update to v1.0.5. ok markus@.

2001-05-23 15:28:49 +00:00 · 2001-05-23 15:28:49 +00:00 · 436c5ffef5
commit 436c5ffef5
parent d19ed8bd90
8 changed files with 63 additions and 236 deletions
--- a/security/gnupg/Makefile
+++ b/security/gnupg/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.28 2001/04/17 20:53:04 reinhard Exp $
+# $OpenBSD: Makefile,v 1.29 2001/05/23 15:28:49 jakob Exp $
 COMMENT=	'GNU privacy guard - a free PGP replacement'
-DISTNAME=	gnupg-1.0.4
+DISTNAME=	gnupg-1.0.5
-PKGNAME=	${DISTNAME}p2
+PKGNAME=	${DISTNAME}
 CATEGORIES=	security
 NEED_VERSION=	1.363
 MASTER_SITES=	ftp://ftp.gnupg.org/pub/gcrypt/gnupg/ \
@ -18,8 +18,8 @@ MASTER_SITES=	ftp://ftp.gnupg.org/pub/gcrypt/gnupg/ \
 		ftp://ftp.net.lut.ac.uk/gcrypt/gnupg/ \
 		ftp://gd.tuwien.ac.at/privacy/gnupg/gnupg/
 MASTER_SITES0=	ftp://ftp.gnupg.org/pub/gcrypt/contrib/ 
-DISTFILES=	gnupg-1.0.4.tar.gz 
+DISTFILES=	${DISTNAME}${EXTRACT_SUFX}
-EXTRACT_ONLY=	gnupg-1.0.4.tar.gz 
+EXTRACT_ONLY=	${DISTNAME}${EXTRACT_SUFX}
 HOMEPAGE=	http://www.gnupg.org/
@ -43,9 +43,9 @@ PERMIT_DISTFILES_CDROM=	"a patented algorithm"
 PERMIT_DISTFILES_FTP=	"a patented algorithm"
 # NB: idea.c is found in ${MASTER_SITES0}
 DISTFILES+=	idea.c:0
 PATCH_LIST=	patch-*
 PATCH_LIST+=	${FILESDIR}/patch-cipher_Makefile_am 
 PATCH_LIST+=	${FILESDIR}/patch-cipher_Makefile_in
 SED_PLIST+=	-e 's,^!%%idea%%,lib/gnupg/idea,'
 pre-patch:
 	@cp ${DISTDIR}/idea.c ${WRKSRC}/cipher
 .endif
--- a/security/gnupg/files/md5
+++ b/security/gnupg/files/md5
@ -1,6 +1,6 @@
-MD5 (gnupg-1.0.4.tar.gz) = bef2267bfe9b74a00906a78db34437f9
+MD5 (gnupg-1.0.5.tar.gz) = 44c71c3f5a9edbf5738cafc37e8359e6
 RMD160 (gnupg-1.0.4.tar.gz) = 62fd2470c7eefb9e7c80d4e3337cce6547803157
 SHA1 (gnupg-1.0.4.tar.gz) = 7940d42ddf4e992152232b837e25f6b462622df5
 MD5 (idea.c) = 7d0557459e0a41da099ddbd837d4bd40
 RMD160 (gnupg-1.0.5.tar.gz) = aae6687dac926ee8d423e6d82e86bf27f263175c
 RMD160 (idea.c) = 86ac117facd1fe498a6b964bce9ba1ce6e2ab094
 SHA1 (gnupg-1.0.5.tar.gz) = e30358cae1e1f7aece84b6808b1366f12a1ff527
 SHA1 (idea.c) = 1cbae164674dfb9da624e088fe7d66d7c0d4f17e
--- a/security/gnupg/patches/patch-g10_misc.c
+++ b/security/gnupg/patches/patch-g10_misc.c
@ -1,39 +0,0 @@
 From: Werner Koch <wk@gnupg.org>
 To: gnupg-announce@gnupg.org
 Subject: [Announce] Minor gpg fix
 Message-ID: <20001018160137.O15768@gnupg.de>
 Hi,
 some folks asked what the message
  gpg: this cipher algorithm is depreciated; please use a more standard one!
 does mean.  Yes, gpg 1.0.4 should not emit this message.  I forgot
 to put the AES cipher algorithm into the list of "good" algorithms.
 Either ignore this message or apply the patch below.
  Werner
 Index: g10/misc.c
 ===================================================================
 RCS file: /home/koch/cvs/gnupg/g10/misc.c,v
 retrieving revision 1.16.2.4
 diff -u -r1.16.2.4 misc.c
 --- g10/misc.c	2000/10/13 15:03:48	1.16.2.4
 +++ g10/misc.c	2000/10/18 13:34:01
@@ -224,6 +224,9 @@
 	     || algo == CIPHER_ALGO_CAST5
 	     || algo == CIPHER_ALGO_BLOWFISH
 	     || algo == CIPHER_ALGO_TWOFISH
 +	     || algo == CIPHER_ALGO_RIJNDAEL
 +	     || algo == CIPHER_ALGO_RIJNDAEL192
 +	     || algo == CIPHER_ALGO_RIJNDAEL256
 	   )
 	;
     else {
--- a/security/gnupg/patches/patch-g10_openfile.c
+++ b/security/gnupg/patches/patch-g10_openfile.c
@ -1,82 +0,0 @@
 From ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.security-patch1.diff
 Hi!
 It has been pointed out that there is another bug in the signature
 verification code of GnuPG.
         * This can easily lead to false positives *
 All versions of GnuPG released before today are vulnerable!
 To check a detached singature you normally do this:
  gpg --verify foo.sig foo.txt
 The problem here is that someone may replace foo.sig with a standard
 signature containing some arbitrary signed text and its signature,
 and then modify foo.txt - GnuPG does not detect this - Ooops.
 The solution for this problem ist not easy and needs a change in the
 semantics of the --verify command: It will not any longer be
 possible to do this:
  gpg --verify foo.sig <foo.txt
 Instead you have to use this
  gpg --verify foo.sig - <foo.txt
 The difference here is that gpg sees 2 files on the command lines
 and thereby knows that it should check a detached signature.  We
 really need this information and there is no way to avoid that
 change, sorry.  You should make sure that you never use the first
 form, because this will lead to false positives when foo.sig is not
 a detached signature - gnupg does detect the other case and warns
 you, but this is not sufficient.  If you use GnuPG from other
 applications, please change it.
 What to do:
  1. Apply the attached patch to GnuPG 1.0.4
  2. Check all programs which are designed to verify detached
     signatures, that they don't use the vulnerable way of passing
     data to GnuPG.
 Currently we are reviewing some other minor bug fixes and
 it might take some time to release a fixed version.
 I apologize for this bug and have to thank Rene Puls for finding it.
  Werner
 p.s.
 I'd really appreciate if some volunteers can write more regression
 tests; especially those for bugs of this kind.
 Apply the patch using "patch -p1" while in the top directory of the
 GnuPG source.  The patch is against the 1.0.4 release.
 --- g10/openfile.c.orig	Tue Sep  5 17:31:57 2000
 +++ g10/openfile.c	Sat Dec 23 14:56:19 2000
@@ -257,7 +257,7 @@ open_sigfile( const char *iname )
 	    buf = m_strdup(iname);
 	    buf[len-4] = 0 ;
 	    a = iobuf_open( buf );
 -	    if( opt.verbose )
 +	    if( a && opt.verbose )
 		log_info(_("assuming signed data in `%s'\n"), buf );
 	    m_free(buf);
 	}
@@ -329,7 +329,7 @@ try_make_homedir( const char *fname )
     if ( ( *defhome == '~'
            && ( strlen(fname) >= strlen (defhome+1)
 -                && !strcmp(fname+strlen(defhome+1)-strlen(defhome+1),
 +                && !strcmp(fname+strlen(fname)-strlen(defhome+1),
                            defhome+1 ) ))
          || ( *defhome != '~'
               && !compare_filenames( fname, defhome ) )
--- a/security/gnupg/patches/patch-g10_plaintext.c
+++ b/security/gnupg/patches/patch-g10_plaintext.c
@ -1,104 +0,0 @@
 From ftp://ftp.gnupg.org/pub/gcrypt/gnupg/gnupg-1.0.4.security-patch1.diff
 Hi!
 It has been pointed out that there is another bug in the signature
 verification code of GnuPG.
         * This can easily lead to false positives *
 All versions of GnuPG released before today are vulnerable!
 To check a detached singature you normally do this:
  gpg --verify foo.sig foo.txt
 The problem here is that someone may replace foo.sig with a standard
 signature containing some arbitrary signed text and its signature,
 and then modify foo.txt - GnuPG does not detect this - Ooops.
 The solution for this problem ist not easy and needs a change in the
 semantics of the --verify command: It will not any longer be
 possible to do this:
  gpg --verify foo.sig <foo.txt
 Instead you have to use this
  gpg --verify foo.sig - <foo.txt
 The difference here is that gpg sees 2 files on the command lines
 and thereby knows that it should check a detached signature.  We
 really need this information and there is no way to avoid that
 change, sorry.  You should make sure that you never use the first
 form, because this will lead to false positives when foo.sig is not
 a detached signature - gnupg does detect the other case and warns
 you, but this is not sufficient.  If you use GnuPG from other
 applications, please change it.
 What to do:
  1. Apply the attached patch to GnuPG 1.0.4
  2. Check all programs which are designed to verify detached
     signatures, that they don't use the vulnerable way of passing
     data to GnuPG.
 Currently we are reviewing some other minor bug fixes and
 it might take some time to release a fixed version.
 I apologize for this bug and have to thank Rene Puls for finding it.
  Werner
 p.s.
 I'd really appreciate if some volunteers can write more regression
 tests; especially those for bugs of this kind.
 Apply the patch using "patch -p1" while in the top directory of the
 GnuPG source.  The patch is against the 1.0.4 release.
 --- g10/plaintext.c.orig	Wed Jul 26 11:21:58 2000
 +++ g10/plaintext.c	Sat Dec 23 14:51:54 2000
@@ -370,7 +370,7 @@ hash_datafiles( MD_HANDLE md, MD_HANDLE 
 		const char *sigfilename, int textmode )
 {
     IOBUF fp;
 -    STRLIST sl=NULL;
 +    STRLIST sl;
     if( !files ) {
 	/* check whether we can open the signed material */
@@ -380,27 +380,21 @@ hash_datafiles( MD_HANDLE md, MD_HANDLE 
 	    iobuf_close(fp);
 	    return 0;
 	}
 -	/* no we can't (no sigfile) - read signed stuff from stdin */
 -	add_to_strlist( &sl, "-");
 +	log_error (_("no signed data\n"));
 +	return G10ERR_OPEN_FILE;
     }
 -    else
 -	sl = files;
 -    for( ; sl; sl = sl->next ) {
 +    for (sl=files; sl; sl = sl->next ) {
 	fp = iobuf_open( sl->d );
 	if( !fp ) {
 	    log_error(_("can't open signed data `%s'\n"),
 						print_fname_stdin(sl->d));
 -	    if( !files )
 -		free_strlist(sl);
 	    return G10ERR_OPEN_FILE;
 	}
 	do_hash( md, md2, fp, textmode );
 	iobuf_close(fp);
     }
 -    if( !files )
 -	free_strlist(sl);
     return 0;
 }
--- a/security/gnupg/patches/patch-po_Makefile.in.in
+++ b/security/gnupg/patches/patch-po_Makefile.in.in
@ -0,0 +1,34 @@
 $OpenBSD: patch-po_Makefile.in.in,v 1.1 2001/05/23 15:28:50 jakob Exp $
 --- po/Makefile.in.in.orig	Wed May 23 16:15:53 2001
 +++ po/Makefile.in.in	Wed May 23 16:20:20 2001
@@ -24,6 +24,8 @@ gnulocaledir = $(prefix)/share/locale
 gettextsrcdir = $(prefix)/share/gettext/po
 subdir = po
 +DESTDIR =
 +
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 MKINSTALLDIRS = $(top_srcdir)/@MKINSTALLDIRS@
@@ -111,16 +113,16 @@ install-data: install-data-@USE_NLS@
 install-data-no: all
 install-data-yes: all
 	if test -r "$(MKINSTALLDIRS)"; then \
 -	  $(MKINSTALLDIRS) $(datadir); \
 +	  $(MKINSTALLDIRS) $(DESTDIR)$(datadir); \
 	else \
 -	  $(SHELL) $(top_srcdir)/mkinstalldirs $(datadir); \
 +	  $(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(datadir); \
 	fi
 	@catalogs='$(CATALOGS)'; \
 	for cat in $$catalogs; do \
 	  cat=`basename $$cat`; \
 	  case "$$cat" in \
 -	    *.gmo) destdir=$(gnulocaledir);; \
 -	    *)     destdir=$(localedir);; \
 +	    *.gmo) destdir=$(DESTDIR)$(gnulocaledir);; \
 +	    *)     destdir=$(DESTDIR)$(localedir);; \
 	  esac; \
 	  lang=`echo $$cat | sed 's/\$(CATOBJEXT)$$//'`; \
 	  dir=$$destdir/$$lang/LC_MESSAGES; \
--- a/security/gnupg/pkg/PFRAG.idea
+++ b/security/gnupg/pkg/PFRAG.idea
@ -0,0 +1,2 @@
@comment $OpenBSD: PFRAG.idea,v 1.1 2001/05/23 15:28:50 jakob Exp $
 lib/gnupg/idea
--- a/security/gnupg/pkg/PLIST
+++ b/security/gnupg/pkg/PLIST
@ -1,10 +1,10 @@
-@comment $OpenBSD: PLIST,v 1.8 2001/03/03 17:17:28 reinhard Exp $
+@comment $OpenBSD: PLIST,v 1.9 2001/05/23 15:28:50 jakob Exp $
 bin/gpg
 bin/gpgv
 lib/gnupg/rndunix
 lib/gnupg/rndegd
 lib/gnupg/tiger
-!%%idea%%
+%%idea%%
 man/man1/gpg.1
 man/man1/gpgv.1
 share/doc/gnupg/README
@ -19,6 +19,22 @@ share/doc/gnupg/OpenPGP
 share/doc/gnupg/HACKING
 share/doc/gnupg/faq.html
 share/gnupg/options.skel
 share/locale/da/LC_MESSAGES/gnupg.mo
 share/locale/de/LC_MESSAGES/gnupg.mo
 share/locale/eo/LC_MESSAGES/gnupg.mo
 share/locale/es_ES/LC_MESSAGES/gnupg.mo
 share/locale/et/LC_MESSAGES/gnupg.mo
 share/locale/fr/LC_MESSAGES/gnupg.mo
 share/locale/id/LC_MESSAGES/gnupg.mo
 share/locale/it/LC_MESSAGES/gnupg.mo
 share/locale/ja/LC_MESSAGES/gnupg.mo
 share/locale/nl/LC_MESSAGES/gnupg.mo
 share/locale/pl/LC_MESSAGES/gnupg.mo
 share/locale/pt_BR/LC_MESSAGES/gnupg.mo
 share/locale/pt_PT/LC_MESSAGES/gnupg.mo
 share/locale/ru/LC_MESSAGES/gnupg.mo
 share/locale/sv/LC_MESSAGES/gnupg.mo
 share/locale/tr/LC_MESSAGES/gnupg.mo
@dirrm lib/gnupg
@dirrm share/doc/gnupg
@dirrm share/gnupg
		`@ -0,0 +1,2 @@`
							`@comment $OpenBSD: PFRAG.idea,v 1.1 2001/05/23 15:28:50 jakob Exp $`
							`lib/gnupg/idea`