File gpg2-CVE-2013-4351.patch of Package gpg2

Overview Repositories Revisions Requests Users Attributes Meta

File gpg2-CVE-2013-4351.patch of Package gpg2

commit 8f8f3984e82a025cf1384132a419f67f39c7e07d 
Author: Werner Koch <wk <at> gnupg.org>
Date:   Fri Mar 15 15:46:03 2013 +0100

gpg: Distinguish between missing and cleared key flags.

* include/cipher.h (PUBKEY_USAGE_NONE): New.
    * g10/getkey.c (parse_key_usage): Set new flag.
    --

We do not want to use the default capabilities (derived from the
    algorithm) if any key flags are given in a signature.  Thus if key
    flags are used in any way, the default key capabilities are never
    used.

This allows to create a key with key flags set to all zero so it can't
    be used.  This better reflects common sense.

Modified g10/getkey.c
Index: gnupg-2.0.9/g10/getkey.c
===================================================================
--- gnupg-2.0.9.orig/g10/getkey.c	2013-09-16 16:51:02.752624501 +0200
+++ gnupg-2.0.9/g10/getkey.c	2013-09-16 16:54:20.955952692 +0200
@@ -1457,13 +1457,19 @@ parse_key_usage(PKT_signature *sig)
 
       if(flags)
 	key_usage |= PUBKEY_USAGE_UNKNOWN;
+
+      if (!key_usage)
+	key_usage |= PUBKEY_USAGE_NONE;
     }
+  else if (p) /* Key flags of length zero.  */
+    key_usage |= PUBKEY_USAGE_NONE;
 
   /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
      capability that we do not handle.  This serves to distinguish
      between a zero key usage which we handle as the default
      capabilities for that algorithm, and a usage that we do not
-     handle. */
+     handle.  Likewise we use PUBKEY_USAGE_NONE to indicate that
+     key_flags have been given but they do not specify any usage.  */
 
   return key_usage;
 }
Index: gnupg-2.0.9/include/cipher.h
===================================================================
--- gnupg-2.0.9.orig/include/cipher.h	2013-09-16 16:51:02.752624501 +0200
+++ gnupg-2.0.9/include/cipher.h	2013-09-16 16:56:27.028429026 +0200
@@ -62,6 +62,11 @@
 #define PUBKEY_USAGE_CERT    GCRY_PK_USAGE_CERT  /* Also good to certify keys. */
 #define PUBKEY_USAGE_AUTH    GCRY_PK_USAGE_AUTH  /* Good for authentication. */
 #define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN  /* Unknown usage flag. */
+#define PUBKEY_USAGE_NONE    256                 /* No usage given. */
+#if  (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \
+      | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256
+# error Please choose another value for PUBKEY_USAGE_NONE
+#endif
 
 #define DIGEST_ALGO_MD5       /*  1 */ GCRY_MD_MD5
 #define DIGEST_ALGO_SHA1      /*  2 */ GCRY_MD_SHA1

Places

File gpg2-CVE-2013-4351.patch of Package gpg2

Places