpgconf,gpgsplit,lspgpot,mail-signed-keys} \ + tools/make-dns-cert + + dosym gpg /usr/bin/gpg2 + dosym gpgv /usr/bin/gpgv2 + echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die + echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die + + dodir /etc/env.d + echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die + + use doc && dodoc doc/gnupg.html/* doc/*.png + + systemd_douserunit doc/examples/systemd-user/*.{service,socket} +}
