[update] security/gnupg 2.2.35
Published a few days ago, lightly tested on amd64. If people want to give it a try before I commit it, please report back. oks welcome. Index: Makefile === RCS file: /home/cvs/ports/security/gnupg/Makefile,v retrieving revision 1.125 diff -u -p -r1.125 Makefile --- Makefile21 Apr 2022 18:08:06 - 1.125 +++ Makefile27 Apr 2022 13:34:15 - @@ -1,7 +1,6 @@ COMMENT = GNU privacy guard - a free PGP replacement -DISTNAME = gnupg-2.2.34 -REVISION = 0 +DISTNAME = gnupg-2.2.35 CATEGORIES = security Index: distinfo === RCS file: /home/cvs/ports/security/gnupg/distinfo,v retrieving revision 1.36 diff -u -p -r1.36 distinfo --- distinfo29 Mar 2022 15:28:19 - 1.36 +++ distinfo27 Apr 2022 13:34:20 - @@ -1,2 +1,2 @@ -SHA256 (gnupg-2.2.34.tar.bz2) = ViozUNz2bLZ8WCXGf/LCkE2x4w7I4dNTrcFO+6mr9D8= -SIZE (gnupg-2.2.34.tar.bz2) = 7252882 +SHA256 (gnupg-2.2.35.tar.bz2) = NAvCVZOJcebnKbPZlW+i7024IV13aTvzAN8rswJJhpA= +SIZE (gnupg-2.2.35.tar.bz2) = 7262687 -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
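Review bot: the distinfo hunk replaces the SHA256 and SIZE for gnupg-2.2.35.tar.bz2, and those values are what every later fetch of the distfile is checked against, yet the mail only says the update was lightly tested on amd64. Please confirm before commit that the tarball they were computed from was verified against the upstream release signature. Dropping REVISION together with the DISTNAME bump in the Makefile hunk looks right.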
Re: [update] security/gnupg
Ingo Schwarze schwa...@usta.de writes:

Hi Jeremie,

Jérémie Courrèges-Anglas wrote on Fri, Nov 08, 2013 at 06:16:35PM +0100:

I'm using gnupg-1.4.15 on i386 since some time already. No MD code seems to have changed, no problem shown in daily use or ''make test'' output.

A tarball diff is available here for convenience:
http://autogeree.net/~jca/tmp/gnupg-1.4.13to15-tarballs.diff.gz (525 KB)
The real changes start at gpg.c.

The following diff:
- updates to 1.4.15...
- which includes the changes we have in patches/patch-mpi_mpi-pow_c
- removes the use of autoconf in CONFIGURE_STYLE (we don't patch autoconf source files anymore).

No comment on the update itself, I didn't look at it.

Anyone?

I also thought about removing USE_GROFF since the displaying glitches are fairly minor. What do you think?
http://autogeree.net/~jca/tmp/gpg-manpage.diff
http://autogeree.net/~jca/tmp/gpgv-manpage.diff

Both were minor bugs in mandoc(1), both are fixed now in OpenBSD-current and in mdocml.bsd.lv. So you can remove USE_GROFF.

Thanks for the report,
Ingo

Thanks again Ingo. :)

--
jca | PGP : 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: [update] security/gnupg
Hi Jeremie,

Jérémie Courrèges-Anglas wrote on Fri, Nov 08, 2013 at 06:16:35PM +0100:

I'm using gnupg-1.4.15 on i386 since some time already. No MD code seems to have changed, no problem shown in daily use or ''make test'' output.

A tarball diff is available here for convenience:
http://autogeree.net/~jca/tmp/gnupg-1.4.13to15-tarballs.diff.gz (525 KB)
The real changes start at gpg.c.

The following diff:
- updates to 1.4.15...
- which includes the changes we have in patches/patch-mpi_mpi-pow_c
- removes the use of autoconf in CONFIGURE_STYLE (we don't patch autoconf source files anymore).

No comment on the update itself, I didn't look at it.

I also thought about removing USE_GROFF since the displaying glitches are fairly minor. What do you think?
http://autogeree.net/~jca/tmp/gpg-manpage.diff
http://autogeree.net/~jca/tmp/gpgv-manpage.diff

Both were minor bugs in mandoc(1), both are fixed now in OpenBSD-current and in mdocml.bsd.lv. So you can remove USE_GROFF.

Thanks for the report,
Ingo
[update] security/gnupg
Hi, I'm using gnupg-1.4.15 on i386 since some time already. No MD code seems to have changed, no problem shown in daily use or ''make test'' output. A tarball diff is available here for convenience: http://autogeree.net/~jca/tmp/gnupg-1.4.13to15-tarballs.diff.gz (525 KB) The real changes start at gpg.c. The following diff: - updates to 1.4.15... - which includes the changes we have in patches/patch-mpi_mpi-pow_c - removes the use of autoconf in CONFIGURE_STYLE (we don't patch autoconf source files anymore). I also thought about removing USE_GROFF since the displaying glitches are fairly minor. What do you think? http://autogeree.net/~jca/tmp/gpg-manpage.diff http://autogeree.net/~jca/tmp/gpgv-manpage.diff ok? Index: Makefile === RCS file: /cvs/ports/security/gnupg/Makefile,v retrieving revision 1.90 diff -u -p -r1.90 Makefile --- Makefile6 Aug 2013 19:28:57 - 1.90 +++ Makefile8 Nov 2013 13:20:03 - @@ -2,8 +2,7 @@ COMMENT= GNU privacy guard - a free PGP replacement -DISTNAME= gnupg-1.4.13 -REVISION= 1 +DISTNAME= gnupg-1.4.15 CATEGORIES=security # restrict, not compatible with gnupg-2. @@ -24,8 +23,7 @@ WANTLIB= c z readline termcap ssl crypto # XXX give it a chance on vax LIB_DEPENDS += devel/libidn -CONFIGURE_STYLE= autoconf -AUTOCONF_VERSION= 2.69 +CONFIGURE_STYLE= gnu MODGNU_CONFIG_GUESS_DIRS=${WRKSRC}/scripts CONFIGURE_ARGS+= --disable-gnupg-iconv USE_GROFF =Yes Index: distinfo === RCS file: /cvs/ports/security/gnupg/distinfo,v retrieving revision 1.24 diff -u -p -r1.24 distinfo --- distinfo31 Dec 2012 16:34:35 - 1.24 +++ distinfo10 Oct 2013 06:27:21 - 
@@ -1,2 +1,2 @@ -SHA256 (gnupg-1.4.13.tar.gz) = Wj+Z1DaI2BiZX8uwLzHBqZXUc3m4uB+hJwjGs+R4I9I= -SIZE (gnupg-1.4.13.tar.gz) = 5085400 +SHA256 (gnupg-1.4.15.tar.gz) = C5Hik+hWbluEHygDKbHm/Xc/fTgmhExpvsZ2Ek4KC7M= +SIZE (gnupg-1.4.15.tar.gz) = 5066798 Index: patches/patch-mpi_mpi-pow_c === RCS file: patches/patch-mpi_mpi-pow_c diff -N patches/patch-mpi_mpi-pow_c --- patches/patch-mpi_mpi-pow_c 6 Aug 2013 19:28:57 - 1.2 +++ /dev/null 1 Jan 1970 00:00:00 - 
@@ -1,46 +0,0 @@ -$OpenBSD: patch-mpi_mpi-pow_c,v 1.2 2013/08/06 19:28:57 jasper Exp $ - -Security fix for CVE-2013-4242 GnuPG side-channel attack on RSA secret keys -http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html - -From 35646689f4b80955ff7dbe1687bf2c479c53421e Mon Sep 17 00:00:00 2001 -From: Werner Koch w...@gnupg.org -Date: Fri, 19 Jul 2013 13:49:23 +0200 -Subject: [PATCH] Mitigate a flush+reload cache attack on RSA secret exponents. - mpi/mpi-pow.c.orig Thu Dec 20 18:22:27 2012 -+++ mpi/mpi-pow.c Tue Jul 30 11:08:21 2013 -@@ -1,5 +1,6 @@ - /* mpi-pow.c - MPI functions -- *Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc. -+ * Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc. -+ * Copyright (C) 2013 Werner Koch - * - * This file is part of GnuPG. - * -@@ -209,7 +210,14 @@ mpi_powm( MPI res, MPI base, MPI exponent, MPI mod) - tp = rp; rp = xp; xp = tp; - rsize = xsize; - -- if( (mpi_limb_signed_t)e 0 ) { -+/* To mitigate the Yarom/Falkner flush+reload cache -+ * side-channel attack on the RSA secret exponent, we -+ * do the multiplication regardless of the value of -+ * the high-bit of E. But to avoid this performance -+ * penalty we do it only if the exponent has been -+ * stored in secure memory and we can thus assume it -+ * is a secret exponent. */ -+if (esec || (mpi_limb_signed_t)e 0) { - /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/ - if( bsize KARATSUBA_THRESHOLD ) { - mpihelp_mul( xp, rp, rsize, bp, bsize ); -@@ -224,7 +232,8 @@ mpi_powm( MPI res, MPI base, MPI exponent, MPI mod) - mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize); - xsize = msize; - } -- -+} -+ if ((mpi_limb_signed_t)e 0) { - tp = rp; rp = xp; xp = tp; - rsize = xsize; - }
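Review bot: in the Makefile hunk at @@ -24,8 +23,7 @@, USE_GROFF =Yes is still present as a context line although the mail proposes dropping it, and Ingo's reply says both mandoc(1) rendering bugs are fixed, so it could go in the same commit. With CONFIGURE_STYLE switched from autoconf to gnu, also check that none of the files remaining under patches/ touches an autoconf input, since those would no longer be regenerated.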
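Review bot: deleting patches/patch-mpi_mpi-pow_c removes the port's local fix for CVE-2013-4242, so this commit is only safe if 1.4.15 carries the same change upstream. The mail says it does; before commit, confirm in the extracted 1.4.15 mpi/mpi-pow.c that mpi_powm() has the esec condition on the multiplication and the separate check guarding the tp/rp/xp swap, as in the removed patch. Naming the CVE in the commit message would keep on record why the local patch was dropped.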
[update] security/gnupg
update to 1.4.13, which includes idea support now that the patent has expired. Index: Makefile === RCS file: /cvs/ports/security/gnupg/Makefile,v retrieving revision 1.82 diff -N -u -p Makefile --- Makefile11 Dec 2012 21:12:36 - 1.82 +++ Makefile31 Dec 2013 04:29:02 - @@ -2,9 +2,8 @@ COMMENT= GNU privacy guard - a free PGP replacement -DISTNAME= gnupg-1.4.11 +DISTNAME= gnupg-1.4.13 CATEGORIES=security -REVISION= 2 # restrict, not compatible with gnupg-2. PKGSPEC = gnupg-2 @@ -18,10 +17,8 @@ MASTER_SITES=ftp://ftp.gnupg.org/gcrypt/gnupg/ \ ftp://pgp.iijlab.net/pub/pgp/gnupg/ \ ftp://ring.aist.go.jp/pub/net/gnupg/gnupg/ -MASTER_SITES0= ftp://ftp.gnupg.dk/contrib-dk/ +DISTFILES= ${DISTNAME}${EXTRACT_SUFX} -DISTFILES= ${DISTNAME}${EXTRACT_SUFX} idea.c.gz:0 - HOMEPAGE= http://www.gnupg.org/ # GPLv3 @@ -75,9 +72,6 @@ pre-configure: # mpi/hppa1.1/udiv-qrnnd.S is not PIE-safe mv ${WRKSRC}/mpi/hppa/udiv-qrnnd.S ${WRKSRC}/mpi/hppa1.1/ .endif - -post-extract: - ln -s ${WRKDIR}/idea.c ${WRKSRC}/cipher/idea.c post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/gnupg Index: distinfo === RCS file: /cvs/ports/security/gnupg/distinfo,v retrieving revision 1.23 diff -N -u -p distinfo --- distinfo12 Jul 2012 16:32:48 - 1.23 +++ distinfo31 Dec 2013 04:29:02 - @@ -1,4 +1,2 @@ -SHA256 (gnupg-1.4.11.tar.gz) = VdRXtVApxg7sVxwuc588DmOdQRhjtYoSF4zcY4NANtc= -SHA256 (idea.c.gz) = MJko2jSUHf8db2aHVC/z1YMG2Fvp4amQa8T5+OYBGEQ= -SIZE (gnupg-1.4.11.tar.gz) = 4713877 -SIZE (idea.c.gz) = 5216 +SHA256 (gnupg-1.4.13.tar.gz) = Wj+Z1DaI2BiZX8uwLzHBqZXUc3m4uB+hJwjGs+R4I9I= +SIZE (gnupg-1.4.13.tar.gz) = 5085400 Index: patches/patch-cipher_Makefile_in === RCS file: /cvs/ports/security/gnupg/patches/patch-cipher_Makefile_in,v retrieving revision 1.8 diff -N -u -p patches/patch-cipher_Makefile_in --- patches/patch-cipher_Makefile_in11 Dec 2012 20:47:45 - 1.8 +++ patches/patch-cipher_Makefile_in31 Dec 2013 04:29:02 - 
@@ -1,7 +1,7 @@ $OpenBSD: patch-cipher_Makefile_in,v 1.8 2012/12/11 20:47:45 landry Exp $ cipher/Makefile.in.origMon Oct 18 03:53:58 2010 -+++ cipher/Makefile.in Tue Dec 11 12:19:49 2012 -@@ -295,7 +295,7 @@ target_alias = @target_alias@ +--- cipher/Makefile.in.origThu Dec 20 14:30:34 2012 cipher/Makefile.in Sun Dec 30 22:49:08 2012 +@@ -330,7 +330,7 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ Index: patches/patch-doc_Makefile_in === RCS file: /cvs/ports/security/gnupg/patches/patch-doc_Makefile_in,v retrieving revision 1.7 diff -N -u -p patches/patch-doc_Makefile_in --- patches/patch-doc_Makefile_in 25 Oct 2010 12:57:13 - 1.7 +++ patches/patch-doc_Makefile_in 31 Dec 2013 04:29:02 - @@ -1,7 +1,7 @@ $OpenBSD: patch-doc_Makefile_in,v 1.7 2010/10/25 12:57:13 pea Exp $ doc/Makefile.in.orig Mon Oct 18 11:53:58 2010 -+++ doc/Makefile.inWed Oct 20 09:19:27 2010 -@@ -299,7 +299,7 @@ gnupg1_TEXINFOS = gnupg1.texi +--- doc/Makefile.in.orig Thu Dec 20 14:30:34 2012 doc/Makefile.inSun Dec 30 22:49:08 2012 +@@ -352,7 +352,7 @@ gnupg1_TEXINFOS = gnupg1.texi # Need this to avoid building of dvis with automake 1.4 DVIS = @@ -9,4 +9,4 @@ $OpenBSD: patch-doc_Makefile_in,v 1.7 2010/10/25 12:57 +#pkgdata_DATA = FAQ # we can't add gpg.texi gpgv.texi here because automake does not like them to - # be built files. + # be built files. Index: patches/patch-g10_Makefile_in === RCS file: /cvs/ports/security/gnupg/patches/patch-g10_Makefile_in,v retrieving revision 1.8 diff -N -u -p patches/patch-g10_Makefile_in --- patches/patch-g10_Makefile_in 11 Dec 2012 20:47:45 - 1.8 +++ patches/patch-g10_Makefile_in 31 Dec 2013 04:29:02 - 
@@ -1,7 +1,7 @@ $OpenBSD: patch-g10_Makefile_in,v 1.8 2012/12/11 20:47:45 landry Exp $ g10/Makefile.in.orig Mon Oct 18 03:53:58 2010 -+++ g10/Makefile.inTue Dec 11 12:19:48 2012 -@@ -342,7 +342,7 @@ target_alias = @target_alias@ +--- g10/Makefile.in.orig Thu Dec 20 14:30:34 2012 g10/Makefile.inSun Dec 30 22:49:08 2012 +@@ -395,7 +395,7 @@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ Index: patches/patch-keyserver_Makefile_in === RCS file: /cvs/ports/security/gnupg/patches/patch-keyserver_Makefile_in,v retrieving revision 1.7 diff -N -u -p
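Review bot: the patch-doc_Makefile_in hunk at @@ -9,4 +9,4 @@ changes only the whitespace on the "# be built files." line, so please confirm that is a product of regenerating the patch against 1.4.13 and not an accidental edit. The Makefile and distinfo hunks are consistent with each other: MASTER_SITES0, the idea.c.gz distfile, the post-extract symlink to cipher/idea.c and the idea.c.gz SHA256/SIZE lines are all dropped together. The posted diff stops at the patches/patch-keyserver_Makefile_in header, so that hunk could not be reviewed.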