Maintenance update and fix for CVE-2017-7526
author: Andre Heinecke <aheinecke@intevation.de>
Thu, 6 Jul 2017 08:22:40 +0000 (10:22 +0200)
committer: Andre Heinecke <aheinecke@intevation.de>
Thu, 6 Jul 2017 08:22:40 +0000 (10:22 +0200)
* packages/packages.current (libgcrypt): Update to 1.7.8.
(gpa): Update to 0.9.10
(libpng, curl, gnutls, gettext, libiconv, zlib): Update.
* NEWS: Mention changes.
* Makefile.am (EXTRA_DIST): Update accordingly.
* patches/gnutls-2.12.23: Move to gnutls-2.1.24
* patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch:
New.

--
This is in preparation for a 2.3.4 release, mainly to include
the newest libgcrypt. It is likely that not all gnutls patches
will apply. This will be fixed in a second commit.

14 files changed:
Makefile.am
NEWS
packages/packages.current
patches/gnutls-2.12.24/01-openssl-wincrypt.patch [moved from patches/gnutls-2.12.23/01-openssl-wincrypt.patch with 100% similarity]
patches/gnutls-2.12.24/02-cve-2013-2116.patch [moved from patches/gnutls-2.12.23/02-cve-2013-2116.patch with 100% similarity]
patches/gnutls-2.12.24/03-cve-2014-1959.patch [moved from patches/gnutls-2.12.23/03-cve-2014-1959.patch with 100% similarity]
patches/gnutls-2.12.24/04-cve-2014-0092.patch [moved from patches/gnutls-2.12.23/04-cve-2014-0092.patch with 100% similarity]
patches/gnutls-2.12.24/05-cve-2014-3466.patch [moved from patches/gnutls-2.12.23/05-cve-2014-3466.patch with 100% similarity]
patches/gnutls-2.12.24/06-cve-2015-0282.patch [moved from patches/gnutls-2.12.23/06-cve-2015-0282.patch with 100% similarity]
patches/gnutls-2.12.24/07-cve-2015-0294.patch [moved from patches/gnutls-2.12.23/07-cve-2015-0294.patch with 100% similarity]
patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch [moved from patches/gnutls-2.12.23/25_updatedgdocfrommaster.patch with 100% similarity]
patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch [moved from patches/gnutls-2.12.23/fix-gcrypt-private-api-usage.patch with 100% similarity]
patches/gnutls-2.12.24/gnulib-mingw-w64-fix.patch [moved from patches/gnutls-2.12.23/gnulib-mingw-w64-fix.patch with 100% similarity]
patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch [new file with mode: 0755]

index e305b44..7482a24 100644 (file)
@@ -36,16 +36,16 @@ EXTRA_DIST = autogen.sh README.GIT ONEWS \
         patches/gnupg2/0006-gpgsm-Add-command-option-offline.patch \
         patches/gnupg2/01-version.patch \
         patches/gnupg2/01-version.patch.in \
-        patches/gnutls-2.12.23/01-openssl-wincrypt.patch \
-        patches/gnutls-2.12.23/02-cve-2013-2116.patch \
-        patches/gnutls-2.12.23/03-cve-2014-1959.patch \
-        patches/gnutls-2.12.23/04-cve-2014-0092.patch \
-        patches/gnutls-2.12.23/05-cve-2014-3466.patch \
-        patches/gnutls-2.12.23/06-cve-2015-0282.patch \
-        patches/gnutls-2.12.23/07-cve-2015-0294.patch \
-        patches/gnutls-2.12.23/fix-gcrypt-private-api-usage.patch \
-        patches/gnutls-2.12.23/gnulib-mingw-w64-fix.patch \
-        patches/gnutls-2.12.23/25_updatedgdocfrommaster.patch \
+        patches/gnutls-2.12.24/01-openssl-wincrypt.patch \
+        patches/gnutls-2.12.24/02-cve-2013-2116.patch \
+        patches/gnutls-2.12.24/03-cve-2014-1959.patch \
+        patches/gnutls-2.12.24/04-cve-2014-0092.patch \
+        patches/gnutls-2.12.24/05-cve-2014-3466.patch \
+        patches/gnutls-2.12.24/06-cve-2015-0282.patch \
+        patches/gnutls-2.12.24/07-cve-2015-0294.patch \
+        patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch \
+        patches/gnutls-2.12.24/gnulib-mingw-w64-fix.patch \
+        patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch \
         patches/libtasn1-2.14/gnulib-mingw-w64-fix.patch \
         patches/w32pth-2.0.5/workaround-broken-libtool.patch \
         patches/scute-1.4.0/workaround-broken-libtool.patch \
@@ -55,7 +55,8 @@ EXTRA_DIST = autogen.sh README.GIT ONEWS \
         patches/gpgol-1.4.0/0001-Fix-UI-Server-startup.patch \
         patches/gpgol-1.4.0/0002-Ignore-sent-S-MIME-Mails-if-S-MIME-is-disabled.patch \
         patches/gpgol-1.4.0/0003-Fix-loop-logic-error-in-new-server-name-detection.patch \
-        patches/libgpg-error-1.23/0001-Define-EWOULDBLOCK-in-case-it-is-not-defined.patch
+        patches/libgpg-error-1.23/0001-Define-EWOULDBLOCK-in-case-it-is-not-defined.patch \
+        patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch
 
 copy-news:
        cp NEWS doc/website/NEWS.last
diff --git a/NEWS b/NEWS
index c28d33b..2859e44 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,11 +5,31 @@
 
 Noteworthy changes in version 2.3.4 (unreleased)
 ------------------------------------------------
+(en) The cryptography library libgcrypt has been updated to version
+     1.7.8 to include a fix for a side channel attack.
+     [CVE-2017-7526] Details:
+     https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
+
+(de) Die Kryptographie Bibliothek libgcrypt wurde auf Version 1.7.8
+     aktualisiert um einen möglichen Seitenkanalangriff zu beheben.
+     [CVE-2017-7526] Details (englisch):
+     https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
+
+(en) Support libraries have been updated.
+
+(de) Verwendete Software Bibliotheken wurden aktualisiert.
+
+(en) GPA was updated to 0.9.10. This includes a fix for file handling
+     with filenames containing special characters.
+
+(de) GPA wurde auf die Version 0.9.10 aktualisiert. Dies beinhaltet
+     eine Fehlerkorrektur für den Umgang mit Dateinamen die besondere
+     Zeichen enthalten.
 
 ~~~~~~~~~~~~~~~
 GnuPG:          2.0.30
 Kleopatra:      2.2.0-gitfb4ae3d
-GPA:            0.9.9
+GPA:            0.9.10
 GpgOL:          1.4.0
 GpgEX:          1.0.4
 Kompendium DE:  3.0.0
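Review bot: the German entries in the added NEWS block need small wording fixes: "Kryptographie Bibliothek" should be the compound "Kryptographiebibliothek", "Verwendete Software Bibliotheken" should read "Verwendete Softwarebibliotheken", and "Dateinamen die besondere Zeichen enthalten" needs a comma before "die". The English text is fine; since the NEWS file is shipped to end users, consistent spelling in both languages matters here more than in the internal package list.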
index 3757724..9a54b97 100644 (file)
 #
 server http://zlib.net
 
-# checked: 2014-06-20 ah
-file zlib-1.2.8.tar.gz
-chk  36658cb768a54c1d4dec43c3116c27ed893e88b02ecfcb44f2166f9c0b7f2a0d
-
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 5ED4 6A67 21D3 6558 7791  E2AA 783F CD8E 58BC AFBA
+file zlib-1.2.11.tar.gz
+chk  c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1
 
 #
 # GNU TLS and support libraries
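Review bot: the new "# verified: Sig <fingerprint>" line records only the signing key, not which signature file was checked. Since this commit changes the archive name (zlib-1.2.8.tar.gz becomes zlib-1.2.11.tar.gz), it would help a later auditor to also name the .sig (or .asc) that was verified, so that the fingerprint, the tarball and the detached signature can be tied together. The same applies to the libiconv, gettext, gnutls and curl entries updated in this commit.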
@@ -28,13 +29,17 @@ chk  36658cb768a54c1d4dec43c3116c27ed893e88b02ecfcb44f2166f9c0b7f2a0d
 
 server ftp://ftp.gnu.org/pub/gnu
 
-#checked: 2016-04-05 jochen
-file libiconv/libiconv-1.14.tar.gz
-chk  72b24ded17d687193c3366d0ebe7cde1e6b18f0df8c55438ac95be39e8a30613
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 68D9 4D8A AEEA D48A E7DC  5B90 4F49 4A94 2E46 16C2
+file libiconv/libiconv-1.15.tar.gz
+chk  ccf536620a45458d26ba83887a983b96827001e92a13847b45e4925cc8913178
 
-#checked: 2016-04-05 jochen
-file gettext/gettext-0.19.5.tar.xz
-chk  3410a61c5c05d0392533c92133e135de828973fee27477a6d6dd3d3e36f2a2dd
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 4622 25C3 B46F 3487 9FC8  496C D605 848E D7E6 9871
+file gettext/gettext-0.19.8.tar.xz
+chk  9c1781328238caa1685d7bc7a2e1dcf1c6c134e86b42ed554066734b621bd12f
 
 # checked: 2014-06-20 ah
 file gsasl/libgsasl-1.8.0.tar.gz
@@ -46,10 +51,11 @@ chk  bc2936cd20267859278145e563427c274d27aaae30ecdf50a04cdd4ec0153d54
 
 
 server ftp://ftp.gnutls.org/gcrypt
-# checked: 2016-07-04 ah
-# verified with key 1F42 4189 05D8 206A A754  CCDC 29EE 58B9 9686 5171
-file gnutls/v2.12/gnutls-2.12.23.tar.bz2
-chk dfa67a7e40727eb0913e75f3c44911d5d8cd58d1ead5acfe73dd933fc0d17ed2
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 1F42 4189 05D8 206A A754  CCDC 29EE 58B9 9686 5171
+file gnutls/v2.12/gnutls-2.12.24.tar.xz
+chk 792e127c97e5b72bacbbdad16ba7532dc7d81a6197087a574549f473c1627ce7
 
 
 #
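Review bot: the gnutls archive changes from gnutls-2.12.23.tar.bz2 to gnutls-2.12.24.tar.xz while the ten patches under patches/gnutls-2.12.24/ were moved over with 100% similarity and not re-based. The commit message already says some of them will not apply and that a second commit will fix this; before the 2.3.4 release please also confirm which of the 02-cve-2013-2116 to 07-cve-2015-0294 patches 2.12.24 actually still needs, rather than re-applying the whole series. Minor: the "chk" line here uses a single space after the key while most other entries use two.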
@@ -58,10 +64,11 @@ chk dfa67a7e40727eb0913e75f3c44911d5d8cd58d1ead5acfe73dd933fc0d17ed2
 
 server http://curl.haxx.se/download
 
-# checked: 2015-08-17 ah - updated
-# verified with key 27ED EAF2 2F3A BCEB 50DB  9A12 5CC9 08FD B71E 12C2
-file  curl-7.50.1.tar.gz
-chk   3e392cf600822b817be82d9080b377fcbab70538d5a8bf525a1cd66e157b99ea
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 27ED EAF2 2F3A BCEB 50DB  9A12 5CC9 08FD B71E 12C2
+file  curl-7.54.1.tar.bz2
+chk fdfc4df2d001ee0c44ec071186e770046249263c491fcae48df0e1a3ca8f25a0
 
 #
 # GLIB
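Review bot: the key/value spacing in the new curl entry is inconsistent: "file  curl-7.54.1.tar.bz2" keeps two spaces but "chk fdfc4df2..." drops to one, whereas the removed lines used "file  " and "chk   ". Whatever the parser accepts, align the two columns with the rest of the file. Note also that the archive format changes from .tar.gz to .tar.bz2; the build already handles .tar.bz2 for other packages (libgcrypt, gpa), so this should be fine, but it is worth a mention in the commit message.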
@@ -234,12 +241,12 @@ chk  677d6055494e24cad6c49eab33eee618ddc6ed65da827c8b5b7da761b4063278
 
 # PNG
 
-# last changed: 2015-11-13
+# last changed: 2016-07-06
 # by: ah
 # verified: Sig 8048 643B A2C8 40F4 F92A  195F F549 84BF A16C 640F
 server ftp://ftp.simplesystems.org/pub/png/src/
-file libpng14/libpng-1.4.19.tar.xz
-chk  52b830ea8900fad3ed46fc91021355211f418c8a41c39699600dbf1db2bbf7ff
+file libpng14/libpng-1.4.20.tar.xz
+chk  f425d0b218fe025616a751c5c0051481fbbeac32d06c79a265e9bd5aef470275
 
 #
 # LibFFI
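Review bot: the libpng entry's date reads "# last changed: 2016-07-06" while every other entry touched by this commit, and the commit itself, is dated 2017-07-06. This looks like a typo for 2017-07-06 and should be corrected so the audit trail in packages.current stays trustworthy.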
@@ -308,10 +315,10 @@ server ftp://ftp.gnupg.org/gcrypt
 file libgpg-error/libgpg-error-1.23.tar.bz2
 chk  7f0c7f65b98c4048f649bfeebfa4d4c1559707492962504592b985634c939eaa
 
-# last changed: 2016-08-17
+# last changed: 2017-07-06
 # by: ah
-file libgcrypt/libgcrypt-1.6.6.tar.bz2
-chk  f9461b4619bb78b273a88d468915750d418e89a3ea3b641bab0563a9af4b04d0
+file libgcrypt/libgcrypt-1.7.8.tar.bz2
+chk  948276ea47e6ba0244f36a17b51dcdd52cfd1e664b0a1ac3bc82134fb6cec199
 
 # last-changed: 2016-07-04
 # by: ah
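Review bot: the libgcrypt block has "# last changed:" and "# by: ah" but no "# verified: Sig ..." line, unlike the zlib, libiconv, gettext, gnutls and curl entries updated in this same commit. Since the libgcrypt 1.7.8 bump is the CVE-2017-7526 fix this commit exists for, record that the tarball signature was checked (and against which key). Style: this block writes "last changed:" with a space while the new entries above use "last-changed:"; pick one spelling for the whole file.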
@@ -348,10 +355,10 @@ chk  bd698a853375324c4ff590899c1994be83d8d0a1400fcaf489529646965fb745
 file gpgme/gpgme-1.6.0.tar.bz2
 chk  b09de4197ac280b102080e09eaec6211d081efff1963bf7821cf8f4f9916099d
 
-# last changed: 2015-09-09
+# last changed: 2017-07-06
 # by: ah
-file gpa/gpa-0.9.9.tar.bz2
-chk  6828d738b9e1d3cce96d2ec9831c09873c4cb2c87ba67a161ef54485192c4334
+file gpa/gpa-0.9.10.tar.bz2
+chk  c3b9cc36fd9916e83524930f99df13b1d5f601f4c0168cb9f5d81422e282b727
 
 # (Snapshots)
 # server ftp://ftp.g10code.com/g10code/scratch
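Review bot: as with the libgcrypt block, the gpa-0.9.10 entry updates "last changed" and "by" but carries no "# verified: Sig ..." line, so the signature check for gpa-0.9.10.tar.bz2 is not recorded in the file.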
diff --git a/patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch b/patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch
new file mode 100755 (executable)
index 0000000..9984bf4
--- /dev/null
@@ -0,0 +1,61 @@
+#! /bin/sh
+patch -p1 -l -f $* < $0
+exit $?
+
+From ee3ec98dba5a8c98e9ca9737da633d0767d54214 Mon Sep 17 00:00:00 2001
+From: Andre Heinecke <aheinecke@intevation.de>
+Date: Sun, 14 May 2017 14:39:57 +0200
+Subject: [PATCH] Fix crash on filename conversion error
+
+* src/fileman.c (add_file): Handle conversion errors.
+
+--
+If g_filename_to_utf8 fails we now fall back to g_locale_to_utf8.
+If this still does not work we fall back to g_filename_display_name
+which replaces unconvertibale strings by question marks or unicode
+markup.
+Previously NULL pointer would be inserted as filenames, leading
+to crashes later on.
+
+This is especially important for windows where D&D files came
+in System encoding as well as "Double clicked" or "Open With" files.
+On windows filename_to_utf8 always assumes that the input is already
+UTF-8, because it's stupid. (or because the GTK File Dialog returns
+UTF-8 filenames) so the fallback to locale is especially important
+here.
+
+GnuPG-Bug-ID: T2185
+---
+ src/fileman.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/fileman.c b/src/fileman.c
+index 10824d4..cb0b67f 100644
+--- a/src/fileman.c
++++ b/src/fileman.c
+@@ -217,7 +217,22 @@ add_file (GpaFileManager *fileman, const gchar *filename)
+   gchar *filename_utf8;
+
+   /* The tree contains filenames in the UTF-8 encoding.  */
+-  filename_utf8 = g_filename_to_utf8 (filename, -1, NULL, NULL, NULL),
++  filename_utf8 = g_filename_to_utf8 (filename, -1, NULL, NULL, NULL);
++
++  /* Try to convert from the current locale as fallback. This is important
++     for windows where g_filename_to_utf8 does not take locale into account
++     because the filedialogs already convert to utf8. */
++  if (!filename_utf8)
++    {
++      filename_utf8 = g_locale_to_utf8 (filename, -1, NULL, NULL, NULL);
++    }
++
++  /* Last fallback is guranteed to never be NULL so in doubt we can still fail
++     later showing a filename that can't be found to the user etc.*/
++  if (!filename_utf8)
++    {
++      filename_utf8 = g_filename_display_name (filename);
++    }
+
+   store = GTK_LIST_STORE (gtk_tree_view_get_model
+                           (GTK_TREE_VIEW (fileman->list_files)));
+--
+2.11.0
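Review bot: in the self-applying wrapper at the top of the new file, "patch -p1 -l -f $* < $0" passes the caller's arguments unquoted; use "$@" so arguments containing spaces survive word splitting. The embedded commit message and code comments carry typos ("unconvertibale" for "unconvertible", "guranteed" for "guaranteed") that should be fixed before the patch is upstreamed. One thing the ChangeLog entry leaves out and the hunk shows: the removed line ended in a comma ("g_filename_to_utf8 (...),") rather than a semicolon, so the assignment was silently part of a comma expression with the following statement; the fix to ";" is a real correction worth a sentence in the message. The fallback chain itself reads correctly: g_filename_to_utf8, then g_locale_to_utf8, then g_filename_display_name, which the GLib docs state never returns NULL, so a NULL filename can no longer reach the tree store.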