diffstat of debian/ for gnupg_1.4.12-7 gnupg_1.4.12-7ubuntu1.1 changelog | 447 +++++++++++++++++++++++++++++++++++++++ control | 25 -- gpgv-win32.dirs | 1 gpgv-win32.install | 1 patches/CVE-2013-4242.diff | 95 ++++++++ patches/autoconfupdate.patch | 148 ++++++++++++ patches/disable_mlock_test.patch | 22 + patches/series | 4 patches/use_agent_default.patch | 25 ++ rules | 2 10 files changed, 746 insertions(+), 24 deletions(-) diff -Nru gnupg-1.4.12/debian/changelog gnupg-1.4.12/debian/changelog --- gnupg-1.4.12/debian/changelog 2013-01-02 18:49:41.000000000 +0000 +++ gnupg-1.4.12/debian/changelog 2013-07-30 22:19:20.000000000 +0000 @@ -1,3 +1,27 @@ +gnupg (1.4.12-7ubuntu1.1) raring-security; urgency=low + + * SECURITY UPDATE: The path of execution in an exponentiation function may + depend upon secret key data, allowing a local attacker to determine the + contents of the secret key through a side-channel attack. + - debian/patches/CVE-2013-4242.diff: always perform the mpi_mul for + exponents in secure memory. Based on upstream patch. + - CVE-2013-4242 + + -- Seth Arnold Tue, 30 Jul 2013 14:54:59 -0700 + +gnupg (1.4.12-7ubuntu1) raring; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Disable mlock() test since it fails with ulimit 0 (on buildds). + - Set gpg (or gpg2) and gpgsm to use a passphrase agent by default. + - Only suggest gnupg-curl and libldap; recommendations are pulled into + minimal, and we don't need the keyserver utilities in a minimal Ubuntu + system. + - Remove the Win32 build. + - Update config.guess/config.sub for aarch64. + + -- Colin Watson Tue, 08 Jan 2013 10:47:07 +0000 + gnupg (1.4.12-7) unstable; urgency=high * Apply upstream patch to fix memory and key database corruption 
@@ -5,6 +29,23 @@ -- Thijs Kinkhorst Wed, 02 Jan 2013 19:48:36 +0100 +gnupg (1.4.12-6ubuntu1) raring; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Disable mlock() test since it fails with ulimit 0 (on buildds). + - Set gpg (or gpg2) and gpgsm to use a passphrase agent by default. + - Only suggest gnupg-curl and libldap; recommendations are pulled into + minimal, and we don't need the keyserver utilities in a minimal Ubuntu + system. + - Remove the Win32 build. + - Update config.guess/config.sub for aarch64. + * Dropped patches: + - Fix udeb build failure on powerpc, building with -O2 instead of -Os. + (No longer seems to be necessary.) + * Simplify removal of Win32 build, to make this easier to merge in future. + + -- Colin Watson Tue, 04 Dec 2012 22:26:16 +0000 + gnupg (1.4.12-6) unstable; urgency=low * debian/patches/685627_french_translation_update.patch: Adjusted. 
@@ -66,6 +107,40 @@ -- Thijs Kinkhorst Mon, 20 Feb 2012 21:53:58 +0100 +gnupg (1.4.11-3ubuntu4) quantal; urgency=low + + * Update config.guess,sub for aarch64 + + -- Wookey Mon, 01 Oct 2012 12:56:41 +0100 + +gnupg (1.4.11-3ubuntu3) quantal-proposed; urgency=low + + * debian/patches/long-keyids.dpatch: Use the longest key ID available + when requesting a key from a key server. + + -- Marc Deslauriers Tue, 24 Jul 2012 10:28:39 -0400 + +gnupg (1.4.11-3ubuntu2) precise; urgency=low + + * Mark gnupg, gnupg-curl, and gpgv Multi-Arch: foreign. + + -- Colin Watson Mon, 21 Nov 2011 13:42:07 +0000 + +gnupg (1.4.11-3ubuntu1) natty; urgency=low + + * Resynchronise with Debian (LP: #720905). Remaining changes: + - Disable mlock() test since it fails with ulimit 0 (on buildds). + - Set gpg (or gpg2) and gpgsm to use a passphrase agent by default. + - Fix udeb build failure on powerpc, building with -O2 instead of -Os. + - Only suggest gnupg-curl and libldap; recommendations are pulled into + minimal, and we don't need the keyserver utilities in a minimal Ubuntu + system. + * debian/{control,rules}: Remove the Win32 build (and mingw32 + build-dependency), since mingw32 is in universe, and will remain so for + the forseeable future. + + -- Rico Tzschichholz Tue, 22 Feb 2011 11:00:25 +0100 + gnupg (1.4.11-3) unstable; urgency=low * Install gpg setuid root again on kFreeBSD. We dropped this 
@@ -108,6 +183,24 @@ -- Thijs Kinkhorst Tue, 26 Oct 2010 20:14:12 +0200 +gnupg (1.4.10-4ubuntu2) natty; urgency=low + + * No-change rebuild to drop upstream changelog. + + -- Martin Pitt Fri, 03 Dec 2010 08:31:25 +0100 + +gnupg (1.4.10-4ubuntu1) natty; urgency=low + + * Resynchronise with Debian. Remaining changes: + - Disable mlock() test since it fails with ulimit 0 (on buildds). + - Set gpg (or gpg2) and gpgsm to use a passphrase agent by default. + - Fix udeb build failure on powerpc, building with -O2 instead of -Os. + - Only suggest gnupg-curl and libldap; recommendations are pulled into + minimal, and we don't need the keyserver utilities in a minimal Ubuntu + system. + + -- Colin Watson Wed, 13 Oct 2010 11:48:06 +0100 + gnupg (1.4.10-4) unstable; urgency=high * debian/patches/mips_gcc4.4: added to fix build failure on @@ -151,6 +244,25 @@ -- Thijs Kinkhorst Mon, 22 Mar 2010 20:12:42 +0100 +gnupg (1.4.10-2ubuntu2) maverick; urgency=low + + * Only suggest gnupg-curl and libldap; recommendations are pulled into + minimal, and we don't need the keyserver utilities in a minimal Ubuntu + system. + + -- Colin Watson Mon, 14 Jun 2010 14:40:00 +0100 + +gnupg (1.4.10-2ubuntu1) lucid; urgency=low + + * Merge from Debian testing (lp: #503064, #477818). Remaining changes: + - Add 'debian/patches/50_disable_mlock_test.dpatch': Disable mlock() test + since it fails with ulimit 0 (on buildds). + - Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg + (or gpg2) and gpgsm to use a passphrase agent by default (lp: 15485) + - Fix udeb build failure on powerpc, building with -O2 instead of -Os. + + -- Michael Bienia Mon, 04 Jan 2010 20:06:01 +0100 + gnupg (1.4.10-2) unstable; urgency=low [ Thijs Kinkhorst ] 
@@ -255,6 +367,64 @@ -- Thijs Kinkhorst Sat, 15 Aug 2009 18:43:03 +0200 +gnupg (1.4.9-4ubuntu7) karmic; urgency=low + + * Fix udeb build failure on powerpc, building with -O2 instead of -Os. + + -- Matthias Klose Sun, 27 Sep 2009 13:49:46 +0200 + +gnupg (1.4.9-4ubuntu6) karmic; urgency=low + + * Build-depend on libreadline-dev instead of libreadline5-dev. + + -- Matthias Klose Sat, 19 Sep 2009 22:52:53 +0200 + +gnupg (1.4.9-4ubuntu5) karmic; urgency=low + + * debian/gnupg.udev: + Add udev rules to set ACLs on SCM smartcard readers. They replace the hal + rules for the same purpose. (LP: #57755) + * debian/rules: + Call dh_installudev. + + -- Michael Bienia Fri, 03 Jul 2009 15:38:40 +0200 + +gnupg (1.4.9-4ubuntu4) karmic; urgency=low + + * Undo the last change. A GnuPG bug with handling multiple keyservers + makes this break + + -- Mackenzie Morgan Sat, 20 Jun 2009 18:04:47 -0400 + +gnupg (1.4.9-4ubuntu3) karmic; urgency=low + + * deian/patches/100_ubuntu_default_keyserver.dpatch: (LP: #380093) + - Add keyserver.ubuntu.com as a default keyserver in g10/options.skel + + -- Mackenzie Morgan Mon, 25 May 2009 13:10:51 -0400 + +gnupg (1.4.9-4ubuntu2) karmic; urgency=low + + * debian/rules: add --enable-noexecstack to configure to avoid needless + executable stacks on i386 (LP: #49323, debian bug 527630). + * debian/rules: fix "nocheck" logic to run tests (debian bug 521884). + + -- Kees Cook Fri, 08 May 2009 09:12:18 -0700 + +gnupg (1.4.9-4ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - Add 'debian/patches/50_disable_mlock_test.dpatch': Disable mlock() test + since it fails with ulimit 0 (on buildds). 
+ - Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg + (or gpg2) and gpgsm to use a passphrase agent by default (lp: 15485) + - Add libcurl4-gnutls-dev to Build-Depends to fix gpg running into a + timeout updating the keyring (lp: 62864) + - Add 'debian/patches/55_curl_typefix.dpatch': Fix a build error with recent + curl and gcc 4.3 + + -- Nicolas Valcárcel Scerpella Tue, 05 May 2009 16:02:14 -0500 + gnupg (1.4.9-4) unstable; urgency=low [ Daniel Leidert (dale) ] @@ -281,6 +451,24 @@ -- Thijs Kinkhorst Mon, 16 Feb 2009 18:35:15 +0100 +gnupg (1.4.9-3ubuntu1) intrepid; urgency=low + + * Merge from debian unstable (lp: #225005), remaining changes: + - Add 'debian/patches/50_disable_mlock_test.dpatch': Disable mlock() test + since it fails with ulimit 0 (on buildds). + - Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg + (or gpg2) and gpgsm to use a passphrase agent by default (lp: 15485) + - Add libcurl4-gnutls-dev to Build-Depends to fix gpg running into a + timeout updating the keyring (lp: 62864) + * Dropped Ubuntu patches, applied upstream: + - 50_show_primary_only.dpatch + - 60_install_options_skel.dpatch + * Add 'debian/patches/55_curl_typefix.dpatch': Fix a build error with recent + curl and gcc 4.3 (lp: #247679). Patch taken from upstream: + http://lists.gnupg.org/pipermail/gnupg-devel/2008-April/024344.html + + -- Michael Bienia Mon, 21 Jul 2008 02:02:14 +0200 + gnupg (1.4.9-3) unstable; urgency=low * Add Package-Type: udeb to μdebs. 
@@ -373,6 +561,56 @@ -- Bastian Blank Sat, 23 Feb 2008 19:59:18 +0100 +gnupg (1.4.6-2ubuntu5) hardy; urgency=low + + * No-change rebuild against libldap-2.4-2. + + -- Steve Langasek Wed, 23 Jan 2008 10:49:38 +0000 + +gnupg (1.4.6-2ubuntu4) gutsy; urgency=low + + * debian/patches/70_trust_error.dpatch: Removed as it broke setting the + trust level to 1 (LP: #147343). + + -- Michael Bienia Mon, 01 Oct 2007 21:52:52 +0200 + +gnupg (1.4.6-2ubuntu3) gutsy; urgency=low + + [ Scott Kitterman ] + * Add 'debian/patches/60_install_options_skel.dpatch': Patch to + install options file from upstream (LP: #76983) + * Add 'debian/patches/61_use_agent_default.dpatch': Patch to set gpg + (or gpg2) and gpgsm to use a passphrase agent by default (LP: #15485) + * Add 'debian/patches/70_trust_error.dpatch': Patch to disallow illegal + zero response for trust level changes (LP: #39459) + + [ Michael Bienia ] + * Add libcurl4-gnutls-dev to Build-Depends to fix gpg running into a timeout + updating the keyring (LP: #62864) + + -- Michael Bienia Fri, 06 Jul 2007 20:56:05 +0200 + +gnupg (1.4.6-2ubuntu2) gutsy; urgency=low + + * Add 'debian/patches/50_show_primary_only.dpatch': add + 'show-primary-uid-only' to verify options, to suppress 'aka' output + in key verifications, backported from 1.4.7 upstream. + + -- Kees Cook Tue, 15 May 2007 12:09:41 -0700 + +gnupg (1.4.6-2ubuntu1) gutsy; urgency=low + + * Merge from debian unstable, remaining changes: + - config.h.in: Disable mlock() test since it fails with ulimit 0 (on + buildds). + - debian/rules: + + Do not install gpg as suid root, since that is not necessary with + kernels 2.6.8+. + + Make the build fail if the test suite fails. + - debian/control: Maintainer field update. + + -- Kees Cook Tue, 08 May 2007 02:21:26 -0700 + gnupg (1.4.6-2) unstable; urgency=medium * 28_multiple_message.dpatch: new patch from upstream to fix problems 
@@ -381,6 +619,28 @@ -- James Troup Wed, 7 Mar 2007 21:47:35 +0000 +gnupg (1.4.6-1ubuntu2) feisty; urgency=low + + * SECURITY UPDATE: without --status-fd, forged inline sigs can appear valid. + * debian/patches/50_stop_multiple_messages.dpatch: upstream patch. + * References + ftp://ftp.gnupg.org/gcrypt/gnupg/patches/gnupg-1.4.6-multiple-message.patch + CVE-2007-1263 + + -- Kees Cook Wed, 7 Mar 2007 11:53:20 -0800 + +gnupg (1.4.6-1ubuntu1) feisty; urgency=low + + * Merge from debian unstable, remaining changes: + - config.h.in: Disable mlock() test since it fails with ulimit 0 (on + buildds). + - debian/rules: + + Do not install gpg as suid root, since that is not necessary with + kernels 2.6.8+. + + Make the build fail if the test suite fails. + + -- Kees Cook Tue, 12 Dec 2006 15:56:56 -0800 + gnupg (1.4.6-1) unstable; urgency=high * New upstream release. @@ -399,6 +659,29 @@ -- James Troup Thu, 7 Dec 2006 02:54:51 +0000 +gnupg (1.4.5-3ubuntu2) feisty; urgency=low + + * SECURITY UPDATE: unwound stack data use, leading to arbitrary code + execution. + * Add debian/patches/29_dxf_context_stack.dpatch: upstream patch, use heap + for allocation instead. + * References + CVE-2006-6235 + + -- Kees Cook Wed, 6 Dec 2006 11:46:44 -0800 + +gnupg (1.4.5-3ubuntu1) feisty; urgency=low + + * Merge to Debian unstable. Remaining Ubuntu changes: + - config.h.in: Disable mlock() test since it fails with ulimit 0 (on + buildds). + - debian/rules: + + Do not install gpg as suid root, since that is not necessary with + kernels 2.6.8+. + + Make the build fail if the test suite fails. + + -- Martin Pitt Tue, 28 Nov 2006 19:06:47 +0100 + gnupg (1.4.5-3) unstable; urgency=high * 27_filename_overflow.dpatch: new patch from upstream to fix buffer 
@@ -406,6 +689,18 @@ -- James Troup Mon, 27 Nov 2006 21:23:37 +0000 +gnupg (1.4.5-2ubuntu1) feisty; urgency=low + + * Merge to Debian unstable. Remaining Ubuntu changes: + - config.h.in: Disable mlock() test since it fails with ulimit 0 (on + buildds). + - debian/rules: + + Do not install gpg as suid root, since that is not necessary with + kernels 2.6.8+. + + Make the build fail if the test suite fails. + + -- Martin Pitt Fri, 3 Nov 2006 09:18:26 +0100 + gnupg (1.4.5-2) unstable; urgency=low * debian/control: add gpgv package. Make gnupg package depend on it. @@ -429,6 +724,42 @@ -- James Troup Tue, 1 Aug 2006 22:50:09 +0100 +gnupg (1.4.3-2ubuntu3) edgy; urgency=low + + * SECURITY UPDATE: Local arbitrary code execution. + * Add debian/patches/27_comment_control_overflow.dpatch: + - Fix buffer overflows in parse_comment() and parse_gpg_control(). + - Patch extracted from stable 1.4.5 release. + - Reproducer: + perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| gpg --no-armor + - Credit: Evgeny Legerov + - CVE-2006-3746 + + -- Martin Pitt Thu, 3 Aug 2006 08:11:46 +0200 + +gnupg (1.4.3-2ubuntu2) edgy; urgency=low + + * Rebuild with current zlib1g-dev to fix udeb shlibdeps. Thanks to Evan + Dandrea for noticing. + + -- Colin Watson Mon, 31 Jul 2006 11:21:55 +0100 + +gnupg (1.4.3-2ubuntu1) edgy; urgency=low + + * Sync with Debian: + Remaining Ubuntu changes: + + config.h.in: Disable mlock() test since it fails with ulimit 0 (on + buildds). + + debian/patches/20_no_tty_fix.dpatch: + - dropped, upstream now + + debian/rules: + - don't use the included gettext + - Don't install gpg as suid root, since that is not necessary with + kernels 2.6.8+ + - Make the build fail if the test suite fails + + -- Sebastian Dröge Wed, 28 Jun 2006 21:11:14 +0200 + gnupg (1.4.3-2) unstable; urgency=low * 26_user_id_overflow.dpatch: new patch pulled from upstream SVN to fix 
@@ -494,6 +825,32 @@ -- James Troup Wed, 5 Apr 2006 02:45:56 +0100 +gnupg (1.4.2.2-1ubuntu2) dapper; urgency=low + + * debian/rules: + - Remove --with-included-gettext configure option; use libc's gettext to + get language pack support. Closes: LP#25609 + - rm'ing locale.alias is not necessary with this change, so change it to + rm -f to not break the build. + + -- Martin Pitt Mon, 3 Apr 2006 18:21:19 +0200 + +gnupg (1.4.2.2-1ubuntu1) dapper; urgency=low + + * Resynchronize with Debian, UVF exception approved by Matt. 1.4.2.2 only + contains a security fix, updated test cases, and updated translations. + * For reference and to ease future merges, these are the remaining Ubuntu + changes: + - debian/rules: Make the build fail if the test suite fails. + - debian/changelog: Add missing CVE number. + - Don't install gpg as suid root, since that is not necessary with kernels + 2.6.8+. + - config.h.in: Disable mlock() test since it fails with ulimit 0 (on + buildds). + - debian/patches/20_no_tty_fix.dpatch: Malone #5570 + + -- Martin Pitt Mon, 13 Mar 2006 12:42:00 +0100 + gnupg (1.4.2.2-1) unstable; urgency=low * New upstream release. 
@@ -502,6 +859,41 @@ -- James Troup Fri, 10 Mar 2006 04:27:12 +0000 +gnupg (1.4.2.1-0ubuntu1) dapper; urgency=low + + * New upstream security bugfix release, only contains the following changes: + - Security fix for a verification weakness in gpgv. Some input + could lead to gpgv exiting with 0 even if the detached signature + file did not carry any signature. This is not as fatal as it + might seem because the suggestion as always been not to rely on + th exit code but to parse the --status-fd messages. However it + is likely that gpgv is used in that simplified way and thus we + do this release. Same problem with "gpg --verify" but nobody + should have used this for signature verification without + checking the status codes anyway. [CVE-2006-0455] + - Added a test case for above vulnerability. + * debian/rules: Call the test suite during build. (Will fail the build + if the test suite fails.) + + -- Martin Pitt Fri, 17 Feb 2006 11:18:27 +0100 + +gnupg (1.4.2-2ubuntu2) dapper; urgency=low + + * Add 20_no_tty_fix.dpatch: + - Do not open /dev/tty if --no-tty is specified, since this breaks + programs like seahorse. + - Patch also accepted upstream. + - Thanks to Ryan Lortie for the patch. + - Malone #5570 + + -- Martin Pitt Fri, 16 Dec 2005 16:57:39 +0100 + +gnupg (1.4.2-2ubuntu1) dapper; urgency=low + + * Resynchronise with Debian. + + -- Martin Pitt Thu, 10 Nov 2005 16:13:10 -0500 + gnupg (1.4.2-2) unstable; urgency=low * 22_zero_length_mpi_fix.dpatch: new patch; pull in upstream patch to 
@@ -521,6 +913,20 @@ -- James Troup Sat, 24 Sep 2005 03:31:37 +0100 +gnupg (1.4.1-1ubuntu2) dapper; urgency=low + + * debian/rules: Stop calling pkgstriptranslations, we now get it + for free with the new and improved dpkg-deb diversion hack. + + -- Adam Conrad Wed, 26 Oct 2005 10:42:17 +1000 + +gnupg (1.4.1-1ubuntu1) breezy; urgency=low + + * Resynchronise with Debian, fixing changelog ordering. + * Added CAN number to previous changelog entry. + + -- Martin Pitt Fri, 10 Jun 2005 10:36:38 +0200 + gnupg (1.4.1-1) unstable; urgency=low * New upstream release. Closes: #307203 @@ -534,6 +940,12 @@ -- James Troup Mon, 9 May 2005 23:41:50 +0100 +gnupg (1.4.0-3ubuntu1) breezy; urgency=low + + * Merge Debian changes (#9358). + + -- Martin Pitt Fri, 15 Apr 2005 09:35:41 +0200 + gnupg (1.4.0-3) unstable; urgency=low * debian/rules (binary-arch): move Russian manpage to correct (FHS) 
@@ -594,6 +1006,41 @@ -- Colin Watson Fri, 24 Dec 2004 13:42:23 +0000 +gnupg (1.2.5-3ubuntu5) hoary; urgency=low + + * debian/rules: Call pkgstriptranslations if present (the package does not + use debhelper, thus it does not happen automatically). + + -- Martin Pitt Fri, 18 Mar 2005 13:04:50 +0000 + +gnupg (1.2.5-3ubuntu4) hoary; urgency=low + + * debian/control, debian/rules: Build gpgv-udeb, containing just + /usr/bin/gpgv built without bzip2 support and with -Os, for use in the + installer. + + -- Colin Watson Wed, 12 Jan 2005 14:52:51 +0000 + +gnupg (1.2.5-3ubuntu3) hoary; urgency=low + + * Disable HAVE_BROKEN_MLOCK, since the test fails if ulimit -l 0. + + -- LaMont Jones Tue, 30 Nov 2004 22:35:20 -0700 + +gnupg (1.2.5-3ubuntu2) hoary; urgency=low + + * No-change upload to get mlock test correct. + + -- LaMont Jones Tue, 30 Nov 2004 21:25:26 -0700 + +gnupg (1.2.5-3ubuntu1) hoary; urgency=low + + * Resynced to Debian; automatic sync result was a mess, redid from scratch. + * Do not install gnupg as suid root since the Ubuntu kernel now supports + calling mlock() as user. + + -- Martin Pitt Thu, 11 Nov 2004 11:08:42 +0100 + gnupg (1.2.5-3) unstable; urgency=low * debian/rules (build): drop --with-capabilites for now. diff -Nru gnupg-1.4.12/debian/control gnupg-1.4.12/debian/control --- gnupg-1.4.12/debian/control 2013-01-02 18:45:02.000000000 +0000 +++ gnupg-1.4.12/debian/control 2013-01-08 10:46:23.000000000 +0000 @@ -1,7 +1,8 @@ Source: gnupg Section: utils Priority: important -Maintainer: Debian GnuPG-Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuPG-Maintainers Uploaders: Sune Vuorela , Daniel Leidert , Thijs Kinkhorst @@ -10,7 +11,6 @@ libusb-dev [!hurd-i386], libreadline-dev, file, gettext, libcurl4-gnutls-dev -Build-Depends-Indep: mingw-w64 Homepage: http://www.gnupg.org Vcs-Browser: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/ Vcs-Svn: svn://svn.debian.org/svn/pkg-gnupg/gnupg/trunk/ 
@@ -19,8 +19,7 @@ Architecture: any Multi-Arch: foreign Depends: ${shlibs:Depends}, ${misc:Depends}, gpgv -Recommends: ${shlibs:Recommends}, gnupg-curl -Suggests: gnupg-doc, xloadimage | imagemagick | eog, libpcsclite1 +Suggests: ${shlibs:Suggests}, gnupg-curl, gnupg-doc, xloadimage | imagemagick | eog, libpcsclite1 Description: GNU privacy guard - a free PGP replacement GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. @@ -44,7 +43,7 @@ Priority: optional Architecture: any Multi-Arch: foreign -Depends: ${shlibs:Depends}, ${shlibs:Recommends}, ${misc:Depends}, gnupg +Depends: ${shlibs:Depends}, ${shlibs:Suggests}, ${misc:Depends}, gnupg Description: GNU privacy guard - a free PGP replacement (cURL) GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. @@ -100,19 +99,3 @@ . This is GnuPG's signature verification tool, gpgv, packaged in minimal form for use in debian-installer. - -Package: gpgv-win32 -Architecture: all -Priority: extra -Depends: ${misc:Depends} -Suggests: wine -Description: GNU privacy guard - signature verification tool (win32 build) - GnuPG is GNU's tool for secure communication and data storage. - . - gpgv is a stripped-down version of gnupg which is only able to check - signatures. It is smaller than the full-blown gnupg and uses a - different (and simpler) way to check that the public keys used to - make the signature are trustworthy. - . - This is a win32 version of gpgv. It's meant to be used by the win32-loader - component of Debian-Installer. diff -Nru gnupg-1.4.12/debian/gpgv-win32.dirs gnupg-1.4.12/debian/gpgv-win32.dirs --- gnupg-1.4.12/debian/gpgv-win32.dirs 2012-03-05 21:30:20.000000000 +0000 +++ gnupg-1.4.12/debian/gpgv-win32.dirs 2013-01-08 10:46:23.000000000 +0000 
@@ -1 +0,0 @@ -usr/share/win32 diff -Nru gnupg-1.4.12/debian/gpgv-win32.install gnupg-1.4.12/debian/gpgv-win32.install --- gnupg-1.4.12/debian/gpgv-win32.install 2012-03-05 21:30:20.000000000 +0000 +++ gnupg-1.4.12/debian/gpgv-win32.install 2013-01-08 10:46:23.000000000 +0000 @@ -1 +0,0 @@ -build-win32/g10/gpgv.exe usr/share/win32/ diff -Nru gnupg-1.4.12/debian/patches/CVE-2013-4242.diff gnupg-1.4.12/debian/patches/CVE-2013-4242.diff --- gnupg-1.4.12/debian/patches/CVE-2013-4242.diff 1970-01-01 00:00:00.000000000 +0000 +++ gnupg-1.4.12/debian/patches/CVE-2013-4242.diff 2013-07-30 22:20:06.000000000 +0000 
@@ -0,0 +1,95 @@ +From: Werner Koch +Date: Fri, 19 Jul 2013 11:49:23 +0000 (+0200) +Subject: Mitigate a flush+reload cache attack on RSA secret exponents. +X-Git-Tag: gnupg-1.4.14~5 +X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=35646689f4b80955ff7dbe1687bf2c479c53421e;hp=fd86f3031161f11c3cbef643a213a04c821364dd + +Mitigate a flush+reload cache attack on RSA secret exponents. + +* mpi/mpi-pow.c (mpi_powm): Always perform the mpi_mul for exponents +hold in secure memory. +-- + +The attack is described in a paper to be pusblished at eprint.iacr.org: + +Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel +Attack by Yuval Yarom and Katrina Falkner. 18 July 2013. + + Flush+Reload is a cache side-channel attack that monitors access to + data in shared pages. In this paper we demonstrate how to use the + attack to extract private encryption keys from GnuPG. The high + resolution and low noise of the Flush+Reload attack enables a spy + program to recover over 98% of the bits of the private key in a + single decryption or signing round. Unlike previous attacks, the + attack targets the last level L3 cache. Consequently, the spy + program and the victim do not need to share the execution core of + the CPU. The attack is not limited to a traditional OS and can be + used in a virtualised environment, where it can attack programs + executing in a different VM. + +Signed-off-by: Werner Koch +--- + +--- + NEWS | 9 +++++++++ + mpi/mpi-pow.c | 15 ++++++++++++--- + 2 files changed, 21 insertions(+), 3 deletions(-) + +Index: b/NEWS +=================================================================== +--- a/NEWS ++++ b/NEWS +@@ -22,6 +22,15 @@ + + * Minor bug fixes. + ++ * Mitigate the Yarom/Falkner flush+reload side-channel attack on ++ RSA secret keys. ++ ++ * Fixed IDEA for big-endian CPUs ++ ++ * Improved the diagnostics for failed keyserver lockups. ++ ++ * Minor bug and portability fixes. 
++ + + Noteworthy changes in version 1.4.11 (2010-10-18) + ------------------------------------------------- +Index: b/mpi/mpi-pow.c +=================================================================== +--- a/mpi/mpi-pow.c ++++ b/mpi/mpi-pow.c +@@ -1,5 +1,6 @@ + /* mpi-pow.c - MPI functions +- * Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc. ++ * Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc. ++ * Copyright (C) 2013 Werner Koch + * + * This file is part of GnuPG. + * +@@ -209,7 +210,14 @@ + tp = rp; rp = xp; xp = tp; + rsize = xsize; + +- if( (mpi_limb_signed_t)e < 0 ) { ++ /* To mitigate the Yarom/Falkner flush+reload cache ++ * side-channel attack on the RSA secret exponent, we ++ * do the multiplication regardless of the value of ++ * the high-bit of E. But to avoid this performance ++ * penalty we do it only if the exponent has been ++ * stored in secure memory and we can thus assume it ++ * is a secret exponent. */ ++ if (esec || (mpi_limb_signed_t)e < 0) { + /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/ + if( bsize < KARATSUBA_THRESHOLD ) { + mpihelp_mul( xp, rp, rsize, bp, bsize ); +@@ -224,7 +232,8 @@ + mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize); + xsize = msize; + } +- ++ } ++ if ((mpi_limb_signed_t)e < 0) { + tp = rp; rp = xp; xp = tp; + rsize = xsize; + } diff -Nru gnupg-1.4.12/debian/patches/autoconfupdate.patch gnupg-1.4.12/debian/patches/autoconfupdate.patch --- gnupg-1.4.12/debian/patches/autoconfupdate.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg-1.4.12/debian/patches/autoconfupdate.patch 2013-01-08 10:46:23.000000000 +0000 
@@ -0,0 +1,148 @@ +Description: Update config.guess/config.sub for aarch64 +Author: Wookey +Forwarded: no +Last-Update: 2012-12-04 + +Index: b/scripts/config.guess +=================================================================== +--- a/scripts/config.guess ++++ b/scripts/config.guess +@@ -4,7 +4,7 @@ + # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, + # 2011, 2012 Free Software Foundation, Inc. + +-timestamp='2012-01-01' ++timestamp='2012-02-10' + + # This file is free software; you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by +@@ -17,9 +17,7 @@ + # General Public License for more details. + # + # You should have received a copy of the GNU General Public License +-# along with this program; if not, write to the Free Software +-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +-# 02110-1301, USA. ++# along with this program; if not, see . + # + # As a special exception to the GNU General Public License, if you + # distribute this file as part of a program that contains a +@@ -863,6 +861,13 @@ + i*86:Minix:*:*) + echo ${UNAME_MACHINE}-pc-minix + exit ;; ++ aarch64:Linux:*:*) ++ echo ${UNAME_MACHINE}-unknown-linux-gnu ++ exit ;; ++ aarch64_be:Linux:*:*) ++ UNAME_MACHINE=aarch64_be ++ echo ${UNAME_MACHINE}-unknown-linux-gnu ++ exit ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + EV5) UNAME_MACHINE=alphaev5 ;; +@@ -1320,6 +1325,9 @@ + i*86:AROS:*:*) + echo ${UNAME_MACHINE}-pc-aros + exit ;; ++ x86_64:VMkernel:*:*) ++ echo ${UNAME_MACHINE}-unknown-esx ++ exit ;; + esac + + #echo '(No uname command or uname output not recognized.)' 1>&2 +Index: b/scripts/config.sub +=================================================================== +--- a/scripts/config.sub ++++ b/scripts/config.sub +@@ -4,7 +4,7 @@ + # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, + # 2011, 2012 Free Software Foundation, Inc. 
+ +-timestamp='2012-01-01' ++timestamp='2012-04-18' + + # This file is (in principle) common to ALL GNU software. + # The presence of a machine in this file suggests that SOME GNU software +@@ -21,9 +21,7 @@ + # GNU General Public License for more details. + # + # You should have received a copy of the GNU General Public License +-# along with this program; if not, write to the Free Software +-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +-# 02110-1301, USA. ++# along with this program; if not, see . + # + # As a special exception to the GNU General Public License, if you + # distribute this file as part of a program that contains a +@@ -132,6 +130,10 @@ + os=-$maybe_os + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` + ;; ++ android-linux) ++ os=-linux-android ++ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown ++ ;; + *) + basic_machine=`echo $1 | sed 's/-[^-]*$//'` + if [ $basic_machine != $1 ] +@@ -223,6 +225,12 @@ + -isc*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; ++ -lynx*178) ++ os=-lynxos178 ++ ;; ++ -lynx*5) ++ os=-lynxos5 ++ ;; + -lynx*) + os=-lynxos + ;; +@@ -247,6 +255,7 @@ + # Some are omitted here because they have special meanings below. + 1750a | 580 \ + | a29k \ ++ | aarch64 | aarch64_be \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ + | am33_2.0 \ +@@ -319,7 +328,7 @@ + c6x) + basic_machine=tic6x-unknown + ;; +- m6811 | m68hc11 | m6812 | m68hc12 | picochip) ++ m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) + basic_machine=$basic_machine-unknown + os=-none + ;; +@@ -332,7 +341,10 @@ + strongarm | thumb | xscale) + basic_machine=arm-unknown + ;; +- ++ xgate) ++ basic_machine=$basic_machine-unknown ++ os=-none ++ ;; + xscaleeb) + basic_machine=armeb-unknown + ;; +@@ -355,6 +367,7 @@ + # Recognize the basic CPU types with company name. 
+ 580-* \ + | a29k-* \ ++ | aarch64-* | aarch64_be-* \ + | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ + | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ +@@ -1530,6 +1543,9 @@ + c4x-* | tic4x-*) + os=-coff + ;; ++ hexagon-*) ++ os=-elf ++ ;; + tic54x-*) + os=-coff + ;; diff -Nru gnupg-1.4.12/debian/patches/disable_mlock_test.patch gnupg-1.4.12/debian/patches/disable_mlock_test.patch --- gnupg-1.4.12/debian/patches/disable_mlock_test.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg-1.4.12/debian/patches/disable_mlock_test.patch 2013-01-08 10:46:23.000000000 +0000 @@ -0,0 +1,22 @@ +Description: Disable mlock() test since it fails with ulimit 0 + This happens on Ubuntu buildds. +Author: Michael Bienia +Forwarded: no +Last-Update: 2012-12-04 + +Index: b/config.h.in +=================================================================== +--- a/config.h.in ++++ b/config.h.in +@@ -82,8 +82,11 @@ + /* Define if `gethrtime(2)' does not work correctly i.e. issues a SIGILL. */ + #undef HAVE_BROKEN_GETHRTIME + ++/* Test doesn't work, since ulimit is sometimes 0... */ ++#if 0 + /* Defined if the mlock() call does not work */ + #undef HAVE_BROKEN_MLOCK ++#endif + + /* Define to 1 if the compiler understands __builtin_expect. */ + #undef HAVE_BUILTIN_EXPECT diff -Nru gnupg-1.4.12/debian/patches/series gnupg-1.4.12/debian/patches/series --- gnupg-1.4.12/debian/patches/series 2013-01-02 18:53:35.000000000 +0000 +++ gnupg-1.4.12/debian/patches/series 2013-07-30 22:19:59.000000000 +0000 
@@ -1,2 +1,6 @@ 685627_french_translation_update.patch CVE-2012-6085.patch +disable_mlock_test.patch +use_agent_default.patch +autoconfupdate.patch +CVE-2013-4242.diff diff -Nru gnupg-1.4.12/debian/patches/use_agent_default.patch gnupg-1.4.12/debian/patches/use_agent_default.patch --- gnupg-1.4.12/debian/patches/use_agent_default.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg-1.4.12/debian/patches/use_agent_default.patch 2013-01-08 10:46:23.000000000 +0000 @@ -0,0 +1,25 @@ +Description: Use agent by default +Author: Scott Kitterman +Bug-Ubuntu: https://bugs.launchpad.net/bugs/15485 +Forwarded: no +Last-Update: 2012-12-04 + +Index: b/g10/options.skel +=================================================================== +--- a/g10/options.skel ++++ b/g10/options.skel +@@ -199,8 +199,12 @@ + # at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent, + # you have to run an agent as daemon and use the option + # +-# use-agent +-# ++# For Ubuntu we now use-agent by default to support more automatic ++# use of GPG and S/MIME encryption by GUI programs. Depending on the ++# program, users may still have to manually decide to install gnupg-agent. ++ ++use-agent ++ + # which tries to use the agent but will fallback to the regular mode + # if there is a problem connecting to the agent. The normal way to + # locate the agent is by looking at the environment variable diff -Nru gnupg-1.4.12/debian/rules gnupg-1.4.12/debian/rules --- gnupg-1.4.12/debian/rules 2013-01-02 18:45:02.000000000 +0000 +++ gnupg-1.4.12/debian/rules 2013-01-08 10:46:23.000000000 +0000 @@ -90,7 +90,7 @@ build: build-arch build-arch: build-deb-stamp build-deb-curl-stamp build-udeb-stamp -build-indep: build-win32-stamp +build-indep: ##################################### clean ##################################
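Review bot: in the debian/control hunk the gnupg stanza switches `${shlibs:Recommends}` to `${shlibs:Suggests}` and the gnupg-curl stanza's Depends is renamed to match, but the only debian/rules change in this debdiff is the `build-indep:` line, so nothing visible here changes how that substvar is produced. Confirm that dpkg-shlibdeps is already invoked with `-dSuggests` for the keyserver helpers; if it still emits shlibs:Recommends, the renamed variable expands to nothing and the libldap dependency the changelog says is being demoted is silently dropped rather than moved.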
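Review bot: the NEWS hunk in debian/patches/CVE-2013-4242.diff adds entries ("Fixed IDEA for big-endian CPUs", "Improved the diagnostics for failed keyserver lockups", "Minor bug and portability fixes") for changes this backport does not carry, so the packaged NEWS would claim fixes that are absent from 1.4.12-7ubuntu1.1. Keep only the flush+reload line for a stable security update; if the others are kept for fidelity to upstream, "lockups" should read "lookups", and "pusblished" in the patch description should read "published".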
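Review bot: in the mpi/mpi-pow.c hunk the new condition `if (esec || (mpi_limb_signed_t)e < 0)` relies on `esec`, which is not introduced in this hunk; confirm that mpi_powm sets it from the exponent's secure-memory flag before this loop, because a secret exponent that is ever held outside secure memory still follows the old data-dependent path. Note also that the multiply is now unconditional for secure exponents while the pointer swap `tp = rp; rp = xp; xp = tp;` remains conditional on the exponent bit, so this removes the large multiply-versus-no-multiply cache signal but is not a constant-time exponentiation; the changelog wording "always perform the mpi_mul for exponents in secure memory" describes the scope accurately and should stay that way rather than being summarised as a full fix.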
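Review bot: the Description "Update config.guess/config.sub for aarch64" in autoconfupdate.patch understates the hunks, which also add x86_64 VMkernel, android-linux, lynxos178/lynxos5, m68hcs12x, xgate and hexagon handling and bump the script timestamps to 2012-02-10 and 2012-04-18. Either state that both scripts are refreshed wholesale to those upstream versions or trim the patch to the aarch64 hunks so it matches its stated scope.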
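Review bot: the config.h.in hunk in disable_mlock_test.patch wraps `#undef HAVE_BROKEN_MLOCK` in `#if 0`, which discards the result of the configure-time mlock check on every build, not only on buildds where the memlock ulimit is 0. With this change HAVE_BROKEN_MLOCK can never be defined, so a build on a system where mlock genuinely fails depends entirely on GnuPG's runtime handling of the mlock error. Preseeding the configure cache variable for that check from debian/rules on the build daemons would be less invasive than editing the generated header template, and the Description should at least state that the override is unconditional.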
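Review bot: the g10/options.skel hunk in use_agent_default.patch inserts the Ubuntu comment and the bare `use-agent` line in the middle of the existing explanatory paragraph: the removed `# use-agent` / `#` lines were the example option that "use the option" above and "which tries to use the agent but will fallback" below refer to, so after the change that trailing sentence has no subject. Keep the commented example where it was and append the Ubuntu note plus the active `use-agent` line after the paragraph. The Description could also mention that options.skel only seeds a newly created gpg.conf, so existing users' configurations are unaffected by this default.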