diffstat of debian/ for gnupg2_2.0.17-2 gnupg2_2.0.17-2ubuntu2.12.04.6 changelog | 176 control | 7 gnupg2.udev | 12 patches/0001-Screen-keyserver-responses.patch | 683 +++ patches/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch | 135 patches/0003-Add-kbnode_t-for-easier-backporting.patch | 25 patches/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch | 157 patches/Add-build-and-runtime-support-for-larger-RSA-key.patch | 160 patches/CVE-2012-6085.patch | 64 patches/CVE-2013-4351.patch | 63 patches/CVE-2013-4402.patch | 307 + patches/CVE-2014-4617.patch | 69 patches/CVE-2015-1606.patch | 71 patches/CVE-2015-1607.patch | 1876 ++++++++++ patches/debian-changes-2.0.17-2ubuntu1 | 893 ++++ patches/debian-changes-2.0.17-2ubuntu1.12.04.1 | 386 ++ patches/gnupg2-fix-libgcrypt.diff | 42 patches/long-keyids.diff | 47 patches/series | 15 rules | 4 20 files changed, 5187 insertions(+), 5 deletions(-) diff -Nru gnupg2-2.0.17/debian/changelog gnupg2-2.0.17/debian/changelog --- gnupg2-2.0.17/debian/changelog 2011-02-13 21:33:38.000000000 +0000 +++ gnupg2-2.0.17/debian/changelog 2015-03-27 12:20:18.000000000 +0000 
@@ -1,3 +1,84 @@ +gnupg2 (2.0.17-2ubuntu2.12.04.6) precise-security; urgency=medium + + * Screen responses from keyservers (LP: #1409117) + - d/p/0001-Screen-keyserver-responses.patch + - d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch + - d/p/0003-Add-kbnode_t-for-easier-backporting.patch + - d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch + * Fix large key size regression from CVE-2014-5270 changes (LP: #1371766) + - d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch + - debian/rules: build with --enable-large-secmem + * SECURITY UPDATE: invalid memory read via invalid keyring + - debian/patches/CVE-2015-1606.patch: skip all packets not allowed in + a keyring in g10/keyring.c. + - CVE-2015-1606 + * SECURITY UPDATE: memcpy with overlapping ranges + - debian/patches/CVE-2015-1607.patch: use inline functions to convert + buffer data to scalars in common/iobuf.c, g10/build-packet.c, + g10/getkey.c, g10/keygen.c, g10/keyid.c, g10/main.h, g10/misc.c, + g10/parse-packet.c, g10/tdbio.c, g10/trustdb.c, include/host2net.h, + kbx/keybox-dump.c, kbx/keybox-openpgp.c, kbx/keybox-search.c, + kbx/keybox-update.c, scd/apdu.c, scd/app-openpgp.c, + scd/ccid-driver.c, scd/pcsc-wrapper.c, tools/ccidmon.c. + - CVE-2015-1607 + + -- Marc Deslauriers Fri, 27 Mar 2015 08:20:03 -0400 + +gnupg2 (2.0.17-2ubuntu2.12.04.4) precise-security; urgency=medium + + * SECURITY UPDATE: denial of service via uncompressing garbled packets + - debian/patches/CVE-2014-4617.patch: limit number of extra bytes in + g10/compress.c. + - CVE-2014-4617 + + -- Marc Deslauriers Thu, 26 Jun 2014 09:20:38 -0400 + +gnupg2 (2.0.17-2ubuntu2.12.04.3) precise-security; urgency=low + + * SECURITY UPDATE: incorrect no-usage-permitted flag handling + - debian/patches/CVE-2013-4351.patch: correctly handle empty key flags + in g10/getkey.c, g10/keygen.c, include/cipher.h. 
+ - CVE-2013-4351 + * SECURITY UPDATE: denial of service via infinite recursion + - debian/patches/CVE-2013-4402.patch: set limits on number of filters + and nested packets in common/iobuf.c, g10/mainproc.c. + - CVE-2013-4402 + + -- Marc Deslauriers Mon, 07 Oct 2013 15:51:48 -0400 + +gnupg2 (2.0.17-2ubuntu2.12.04.2) precise-security; urgency=low + + * SECURITY UPDATE: keyring corruption via malformed key import + - debian/patches/CVE-2012-6085.patch: validate PKTTYPE in g10/import.c. + - CVE-2012-6085 + + -- Marc Deslauriers Tue, 08 Jan 2013 15:36:17 -0500 + +gnupg2 (2.0.17-2ubuntu2.12.04.1) precise-security; urgency=low + + * debian/patches/long-keyids.diff: Use the longest key ID available + when requesting a key from a key server. + + -- Marc Deslauriers Tue, 14 Aug 2012 13:12:12 -0400 + +gnupg2 (2.0.17-2ubuntu2) oneiric; urgency=low + + * debian/patches/gnupg2-fix-libgcrypt.diff: Fix assertion failure with + libgcrypt 1.5.0. (LP: #815190) + + -- Anders Kaseorg Sat, 23 Jul 2011 15:50:51 -0400 + +gnupg2 (2.0.17-2ubuntu1) oneiric; urgency=low + + * Merge from debian unstable. Remaining changes: + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. + . debian/gnupg2.dev: udev rules to set ACLs on SCM smartcard readers. + . debian/rules: Call dh_installudev. + - debian/control: Rename Vcs-* to XS-Debian-Vcs-*. + + -- Marc Deslauriers Wed, 25 May 2011 14:27:35 -0400 + gnupg2 (2.0.17-2) unstable; urgency=low * debian/control: Add dependency on dpkg (>= 1.15.4) | install-info for 
@@ -27,6 +108,19 @@ -- Eric Dorland Sun, 13 Feb 2011 16:06:41 -0500 +gnupg2 (2.0.14-2ubuntu1) natty; urgency=low + + * Merge from debian unstable. Remaining changes: + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. + . debian/gnupg2.dev: udev rules to set ACLs on SCM smartcard readers. + . debian/rules: Call dh_installudev. + - debian/control: Rename Vcs-* to XS-Debian-Vcs-*. + * debian/patches/CVE-2010-2547.patch: dropped, now in + 03-gpgsm-realloc.diff. + + -- Marc Deslauriers Tue, 16 Nov 2010 11:30:31 -0500 + gnupg2 (2.0.14-2) unstable; urgency=low * debian/*.lintian, debian/*.lintian-overrides, debian/rules: Rename 
@@ -45,6 +139,51 @@ -- Eric Dorland Sun, 25 Jul 2010 02:16:42 -0400 +gnupg2 (2.0.14-1.1ubuntu2) maverick; urgency=low + + * SECURITY UPDATE: denial of service and possible arbitrary code + execution via certificate with large number of Subject Alternate Names + - debian/patches/CVE-2010-2547.patch: fix use-after-free in + kbx/keybox-blob.c. + - CVE-2010-2547 + + -- Marc Deslauriers Wed, 11 Aug 2010 13:56:02 -0400 + +gnupg2 (2.0.14-1.1ubuntu1) maverick; urgency=low + + * Merge with Debian; remaining changes: + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. + . debian/gnupg2.dev: udev rules to set ACLs on SCM smartcard readers. + . debian/rules: Call dh_installudev. + + -- Loïc Minier Tue, 15 Jun 2010 13:21:29 +0200 + +gnupg2 (2.0.14-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Added encode-s2k.patch(Encode the s2kcount and do not use a + static value of 96.(thanks to Werner Koch) (closes: #567926). + + -- Martijn van Brummelen Fri, 07 May 2010 06:23:55 +0200 + +gnupg2 (2.0.14-1ubuntu2) maverick; urgency=low + + * Drop Ubuntu patch from series, refresh debian/patches/debian-changes after + updating config.guess and config.sub with the Ubuntu version; fixes FTBFS + in Ubuntu. + * Rename Vcs-* to XS-Debian-Vcs-*. + + -- Loïc Minier Sun, 06 Jun 2010 15:11:15 +0200 + +gnupg2 (2.0.14-1ubuntu1) lucid; urgency=low + + * Merge with Debian testing (lp: #511356). Remaining changes: + - debian/gnupg2.dev: udev rules to set ACLs on SCM smartcard readers. + - debian/rules: Call dh_installudev. + + -- Michael Bienia Fri, 22 Jan 2010 21:49:55 +0100 + gnupg2 (2.0.14-1) unstable; urgency=low * New upstream release. 
@@ -57,6 +196,15 @@ -- Eric Dorland Sat, 09 Jan 2010 21:15:18 -0500 +gnupg2 (2.0.13-1ubuntu1) lucid; urgency=low + + * Merge with Debian testing (lp: #477491). Remaining changes: + - Build-depend on libreadline-dev instead of libreadline5-dev. + - debian/gnupg2.dev: udev rules to set ACLs on SCM smartcard readers. + - debian/rules: Call dh_installudev. + + -- Michael Bienia Sat, 07 Nov 2009 13:12:03 +0100 + gnupg2 (2.0.13-1) unstable; urgency=low * New upstream release. @@ -81,6 +229,31 @@ -- Eric Dorland Sun, 23 Aug 2009 20:48:11 -0400 +gnupg2 (2.0.12-0ubuntu2) karmic; urgency=low + + * Build-depend on libreadline-dev instead of libreadline5-dev. + + -- Matthias Klose Sat, 19 Sep 2009 22:56:12 +0200 + +gnupg2 (2.0.12-0ubuntu1) karmic; urgency=low + + * New upstream release. + * Add 01-scd-pw2.patch, 03-opgp-writekey.patch, and 06-opgp-sign3072.patch + from https://bugs.g10code.com/gnupg/issue1094 to make OpenPGP 2.0 + smartcards work. + + -- Soren Hansen Tue, 04 Aug 2009 12:27:49 +0100 + +gnupg2 (2.0.11-1ubuntu1) karmic; urgency=low + + * debian/gnupg2.udev: + Add udev rules to set ACLs on SCM smartcard readers. They replace the hal + rules for the same purpose. (LP: #57755) + * debian/rules: + Call dh_installudev. + + -- Michael Bienia Fri, 03 Jul 2009 15:35:47 +0200 + gnupg2 (2.0.11-1) unstable; urgency=low * New upstream release. (Closes: #496663) @@ -535,7 +708,7 @@ id not found". Closes: #229549 -- James Troup Fri, 20 Feb 2004 16:38:12 +0000 - + gnupg (1.2.4-2) unstable; urgency=low * mpi/hppa1.1/udiv-qrnnd.S: patch from LaMont Jones @@ -1130,3 +1303,4 @@ * Initial release. -- James Troup Fri, 20 Feb 1998 02:05:34 +0000 + diff -Nru gnupg2-2.0.17/debian/control gnupg2-2.0.17/debian/control --- gnupg2-2.0.17/debian/control 2011-02-13 21:33:38.000000000 +0000 +++ gnupg2-2.0.17/debian/control 2011-08-24 10:25:36.000000000 +0000 
@@ -1,11 +1,12 @@ Source: gnupg2 Section: utils Priority: optional -Maintainer: Eric Dorland +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Eric Dorland Standards-Version: 3.9.1 Build-Depends: debhelper (>= 8), dh-autoreconf, autopoint, gettext, zlib1g-dev | libz-dev, libldap2-dev, file, libbz2-dev, libgpg-error-dev (>= 1.7), libassuan-dev (>= 2.0), libgcrypt11-dev (>= 1.4.0), libksba-dev (>= 1.0.7),libpth-dev, libusb-dev, texinfo, transfig, ghostscript, libreadline-dev, libcurl4-gnutls-dev, hardening-wrapper -Vcs-Git: git://git.debian.org/~eric/gnupg2.git -Vcs-Browser: http://git.debian.org/?p=users/eric/gnupg2.git +XS-Debian-Vcs-Git: git://git.debian.org/~eric/gnupg2.git +XS-Debian-Vcs-Browser: http://git.debian.org/?p=users/eric/gnupg2.git Homepage: http://www.gnupg.org/ Package: gnupg-agent diff -Nru gnupg2-2.0.17/debian/gnupg2.udev gnupg2-2.0.17/debian/gnupg2.udev --- gnupg2-2.0.17/debian/gnupg2.udev 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/gnupg2.udev 2011-08-24 10:25:36.000000000 +0000 
@@ -0,0 +1,12 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
+ACTION!="add", GOTO="gnupg_rules_end"
+
+# USB SmartCard Readers
+## SCM readers (SCR335, SPR532, & Co)
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
+LABEL="gnupg_rules_end"
diff -Nru gnupg2-2.0.17/debian/patches/0001-Screen-keyserver-responses.patch gnupg2-2.0.17/debian/patches/0001-Screen-keyserver-responses.patch
--- gnupg2-2.0.17/debian/patches/0001-Screen-keyserver-responses.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.0.17/debian/patches/0001-Screen-keyserver-responses.patch 2015-03-25 20:30:11.000000000 +0000
@@ -0,0 +1,683 @@ +From 5e933008beffbeae7255ece02383606481f9c169 Mon Sep 17 00:00:00 2001 +From: Stefan Tomanek +Date: Thu, 30 Jan 2014 00:57:43 +0100 +Subject: [PATCH] gpg: Screen keyserver responses. + +* g10/main.h (import_filter_t): New. +* g10/import.c (import): Add filter callbacks to param list. +(import_one): Ditto. +(import_secret_one): Ditto. +(import_keys_internal): Ditto. +(import_keys_stream): Ditto. +* g10/keyserver.c (keyserver_retrieval_filter): New. +(keyserver_spawn): Pass filter to import_keys_stream() + +-- +These changes introduces import functions that apply a constraining +filter to imported keys. These filters can verify the fingerprints of +the keys returned before importing them into the keyring, ensuring that +the keys fetched from the keyserver are in fact those selected by the +user beforehand. + +Signed-off-by: Stefan Tomanek + +Re-indention and minor changes by wk. + +Resolved conflicts: + g10/import.c + g10/keyserver.c + g10/main.h +--- + g10/import.c | 158 +++++++++++++++++++++++++++++++++----------------------- + g10/keyserver.c | 77 ++++++++++++++++++++++----- + g10/main.h | 9 +++- + 3 files changed, 164 insertions(+), 80 deletions(-) + +Index: gnupg2-2.0.17/g10/import.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/import.c 2015-03-25 16:26:21.244166566 -0400 ++++ gnupg2-2.0.17/g10/import.c 2015-03-25 16:26:21.244166566 -0400 +@@ -59,14 +59,17 @@ + + + static int import( IOBUF inp, const char* fname,struct stats_s *stats, +- unsigned char **fpr,size_t *fpr_len,unsigned int options ); ++ unsigned char **fpr,size_t *fpr_len,unsigned int options, ++ import_filter_t filter, void *filter_arg ); + static int read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root ); + static void revocation_present(KBNODE keyblock); + static int import_one(const char *fname, KBNODE keyblock,struct stats_s *stats, + unsigned char **fpr,size_t *fpr_len, +- unsigned int options,int from_sk); ++ 
unsigned int options,int from_sk, ++ import_filter_t filter, void *filter_arg); + static int import_secret_one( const char *fname, KBNODE keyblock, +- struct stats_s *stats, unsigned int options); ++ struct stats_s *stats, unsigned int options, ++ import_filter_t filter, void *filter_arg); + static int import_revoke_cert( const char *fname, KBNODE node, + struct stats_s *stats); + static int chk_self_sigs( const char *fname, KBNODE keyblock, +@@ -163,7 +166,8 @@ + static int + import_keys_internal( IOBUF inp, char **fnames, int nnames, + void *stats_handle, unsigned char **fpr, size_t *fpr_len, +- unsigned int options ) ++ unsigned int options, ++ import_filter_t filter, void *filter_arg) + { + int i, rc = 0; + struct stats_s *stats = stats_handle; +@@ -172,7 +176,8 @@ + stats = import_new_stats_handle (); + + if (inp) { +- rc = import( inp, "[stream]", stats, fpr, fpr_len, options); ++ rc = import (inp, "[stream]", stats, fpr, fpr_len, options, ++ filter, filter_arg); + } + else { + int once = (!fnames && !nnames); +@@ -192,7 +197,8 @@ + log_error(_("can't open `%s': %s\n"), fname, strerror(errno) ); + else + { +- rc = import( inp2, fname, stats, fpr, fpr_len, options ); ++ rc = import (inp2, fname, stats, fpr, fpr_len, options, ++ NULL, NULL); + iobuf_close(inp2); + /* Must invalidate that ugly cache to actually close it. 
*/ + iobuf_ioctl (NULL, 2, 0, (char*)fname); +@@ -223,24 +229,27 @@ + import_keys( char **fnames, int nnames, + void *stats_handle, unsigned int options ) + { +- import_keys_internal(NULL,fnames,nnames,stats_handle,NULL,NULL,options); ++ import_keys_internal (NULL, fnames, nnames, stats_handle, NULL, NULL, ++ options, NULL, NULL); + } + + int + import_keys_stream( IOBUF inp, void *stats_handle, +- unsigned char **fpr, size_t *fpr_len,unsigned int options ) ++ unsigned char **fpr, size_t *fpr_len,unsigned int options, ++ import_filter_t filter, void *filter_arg) + { +- return import_keys_internal(inp,NULL,0,stats_handle,fpr,fpr_len,options); ++ return import_keys_internal (inp, NULL, 0, stats_handle, fpr, fpr_len, ++ options, filter, filter_arg); + } + ++ + static int +-import( IOBUF inp, const char* fname,struct stats_s *stats, +- unsigned char **fpr,size_t *fpr_len,unsigned int options ) ++import (IOBUF inp, const char* fname,struct stats_s *stats, ++ unsigned char **fpr, size_t *fpr_len, unsigned int options, ++ import_filter_t filter, void *filter_arg) + { + PACKET *pending_pkt = NULL; +- KBNODE keyblock = NULL; /* Need to initialize because gcc can't +- grasp the return semantics of +- read_block. 
*/ ++ KBNODE keyblock = NULL; + int rc = 0; + + getkey_disable_caches(); +@@ -256,9 +265,11 @@ + + while( !(rc = read_block( inp, &pending_pkt, &keyblock) )) { + if( keyblock->pkt->pkttype == PKT_PUBLIC_KEY ) +- rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0); +- else if( keyblock->pkt->pkttype == PKT_SECRET_KEY ) +- rc = import_secret_one( fname, keyblock, stats, options ); ++ rc = import_one (fname, keyblock, stats, fpr, fpr_len, options, 0, ++ filter, filter_arg); ++ else if( keyblock->pkt->pkttype == PKT_SECRET_KEY ) ++ rc = import_secret_one (fname, keyblock, stats, options, ++ filter, filter_arg); + else if( keyblock->pkt->pkttype == PKT_SIGNATURE + && keyblock->pkt->pkt.signature->sig_class == 0x20 ) + rc = import_revoke_cert( fname, keyblock, stats ); +@@ -634,7 +645,7 @@ + KBNODE node; + PKT_public_key *pk; + int problem=0; +- ++ + merge_keys_and_selfsig(keyblock); + pk=keyblock->pkt->pkt.public_key; + +@@ -659,9 +670,9 @@ + { + if (openpgp_cipher_test_algo (prefs->value)) + { +- const char *algo = ++ const char *algo = + (openpgp_cipher_test_algo (prefs->value) +- ? num ++ ? num + : openpgp_cipher_algo_name (prefs->value)); + if(!problem) + check_prefs_warning(pk); +@@ -676,7 +687,7 @@ + { + const char *algo = + (gcry_md_test_algo (prefs->value) +- ? num ++ ? 
num + : gcry_md_algo_name (prefs->value)); + if(!problem) + check_prefs_warning(pk); +@@ -745,7 +756,7 @@ + static int + import_one( const char *fname, KBNODE keyblock, struct stats_s *stats, + unsigned char **fpr,size_t *fpr_len,unsigned int options, +- int from_sk ) ++ int from_sk, import_filter_t filter, void *filter_arg) + { + PKT_public_key *pk; + PKT_public_key *pk_orig; +@@ -787,7 +798,14 @@ + log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); + return 0; + } +- ++ ++ if (filter && filter (pk, NULL, filter_arg)) ++ { ++ log_error (_("key %s: %s\n"), keystr_from_pk(pk), ++ _("rejected by import filter")); ++ return 0; ++ } ++ + if (opt.interactive) { + if(is_status_enabled()) + print_import_check (pk, uidnode->pkt->pkt.user_id); +@@ -924,7 +942,7 @@ + size_t an; + + fingerprint_from_pk (pk_orig, afp, &an); +- while (an < MAX_FINGERPRINT_LEN) ++ while (an < MAX_FINGERPRINT_LEN) + afp[an++] = 0; + rc = keydb_search_fpr (hd, afp); + } +@@ -948,7 +966,7 @@ + n_sigs_cleaned = fix_bad_direct_key_sigs (keyblock_orig, keyid); + if (n_sigs_cleaned) + commit_kbnode (&keyblock_orig); +- ++ + /* and try to merge the block */ + clear_kbnode_flags( keyblock_orig ); + clear_kbnode_flags( keyblock ); +@@ -1018,14 +1036,14 @@ + stats->n_sigs_cleaned +=n_sigs_cleaned; + stats->n_uids_cleaned +=n_uids_cleaned; + +- if (is_status_enabled ()) ++ if (is_status_enabled ()) + print_import_ok (pk, NULL, + ((n_uids?2:0)|(n_sigs?4:0)|(n_subk?8:0))); + } + else + { + same_key = 1; +- if (is_status_enabled ()) ++ if (is_status_enabled ()) + print_import_ok (pk, NULL, 0); + + if( !opt.quiet ) +@@ -1165,15 +1183,16 @@ + * with the trust calculation. 
+ */ + static int +-import_secret_one( const char *fname, KBNODE keyblock, +- struct stats_s *stats, unsigned int options) ++import_secret_one (const char *fname, KBNODE keyblock, ++ struct stats_s *stats, unsigned int options, ++ import_filter_t filter, void *filter_arg) + { + PKT_secret_key *sk; + KBNODE node, uidnode; + u32 keyid[2]; + int rc = 0; + +- /* get the key and print some info about it */ ++ /* Get the key and print some info about it. */ + node = find_kbnode( keyblock, PKT_SECRET_KEY ); + if( !node ) + BUG(); +@@ -1182,6 +1201,12 @@ + keyid_from_sk( sk, keyid ); + uidnode = find_next_kbnode( keyblock, PKT_USER_ID ); + ++ if (filter && filter (NULL, sk, filter_arg)) { ++ log_error (_("secret key %s: %s\n"), keystr_from_sk(sk), ++ _("rejected by import filter")); ++ return 0; ++ } ++ + if( opt.verbose ) + { + log_info( "sec %4u%c/%s %s ", +@@ -1217,8 +1242,8 @@ + log_error (_("importing secret keys not allowed\n")); + return 0; + } +-#endif +- ++#endif ++ + clear_kbnode_flags( keyblock ); + + /* do we have this key already in one of our secrings ? 
*/ +@@ -1244,7 +1269,7 @@ + if( !opt.quiet ) + log_info( _("key %s: secret key imported\n"), keystr_from_sk(sk)); + stats->secret_imported++; +- if (is_status_enabled ()) ++ if (is_status_enabled ()) + print_import_ok (NULL, sk, 1|16); + + if(options&IMPORT_SK2PK) +@@ -1254,8 +1279,9 @@ + KBNODE pub_keyblock=sec_to_pub_keyblock(keyblock); + if(pub_keyblock) + { +- import_one(fname,pub_keyblock,stats, +- NULL,NULL,opt.import_options,1); ++ import_one (fname, pub_keyblock, stats, ++ NULL, NULL, opt.import_options, 1, ++ NULL, NULL); + release_kbnode(pub_keyblock); + } + } +@@ -1275,7 +1301,7 @@ + log_error( _("key %s: already in secret keyring\n"), + keystr_from_sk(sk)); + stats->secret_dups++; +- if (is_status_enabled ()) ++ if (is_status_enabled ()) + print_import_ok (NULL, sk, 16); + + /* TODO: if we ever do merge secret keys, make sure to handle +@@ -1331,9 +1357,9 @@ + { + byte afp[MAX_FINGERPRINT_LEN]; + size_t an; +- ++ + fingerprint_from_pk (pk, afp, &an); +- while (an < MAX_FINGERPRINT_LEN) ++ while (an < MAX_FINGERPRINT_LEN) + afp[an++] = 0; + rc = keydb_search_fpr (hd, afp); + } +@@ -1429,11 +1455,11 @@ + int rc; + u32 bsdate=0,rsdate=0; + KBNODE bsnode = NULL, rsnode = NULL; +- ++ + (void)fname; + (void)pk; + +- for (n=keyblock; (n = find_next_kbnode (n, 0)); ) ++ for (n=keyblock; (n = find_next_kbnode (n, 0)); ) + { + if (n->pkt->pkttype == PKT_PUBLIC_SUBKEY) + { +@@ -1447,7 +1473,7 @@ + + if ( n->pkt->pkttype != PKT_SIGNATURE ) + continue; +- ++ + sig = n->pkt->pkt.signature; + if ( keyid[0] != sig->keyid[0] || keyid[1] != sig->keyid[1] ) + { +@@ -1459,7 +1485,7 @@ + import a fully-cached key which speeds things up. */ + if (!opt.no_sig_cache) + check_key_signature (keyblock, n, NULL); +- ++ + if ( IS_UID_SIG(sig) || IS_UID_REV(sig) ) + { + KBNODE unode = find_prev_kbnode( keyblock, n, PKT_USER_ID ); +@@ -1469,16 +1495,16 @@ + keystr(keyid)); + return -1; /* The complete keyblock is invalid. 
*/ + } +- ++ + /* If it hasn't been marked valid yet, keep trying. */ +- if (!(unode->flag&1)) ++ if (!(unode->flag&1)) + { + rc = check_key_signature (keyblock, n, NULL); + if ( rc ) + { + if ( opt.verbose ) + { +- char *p = utf8_to_native ++ char *p = utf8_to_native + (unode->pkt->pkt.user_id->name, + strlen (unode->pkt->pkt.user_id->name),0); + log_info (gpg_err_code(rc) == G10ERR_PUBKEY_ALGO ? +@@ -1507,7 +1533,7 @@ + n->flag |= 4; + } + } +- else if ( IS_SUBKEY_SIG (sig) ) ++ else if ( IS_SUBKEY_SIG (sig) ) + { + /* Note that this works based solely on the timestamps like + the rest of gpg. If the standard gets revocation +@@ -1536,19 +1562,19 @@ + else + { + /* It's valid, so is it newer? */ +- if (sig->timestamp >= bsdate) ++ if (sig->timestamp >= bsdate) + { + knode->flag |= 1; /* The subkey is valid. */ + if (bsnode) + { + /* Delete the last binding sig since this + one is newer */ +- bsnode->flag |= 4; ++ bsnode->flag |= 4; + if (opt.verbose) + log_info (_("key %s: removed multiple subkey" + " binding\n"),keystr(keyid)); + } +- ++ + bsnode = n; + bsdate = sig->timestamp; + } +@@ -1593,12 +1619,12 @@ + { + /* Delete the last revocation sig since + this one is newer. */ +- rsnode->flag |= 4; ++ rsnode->flag |= 4; + if (opt.verbose) + log_info (_("key %s: removed multiple subkey" + " revocation\n"),keystr(keyid)); + } +- ++ + rsnode = n; + rsdate = sig->timestamp; + } +@@ -2339,35 +2365,35 @@ + PACKET *pkt = xmalloc_clear (sizeof *pkt); + PKT_secret_key *sk = xmalloc_clear (sizeof *sk); + int i, n; +- ++ + if (pubnode->pkt->pkttype == PKT_PUBLIC_KEY) + pkt->pkttype = PKT_SECRET_KEY; + else + pkt->pkttype = PKT_SECRET_SUBKEY; +- ++ + pkt->pkt.secret_key = sk; + + copy_public_parts_to_secret_key ( pk, sk ); + sk->version = pk->version; + sk->timestamp = pk->timestamp; +- ++ + n = pubkey_get_npkey (pk->pubkey_algo); + if (!n) + n = 1; /* Unknown number of parameters, however the data + is stored in the first mpi. 
*/ + for (i=0; i < n; i++ ) + sk->skey[i] = mpi_copy (pk->pkey[i]); +- ++ + sk->is_protected = 1; + sk->protect.s2k.mode = 1001; +- ++ + secnode = new_kbnode (pkt); + } + else + { + secnode = clone_kbnode (pubnode); + } +- ++ + if(!sec_keyblock) + sec_keyblock = secnode; + else +@@ -2381,12 +2407,12 @@ + /* Walk over the secret keyring SEC_KEYBLOCK and update any simple + stub keys with the serial number SNNUM of the card if one of the + fingerprints FPR1, FPR2 or FPR3 match. Print a note if the key is +- a duplicate (may happen in case of backed uped keys). +- ++ a duplicate (may happen in case of backed uped keys). ++ + Returns: True if anything changed. + */ + static int +-update_sec_keyblock_with_cardinfo (KBNODE sec_keyblock, ++update_sec_keyblock_with_cardinfo (KBNODE sec_keyblock, + const unsigned char *fpr1, + const unsigned char *fpr2, + const unsigned char *fpr3, +@@ -2406,7 +2432,7 @@ + && node->pkt->pkttype != PKT_SECRET_SUBKEY) + continue; + sk = node->pkt->pkt.secret_key; +- ++ + fingerprint_from_sk (sk, array, &n); + if (n != 20) + continue; /* Can't be a card key. */ +@@ -2456,7 +2482,7 @@ + exists, add appropriate subkey stubs and update the secring. + Return 0 if the key could be created. */ + int +-auto_create_card_key_stub ( const char *serialnostr, ++auto_create_card_key_stub ( const char *serialnostr, + const unsigned char *fpr1, + const unsigned char *fpr2, + const unsigned char *fpr3) +@@ -2467,7 +2493,7 @@ + int rc; + + /* We only want to do this for an OpenPGP card. */ +- if (!serialnostr || strncmp (serialnostr, "D27600012401", 12) ++ if (!serialnostr || strncmp (serialnostr, "D27600012401", 12) + || strlen (serialnostr) != 32 ) + return G10ERR_GENERAL; + +@@ -2478,7 +2504,7 @@ + ; + else + return G10ERR_GENERAL; +- ++ + hd = keydb_new (1); + + /* Now check whether there is a secret keyring. */ +@@ -2504,7 +2530,7 @@ + else + { + merge_keys_and_selfsig (sec_keyblock); +- ++ + /* FIXME: We need to add new subkeys first. 
*/ + if (update_sec_keyblock_with_cardinfo (sec_keyblock, + fpr1, fpr2, fpr3, +@@ -2538,7 +2564,7 @@ + keydb_get_resource_name (hd), g10_errstr(rc) ); + } + } +- ++ + release_kbnode (sec_keyblock); + release_kbnode (pub_keyblock); + keydb_release (hd); +Index: gnupg2-2.0.17/g10/keyserver.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/keyserver.c 2015-03-25 16:26:21.244166566 -0400 ++++ gnupg2-2.0.17/g10/keyserver.c 2015-03-25 16:29:59.778115801 -0400 +@@ -974,10 +974,55 @@ + #define KEYSERVER_ARGS_KEEP " -o \"%O\" \"%I\"" + #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\"" + ++ ++/* Check whether a key matches the search description. The filter ++ returns 0 if the key shall be imported. Note that this kind of ++ filter is not related to the iobuf filters. */ + static int +-keyserver_spawn(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc, +- int count,int *prog,unsigned char **fpr,size_t *fpr_len, +- struct keyserver_spec *keyserver) ++keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk, void *arg) ++{ ++ KEYDB_SEARCH_DESC *desc = arg; ++ u32 keyid[2]; ++ byte fpr[MAX_FINGERPRINT_LEN]; ++ size_t fpr_len = 0; ++ ++ /* Secret keys are not expected from a keyserver. Do not import. */ ++ if (sk) ++ return G10ERR_GENERAL; ++ ++ fingerprint_from_pk (pk, fpr, &fpr_len); ++ keyid_from_pk (pk, keyid); ++ ++ /* Compare requested and returned fingerprints if available. 
*/ ++ if (desc->mode == KEYDB_SEARCH_MODE_FPR20) ++ { ++ if (fpr_len != 20 || memcmp (fpr, desc->u.fpr, 20)) ++ return G10ERR_GENERAL; ++ } ++ else if (desc->mode == KEYDB_SEARCH_MODE_FPR16) ++ { ++ if (fpr_len != 16 || memcmp (fpr, desc->u.fpr, 16)) ++ return G10ERR_GENERAL; ++ } ++ else if (desc->mode == KEYDB_SEARCH_MODE_LONG_KID) ++ { ++ if (keyid[0] != desc->u.kid[0] || keyid[1] != desc->u.kid[1]) ++ return G10ERR_GENERAL; ++ } ++ else if (desc->mode == KEYDB_SEARCH_MODE_SHORT_KID) ++ { ++ if (keyid[1] != desc->u.kid[1]) ++ return G10ERR_GENERAL; ++ } ++ ++ return 0; ++} ++ ++ ++static int ++keyserver_spawn (enum ks_action action, strlist_t list, KEYDB_SEARCH_DESC *desc, ++ int count, int *prog, unsigned char **fpr, size_t *fpr_len, ++ struct keyserver_spec *keyserver) + { + int ret=0,i,gotversion=0,outofband=0; + strlist_t temp; +@@ -1494,7 +1539,8 @@ + line-by-line and make a temp iobuf for each key. */ + + import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len, +- opt.keyserver_options.import_options); ++ opt.keyserver_options.import_options, ++ keyserver_retrieval_filter, desc); + + import_print_stats(stats_handle); + import_release_stats_handle(stats_handle); +@@ -1526,11 +1572,12 @@ + } + + static int +-keyserver_work(enum ks_action action,strlist_t list,KEYDB_SEARCH_DESC *desc, +- int count,unsigned char **fpr,size_t *fpr_len, +- struct keyserver_spec *keyserver) ++keyserver_work (enum ks_action action, strlist_t list, KEYDB_SEARCH_DESC *desc, ++ int count, unsigned char **fpr, size_t *fpr_len, ++ struct keyserver_spec *keyserver) + { +- int rc=0,ret=0; ++ int rc = 0; ++ int ret = 0; + + if(!keyserver) + { +@@ -1665,6 +1712,7 @@ + return rc; + } + ++ + int + keyserver_import_fprint(const byte *fprint,size_t fprint_len, + struct keyserver_spec *keyserver) +@@ -1701,11 +1749,14 @@ + return keyserver_work(KS_GET,NULL,&desc,1,NULL,NULL,keyserver); + } + +-/* code mostly stolen from do_export_stream */ ++ ++/* Code mostly stolen from do_export_stream 
*/ + static int + keyidlist(strlist_t users,KEYDB_SEARCH_DESC **klist,int *count,int fakev3) + { +- int rc=0,ndesc,num=100; ++ int rc = 0; ++ int num = 100; ++ int ndesc; + KBNODE keyblock=NULL,node; + KEYDB_HANDLE kdbhd; + KEYDB_SEARCH_DESC *desc; +@@ -1858,6 +1909,7 @@ + /* Note this is different than the original HKP refresh. It allows + usernames to refresh only part of the keyring. */ + ++ + int + keyserver_refresh(strlist_t users) + { +@@ -2033,7 +2085,7 @@ + opt.no_armor=1; + + rc=import_keys_stream(key,NULL,fpr,fpr_len, +- opt.keyserver_options.import_options); ++ opt.keyserver_options.import_options, NULL, NULL); + + opt.no_armor=armor_status; + +Index: gnupg2-2.0.17/g10/main.h +=================================================================== +--- gnupg2-2.0.17.orig/g10/main.h 2015-03-25 16:26:21.244166566 -0400 ++++ gnupg2-2.0.17/g10/main.h 2015-03-25 16:26:21.244166566 -0400 +@@ -255,11 +255,16 @@ + gcry_md_hd_t md, int hash_algo ); + + /*-- import.c --*/ ++ ++typedef int (*import_filter_t)(PKT_public_key *pk, PKT_secret_key *sk, ++ void *arg); ++ + int parse_import_options(char *str,unsigned int *options,int noisy); + void import_keys( char **fnames, int nnames, + void *stats_hd, unsigned int options ); +-int import_keys_stream( iobuf_t inp,void *stats_hd,unsigned char **fpr, +- size_t *fpr_len,unsigned int options ); ++int import_keys_stream (iobuf_t inp, void *stats_hd, unsigned char **fpr, ++ size_t *fpr_len, unsigned int options, ++ import_filter_t filter, void *filter_arg); + void *import_new_stats_handle (void); + void import_release_stats_handle (void *p); + void import_print_stats (void *hd); diff -Nru gnupg2-2.0.17/debian/patches/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch gnupg2-2.0.17/debian/patches/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch --- gnupg2-2.0.17/debian/patches/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
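Review bot: `keyserver_retrieval_filter`, added in the g10/keyserver.c part of this patch, accepts by default: any `desc->mode` other than the four fingerprint and key ID modes falls through to the final `return 0`, so a response to any other kind of request is imported unscreened, and `KEYDB_SEARCH_MODE_SHORT_KID` compares only `keyid[1]`, a single `u32`. The header comment should state that limit, for example `/* Only fingerprint and key ID requests are screened; other search modes are accepted as is, and a short key ID match binds only 32 bits. */`. The follow-up 0002 patch on this page keeps the same accept-by-default branch (`else return 0;`). Separately, the `import_keys_stream` call after `opt.no_armor=1` passes `NULL, NULL`, so that retrieval path appears to stay unfiltered; its enclosing function lies outside the hunk, so this should be confirmed against the full file.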
gnupg2-2.0.17/debian/patches/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch 2015-03-25 20:32:03.000000000 +0000 
@@ -0,0 +1,135 @@ +From 044847a0e2013a2833605c1a9f80cfa6ef353309 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Wed, 25 Jun 2014 14:33:34 +0200 +Subject: [PATCH] gpg: Make screening of keyserver result work with multi-key + commands. + +* g10/keyserver.c (ks_retrieval_filter_arg_s): new. +(keyserver_retrieval_filter): Use new struct and check all +descriptions. +(keyserver_spawn): Pass filter arg suing the new struct. +-- + +This is a fix for commit 5e933008. + +The old code did only work for a single key. It failed as soon as +several keys are specified ("gpg --refresh-keys" or "gpg --recv-key A +B C"). +--- + g10/keyserver.c | 68 ++++++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 45 insertions(+), 23 deletions(-) + +Index: gnupg2-2.0.17/g10/keyserver.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/keyserver.c 2015-03-25 16:30:28.426371195 -0400 ++++ gnupg2-2.0.17/g10/keyserver.c 2015-03-25 16:31:55.519147417 -0400 +@@ -975,13 +975,25 @@ + #define KEYSERVER_ARGS_NOKEEP " -o \"%o\" \"%i\"" + + ++/* Structure to convey the arg to keyserver_retrieval_filter. */ ++struct ks_retrieval_filter_arg_s ++{ ++ KEYDB_SEARCH_DESC *desc; ++ int ndesc; ++}; ++ ++ + /* Check whether a key matches the search description. The filter + returns 0 if the key shall be imported. Note that this kind of + filter is not related to the iobuf filters. */ + static int +-keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk, void *arg) ++keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk, ++ void *opaque) + { +- KEYDB_SEARCH_DESC *desc = arg; ++ struct ks_retrieval_filter_arg_s *arg = opaque; ++ KEYDB_SEARCH_DESC *desc = arg->desc; ++ int ndesc = arg->ndesc; ++ int n; + u32 keyid[2]; + byte fpr[MAX_FINGERPRINT_LEN]; + size_t fpr_len = 0; +@@ -990,32 +1002,40 @@ + if (sk) + return G10ERR_GENERAL; + ++ if (!ndesc) ++ return 0; /* Okay if no description given. 
*/ ++ + fingerprint_from_pk (pk, fpr, &fpr_len); + keyid_from_pk (pk, keyid); + + /* Compare requested and returned fingerprints if available. */ +- if (desc->mode == KEYDB_SEARCH_MODE_FPR20) +- { +- if (fpr_len != 20 || memcmp (fpr, desc->u.fpr, 20)) +- return G10ERR_GENERAL; +- } +- else if (desc->mode == KEYDB_SEARCH_MODE_FPR16) ++ for (n = 0; n < ndesc; n++) + { +- if (fpr_len != 16 || memcmp (fpr, desc->u.fpr, 16)) +- return G10ERR_GENERAL; +- } +- else if (desc->mode == KEYDB_SEARCH_MODE_LONG_KID) +- { +- if (keyid[0] != desc->u.kid[0] || keyid[1] != desc->u.kid[1]) +- return G10ERR_GENERAL; +- } +- else if (desc->mode == KEYDB_SEARCH_MODE_SHORT_KID) +- { +- if (keyid[1] != desc->u.kid[1]) +- return G10ERR_GENERAL; ++ if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20) ++ { ++ if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20)) ++ return 0; ++ } ++ else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16) ++ { ++ if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16)) ++ return 0; ++ } ++ else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID) ++ { ++ if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1]) ++ return 0; ++ } ++ else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID) ++ { ++ if (keyid[1] == desc[n].u.kid[1]) ++ return 0; ++ } ++ else ++ return 0; + } + +- return 0; ++ return G10ERR_GENERAL; + } + + +@@ -1528,6 +1548,7 @@ + case KS_GETNAME: + { + void *stats_handle; ++ struct ks_retrieval_filter_arg_s filterarg; + + stats_handle=import_new_stats_handle(); + +@@ -1537,10 +1558,11 @@ + gpg complain about "no valid OpenPGP data found". One + way to do this could be to continue parsing this + line-by-line and make a temp iobuf for each key. 
*/ +- ++ filterarg.desc = desc; ++ filterarg.ndesc = count; + import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len, + opt.keyserver_options.import_options, +- keyserver_retrieval_filter, desc); ++ keyserver_retrieval_filter, &filterarg); + + import_print_stats(stats_handle); + import_release_stats_handle(stats_handle); diff -Nru gnupg2-2.0.17/debian/patches/0003-Add-kbnode_t-for-easier-backporting.patch gnupg2-2.0.17/debian/patches/0003-Add-kbnode_t-for-easier-backporting.patch --- gnupg2-2.0.17/debian/patches/0003-Add-kbnode_t-for-easier-backporting.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/0003-Add-kbnode_t-for-easier-backporting.patch 2015-03-25 20:32:19.000000000 +0000 @@ -0,0 +1,25 @@ +From 25d5480e98068f6dd15c70c9e58236c77037535d Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Wed, 6 Aug 2014 17:09:15 +0200 +Subject: [PATCH] gpg: Add kbnode_t for easier backporting. + +* g10/gpg.h (kbnode_t): New. +--- + g10/gpg.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/g10/gpg.h b/g10/gpg.h +index 7049656..9cd84bb 100644 +--- a/g10/gpg.h ++++ b/g10/gpg.h +@@ -50,6 +50,7 @@ struct server_local_s; + + /* Object used to describe a keyblok node. */ + typedef struct kbnode_struct *KBNODE; ++typedef struct kbnode_struct *kbnode_t; + /* Object used for looking ob keys. */ + typedef struct keydb_search_desc KEYDB_SEARCH_DESC; + +-- +2.1.4 + diff -Nru gnupg2-2.0.17/debian/patches/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch gnupg2-2.0.17/debian/patches/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch --- gnupg2-2.0.17/debian/patches/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch 2015-03-25 20:34:40.000000000 +0000 
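Review bot: In `keyserver_retrieval_filter` the `KEYDB_SEARCH_MODE_SHORT_KID` branch accepts a key when `keyid[1]` alone matches, which is a 32-bit comparison, so screening for requests made by short key ID is much weaker than for the fingerprint modes, and nothing in the function says so. I would add a comment on that branch such as `/* Short key IDs are only 32 bits and can collide; weak check. */`. The bare `else return 0;` that closes the chain also needs a comment: a single descriptor of any other mode makes the filter accept every key returned for the whole request, not only the key that descriptor asked for.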
@@ -0,0 +1,157 @@ +From 088f82c0b5e39687f70e44d3ab719854e808eeb6 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Wed, 6 Aug 2014 17:11:21 +0200 +Subject: [PATCH] gpg: Fix regression due to the keyserver import filter. + +* g10/keyserver.c (keyserver_retrieval_filter): Change args. Rewrite +to take subpakets in account. +* g10/import.c (import_one, import_secret_one): Pass keyblock to +filter. +-- + +GnuPG-bug-id: 1680 +--- + g10/import.c | 4 +-- + g10/keyserver.c | 76 ++++++++++++++++++++++++++++++++++----------------------- + g10/main.h | 3 +-- + 3 files changed, 49 insertions(+), 34 deletions(-) + +Index: gnupg2-2.0.17/g10/import.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/import.c 2015-03-25 16:32:28.911444953 -0400 ++++ gnupg2-2.0.17/g10/import.c 2015-03-25 16:32:28.907444918 -0400 +@@ -799,7 +799,7 @@ + return 0; + } + +- if (filter && filter (pk, NULL, filter_arg)) ++ if (filter && filter (keyblock, filter_arg)) + { + log_error (_("key %s: %s\n"), keystr_from_pk(pk), + _("rejected by import filter")); +@@ -1201,7 +1201,7 @@ + keyid_from_sk( sk, keyid ); + uidnode = find_next_kbnode( keyblock, PKT_USER_ID ); + +- if (filter && filter (NULL, sk, filter_arg)) { ++ if (filter && filter (keyblock, filter_arg)) { + log_error (_("secret key %s: %s\n"), keystr_from_sk(sk), + _("rejected by import filter")); + return 0; +Index: gnupg2-2.0.17/g10/keyserver.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/keyserver.c 2015-03-25 16:32:28.911444953 -0400 ++++ gnupg2-2.0.17/g10/keyserver.c 2015-03-25 16:34:32.968549987 -0400 +@@ -987,52 +987,68 @@ + returns 0 if the key shall be imported. Note that this kind of + filter is not related to the iobuf filters. 
*/ + static int +-keyserver_retrieval_filter (PKT_public_key *pk, PKT_secret_key *sk, +- void *opaque) ++keyserver_retrieval_filter (kbnode_t keyblock, void *opaque) + { + struct ks_retrieval_filter_arg_s *arg = opaque; + KEYDB_SEARCH_DESC *desc = arg->desc; + int ndesc = arg->ndesc; ++ kbnode_t node; ++ PKT_public_key *pk; + int n; + u32 keyid[2]; + byte fpr[MAX_FINGERPRINT_LEN]; + size_t fpr_len = 0; + +- /* Secret keys are not expected from a keyserver. Do not import. */ +- if (sk) +- return G10ERR_GENERAL; ++ /* Secret keys are not expected from a keyserver. We do not ++ care about secret subkeys because the import code takes care ++ of skipping them. Not allowing an import of a public key ++ with a secret subkey would make it too easy to inhibit the ++ downloading of a public key. Recall that keyservers do only ++ limited checks. */ ++ node = find_kbnode (keyblock, PKT_SECRET_KEY); ++ if (node) ++ return G10ERR_GENERAL; /* Do not import. */ + + if (!ndesc) + return 0; /* Okay if no description given. */ + +- fingerprint_from_pk (pk, fpr, &fpr_len); +- keyid_from_pk (pk, keyid); +- +- /* Compare requested and returned fingerprints if available. */ +- for (n = 0; n < ndesc; n++) ++ /* Loop over all key packets. 
*/ ++ for (node = keyblock; node; node = node->next) + { +- if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20) +- { +- if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20)) +- return 0; +- } +- else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16) +- { +- if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16)) +- return 0; +- } +- else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID) +- { +- if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1]) +- return 0; +- } +- else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID) ++ if (node->pkt->pkttype != PKT_PUBLIC_KEY ++ && node->pkt->pkttype != PKT_PUBLIC_SUBKEY) ++ continue; ++ ++ pk = node->pkt->pkt.public_key; ++ fingerprint_from_pk (pk, fpr, &fpr_len); ++ keyid_from_pk (pk, keyid); ++ ++ /* Compare requested and returned fingerprints if available. */ ++ for (n = 0; n < ndesc; n++) + { +- if (keyid[1] == desc[n].u.kid[1]) +- return 0; ++ if (desc[n].mode == KEYDB_SEARCH_MODE_FPR20) ++ { ++ if (fpr_len == 20 && !memcmp (fpr, desc[n].u.fpr, 20)) ++ return 0; ++ } ++ else if (desc[n].mode == KEYDB_SEARCH_MODE_FPR16) ++ { ++ if (fpr_len == 16 && !memcmp (fpr, desc[n].u.fpr, 16)) ++ return 0; ++ } ++ else if (desc[n].mode == KEYDB_SEARCH_MODE_LONG_KID) ++ { ++ if (keyid[0] == desc[n].u.kid[0] && keyid[1] == desc[n].u.kid[1]) ++ return 0; ++ } ++ else if (desc[n].mode == KEYDB_SEARCH_MODE_SHORT_KID) ++ { ++ if (keyid[1] == desc[n].u.kid[1]) ++ return 0; ++ } ++ else /* No keyid or fingerprint - can't check. */ ++ return 0; /* allow import. 
*/ + } +- else +- return 0; + } + + return G10ERR_GENERAL; +Index: gnupg2-2.0.17/g10/main.h +=================================================================== +--- gnupg2-2.0.17.orig/g10/main.h 2015-03-25 16:32:28.911444953 -0400 ++++ gnupg2-2.0.17/g10/main.h 2015-03-25 16:32:28.907444918 -0400 +@@ -256,8 +256,7 @@ + + /*-- import.c --*/ + +-typedef int (*import_filter_t)(PKT_public_key *pk, PKT_secret_key *sk, +- void *arg); ++typedef int (*import_filter_t)(kbnode_t keyblock, void *arg); + + int parse_import_options(char *str,unsigned int *options,int noisy); + void import_keys( char **fnames, int nnames, diff -Nru gnupg2-2.0.17/debian/patches/Add-build-and-runtime-support-for-larger-RSA-key.patch gnupg2-2.0.17/debian/patches/Add-build-and-runtime-support-for-larger-RSA-key.patch --- gnupg2-2.0.17/debian/patches/Add-build-and-runtime-support-for-larger-RSA-key.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/Add-build-and-runtime-support-for-larger-RSA-key.patch 2015-03-27 12:19:57.000000000 +0000 
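Review bot: After this rewrite `keyserver_retrieval_filter` accepts the whole keyblock as soon as any `PKT_PUBLIC_KEY` or `PKT_PUBLIC_SUBKEY` node matches one descriptor, and the `g10/import.c` hunks do not show whether self-signatures and subkey bindings have been checked before `filter (keyblock, filter_arg)` is called. If they have not, a subkey match only shows that a packet with that key ID or fingerprint is present in the response, not that it belongs to the primary key. The function comment should state this, for example `/* Note: subkeys are matched before their binding signatures are verified - TODO confirm against import_one. */`. The function's closing brace is outside the hunk.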
@@ -0,0 +1,160 @@ +From f952fe8c6ddf13ecca14ca72a27d1f8da6adc901 Mon Sep 17 00:00:00 2001 +From: Daniel Kahn Gillmor +Date: Fri, 3 Oct 2014 13:59:34 -0400 +Subject: [PATCH] gpg: Add build and runtime support for larger RSA keys + +* configure.ac: Added --enable-large-secmem option. +* g10/options.h: Add opt.flags.large_rsa. +* g10/gpg.c: Contingent on configure option: adjust secmem size, +add gpg --enable-large-rsa, bound to opt.flags.large_rsa. +* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa +* doc/gpg.texi: Document --enable-large-rsa. + +-- + +This is a cherry-pick of 534e2876acc05f9f8d9b54c18511fe768d77dfb5 from +STABLE-BRANCH-1-4 against STABLE-BRANCH-2-0 + +Some older implementations built and used RSA keys up to 16Kib, but +the larger secret keys now fail when used by more recent GnuPG, due to +secure memory limitations. + +Building with ./configure --enable-large-secmem will make gpg +capable of working with those secret keys, as well as permitting the +use of a new gpg option --enable-large-rsa, which let gpg generate RSA +keys up to 8Kib when used with --batch --gen-key. + +Debian-bug-id: 739424 + +Minor edits by wk. 
+ +GnuPG-bug-id: 1732 +--- + configure.ac | 17 +++++++++++++++++ + doc/gpg.texi | 9 +++++++++ + g10/gpg.c | 22 +++++++++++++++++++++- + g10/keygen.c | 5 +++-- + g10/options.h | 1 + + 5 files changed, 51 insertions(+), 3 deletions(-) + +Index: gnupg2-2.0.17/configure.ac +=================================================================== +--- gnupg2-2.0.17.orig/configure.ac 2015-03-25 16:34:55.164747639 -0400 ++++ gnupg2-2.0.17/configure.ac 2015-03-25 16:34:55.160747604 -0400 +@@ -79,6 +79,7 @@ + disable_keyserver_path=no + use_ccid_driver=yes + use_standard_socket=no ++large_secmem=no + + GNUPG_BUILD_PROGRAM(gpg, yes) + GNUPG_BUILD_PROGRAM(gpgsm, yes) +@@ -171,6 +172,22 @@ + selinux_support=$enableval, selinux_support=no) + AC_MSG_RESULT($selinux_support) + ++ ++AC_MSG_CHECKING([whether to allocate extra secure memory]) ++AC_ARG_ENABLE(large-secmem, ++ AC_HELP_STRING([--enable-large-secmem], ++ [allocate extra secure memory]), ++ large_secmem=$enableval, large_secmem=no) ++AC_MSG_RESULT($large_secmem) ++if test "$large_secmem" = yes ; then ++ SECMEM_BUFFER_SIZE=65536 ++else ++ SECMEM_BUFFER_SIZE=32768 ++fi ++AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE, ++ [Size of secure memory buffer]) ++ ++ + # Allow disabling of bzib2 support. + # It is defined only after we confirm the library is available later + AC_MSG_CHECKING([whether to enable the BZIP2 compression algorithm]) +Index: gnupg2-2.0.17/doc/gpg.texi +=================================================================== +--- gnupg2-2.0.17.orig/doc/gpg.texi 2015-03-25 16:34:55.164747639 -0400 ++++ gnupg2-2.0.17/doc/gpg.texi 2015-03-25 16:34:55.160747604 -0400 +@@ -1129,6 +1129,15 @@ + validation. This option is only meaningful if pka-lookups is set. + @end table + ++@item --enable-large-rsa ++@itemx --disable-large-rsa ++@opindex enable-large-rsa ++@opindex disable-large-rsa ++With --gen-key and --batch, enable the creation of larger RSA secret ++keys than is generally recommended (up to 8192 bits). 
These large ++keys are more expensive to use, and their signatures and ++certifications are also larger. ++ + @item --enable-dsa2 + @itemx --disable-dsa2 + Enable hash truncation for all DSA keys even for old DSA Keys up to +Index: gnupg2-2.0.17/g10/gpg.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/gpg.c 2015-03-25 16:34:55.164747639 -0400 ++++ gnupg2-2.0.17/g10/gpg.c 2015-03-25 16:35:29.297051547 -0400 +@@ -359,6 +359,8 @@ + oAutoKeyLocate, + oNoAutoKeyLocate, + oAllowMultisigVerification, ++ oEnableLargeRSA, ++ oDisableLargeRSA, + oEnableDSA2, + oDisableDSA2, + oAllowMultipleMessages, +@@ -734,6 +736,8 @@ + + ARGPARSE_s_n (oAllowMultisigVerification, + "allow-multisig-verification", "@"), ++ ARGPARSE_s_n (oEnableLargeRSA, "enable-large-rsa", "@"), ++ ARGPARSE_s_n (oDisableLargeRSA, "disable-large-rsa", "@"), + ARGPARSE_s_n (oEnableDSA2, "enable-dsa2", "@"), + ARGPARSE_s_n (oDisableDSA2, "disable-dsa2", "@"), + ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), +@@ -2050,7 +2054,7 @@ + #endif + + /* Initialize the secure memory. */ +- if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0)) ++ if (!gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0)) + got_secmem = 1; + #if defined(HAVE_GETUID) && defined(HAVE_GETEUID) + /* There should be no way to get to this spot while still carrying +@@ -2932,6 +2936,22 @@ + release_akl(); + break; + ++ case oEnableLargeRSA: ++#if SECMEM_BUFFER_SIZE >= 65536 ++ opt.flags.large_rsa=1; ++#else ++ if (configname) ++ log_info("%s:%d: WARNING: gpg not built with large secure " ++ "memory buffer. Ignoring enable-large-rsa\n", ++ configname,configlineno); ++ else ++ log_info("WARNING: gpg not built with large secure " ++ "memory buffer. 
Ignoring --enable-large-rsa\n"); ++#endif /* SECMEM_BUFFER_SIZE >= 65536 */ ++ break; ++ case oDisableLargeRSA: opt.flags.large_rsa=0; ++ break; ++ + case oEnableDSA2: opt.flags.dsa2=1; break; + case oDisableDSA2: opt.flags.dsa2=0; break; + +Index: gnupg2-2.0.17/g10/options.h +=================================================================== +--- gnupg2-2.0.17.orig/g10/options.h 2015-03-25 16:34:55.164747639 -0400 ++++ gnupg2-2.0.17/g10/options.h 2015-03-25 16:34:55.164747639 -0400 +@@ -227,6 +227,7 @@ + unsigned int utf8_filename:1; + unsigned int dsa2:1; + unsigned int allow_multiple_messages:1; ++ unsigned int large_rsa:1; + } flags; + + /* Linked list of ways to find a key if the key isn't on the local diff -Nru gnupg2-2.0.17/debian/patches/CVE-2012-6085.patch gnupg2-2.0.17/debian/patches/CVE-2012-6085.patch --- gnupg2-2.0.17/debian/patches/CVE-2012-6085.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/CVE-2012-6085.patch 2013-01-08 20:36:12.000000000 +0000 
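Review bot: The patch header and its diffstat list `g10/keygen.c` ("Adjust max RSA size based on opt.flags.large_rsa"), but this backport contains no `g10/keygen.c` section, so `opt.flags.large_rsa` is set in `g10/gpg.c` and, as far as this patch shows, never read. The added `doc/gpg.texi` text still promises RSA keys of up to 8192 bits with `--enable-large-rsa`. Unless keygen.c is changed elsewhere in the series, either carry that hunk or drop the option and its documentation, and state in the patch header which parts of the upstream commit were kept. As it stands, a build with the large buffer accepts the option silently with no visible effect.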
@@ -0,0 +1,64 @@ +From 498882296ffac7987c644aaf2a0aa108a2925471 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Thu, 20 Dec 2012 09:43:41 +0100 +Subject: [PATCH] gpg: Import only packets which are allowed in a keyblock. + +* g10/import.c (valid_keyblock_packet): New. +(read_block): Store only valid packets. +-- + +A corrupted key, which for example included a mangled public key +encrypted packet, used to corrupt the keyring. This change skips all +packets which are not allowed in a keyblock. + +GnuPG-bug-id: 1455 + +(cherry-picked from commit 3a4b96e665fa639772854058737ee3d54ba0694e) +--- + g10/import.c | 23 ++++++++++++++++++++++- + 1 files changed, 22 insertions(+), 1 deletions(-) + +diff --git a/g10/import.c b/g10/import.c +index ba2439d..ad112d6 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -347,6 +347,27 @@ import_print_stats (void *hd) + } + + ++/* Return true if PKTTYPE is valid in a keyblock. */ ++static int ++valid_keyblock_packet (int pkttype) ++{ ++ switch (pkttype) ++ { ++ case PKT_PUBLIC_KEY: ++ case PKT_PUBLIC_SUBKEY: ++ case PKT_SECRET_KEY: ++ case PKT_SECRET_SUBKEY: ++ case PKT_SIGNATURE: ++ case PKT_USER_ID: ++ case PKT_ATTRIBUTE: ++ case PKT_RING_TRUST: ++ return 1; ++ default: ++ return 0; ++ } ++} ++ ++ + /**************** + * Read the next keyblock from stream A. + * PENDING_PKT should be initialzed to NULL +@@ -424,7 +445,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root ) + } + in_cert = 1; + default: +- if( in_cert ) { ++ if (in_cert && valid_keyblock_packet (pkt->pkttype)) { + if( !root ) + root = new_kbnode( pkt ); + else +-- +1.7.2.5 + diff -Nru gnupg2-2.0.17/debian/patches/CVE-2013-4351.patch gnupg2-2.0.17/debian/patches/CVE-2013-4351.patch --- gnupg2-2.0.17/debian/patches/CVE-2013-4351.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/CVE-2013-4351.patch 2013-10-07 19:51:37.000000000 +0000 
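Review bot: In `read_block` a packet that fails `valid_keyblock_packet` is now dropped without any message. The code after the changed `if` is outside the hunk, so it is not visible whether the dropped packet's contents are released before `pkt` is reused. I would confirm that this path frees the packet, and add a verbose or debug log line so that a skipped packet in an imported key is visible to the user. The `in_cert = 1;` case just above appears to fall through into `default:` on purpose; a `/* fall through */` comment would make that explicit.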
@@ -0,0 +1,63 @@ +Description: fix incorrect no-usage-permitted flag handling +Origin: backported from GnuPG 2.0.22 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722724 + +Index: gnupg2-2.0.17/g10/getkey.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/getkey.c 2013-10-07 15:45:47.993157994 -0400 ++++ gnupg2-2.0.17/g10/getkey.c 2013-10-07 15:45:47.989157994 -0400 +@@ -1553,13 +1553,19 @@ + + if(flags) + key_usage |= PUBKEY_USAGE_UNKNOWN; ++ ++ if (!key_usage) ++ key_usage |= PUBKEY_USAGE_NONE; + } ++ else if (p) /* Key flags of length zero. */ ++ key_usage |= PUBKEY_USAGE_NONE; + + /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a + capability that we do not handle. This serves to distinguish + between a zero key usage which we handle as the default + capabilities for that algorithm, and a usage that we do not +- handle. */ ++ handle. Likewise we use PUBKEY_USAGE_NONE to indicate that ++ key_flags have been given but they do not specify any usage. */ + + return key_usage; + } +Index: gnupg2-2.0.17/g10/keygen.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/keygen.c 2013-10-07 15:45:47.993157994 -0400 ++++ gnupg2-2.0.17/g10/keygen.c 2013-10-07 15:45:47.989157994 -0400 +@@ -219,9 +219,6 @@ + if (use & PUBKEY_USAGE_AUTH) + buf[0] |= 0x20; + +- if (!buf[0]) +- return; +- + build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1); + } + +Index: gnupg2-2.0.17/include/cipher.h +=================================================================== +--- gnupg2-2.0.17.orig/include/cipher.h 2013-10-07 15:45:47.993157994 -0400 ++++ gnupg2-2.0.17/include/cipher.h 2013-10-07 15:45:47.989157994 -0400 +@@ -60,9 +60,14 @@ + + #define PUBKEY_USAGE_SIG GCRY_PK_USAGE_SIGN /* Good for signatures. */ + #define PUBKEY_USAGE_ENC GCRY_PK_USAGE_ENCR /* Good for encryption. */ +-#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys. 
*/ ++#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys.*/ + #define PUBKEY_USAGE_AUTH GCRY_PK_USAGE_AUTH /* Good for authentication. */ + #define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN /* Unknown usage flag. */ ++#define PUBKEY_USAGE_NONE 256 /* No usage given. */ ++#if (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \ ++ | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256 ++# error Please choose another value for PUBKEY_USAGE_NONE ++#endif + + #define DIGEST_ALGO_MD5 /* 1 */ GCRY_MD_MD5 + #define DIGEST_ALGO_SHA1 /* 2 */ GCRY_MD_SHA1 diff -Nru gnupg2-2.0.17/debian/patches/CVE-2013-4402.patch gnupg2-2.0.17/debian/patches/CVE-2013-4402.patch --- gnupg2-2.0.17/debian/patches/CVE-2013-4402.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/CVE-2013-4402.patch 2013-10-07 19:51:42.000000000 +0000 
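Review bot: `PUBKEY_USAGE_NONE` is defined as 256, which does not fit in eight bits, and the declaration of the field that stores the value returned by the key-flag parsing code in `g10/getkey.c` is not part of this patch. If that field is byte-sized, the new flag is truncated to zero on assignment and empty key flags are again treated as "default capabilities", which is the behaviour this patch is meant to remove. Please confirm the field's type and record the requirement next to the define, for example `/* Needs a usage field wider than 8 bits. */`. The enclosing function in `g10/getkey.c` starts outside the hunk.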
@@ -0,0 +1,307 @@ +Description: fix denial of service via infinite recursion +Origin: backported from GnuPG 2.0.22 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725433 + +Index: gnupg2-2.0.17/common/iobuf.c +=================================================================== +--- gnupg2-2.0.17.orig/common/iobuf.c 2013-10-07 15:46:12.505157761 -0400 ++++ gnupg2-2.0.17/common/iobuf.c 2013-10-07 15:46:12.501157761 -0400 +@@ -52,6 +52,10 @@ + be aware that there is no fsync support for the stdio backend. */ + #undef FILE_FILTER_USES_STDIO + ++/* To avoid a potential DoS with compression packets we better limit ++ the number of filters in a chain. */ ++#define MAX_NESTING_FILTER 64 ++ + /*-- End configurable part. --*/ + + +@@ -1612,6 +1616,13 @@ + + if (a->use == 2 && (rc = iobuf_flush (a))) + return rc; ++ ++ if (a->subno >= MAX_NESTING_FILTER) ++ { ++ log_error ("i/o filter too deeply nested - corrupted data?\n"); ++ return GPG_ERR_BAD_DATA; ++ } ++ + /* make a copy of the current stream, so that + * A is the new stream and B the original one. + * The contents of the buffers are transferred to the +Index: gnupg2-2.0.17/g10/mainproc.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/mainproc.c 2013-10-07 15:46:12.505157761 -0400 ++++ gnupg2-2.0.17/g10/mainproc.c 2013-10-07 15:49:38.465155796 -0400 +@@ -42,6 +42,11 @@ + #include "pka.h" + + ++/* Put an upper limit on nested packets. The 32 is an arbitrary ++ value, a much lower should actually be sufficient. */ ++#define MAX_NESTING_DEPTH 32 ++ ++ + struct kidlist_item { + struct kidlist_item *next; + u32 kid[2]; +@@ -86,12 +91,16 @@ + DEK *dek; + int last_was_session_key; + KBNODE list; /* The current list of packets. */ +- int have_data; + IOBUF iobuf; /* Used to get the filename etc. */ + int trustletter; /* Temporary usage in list_node. */ + ulong symkeys; + struct kidlist_item *pkenc_list; /* List of encryption packets. 
*/ +- int any_sig_seen; /* Set to true if a signature packet has been seen. */ ++ struct { ++ unsigned int sig_seen:1; /* Set to true if a signature packet ++ has been seen. */ ++ unsigned int data:1; /* Any data packet seen */ ++ unsigned int uncompress_failed:1; ++ } any; + }; + + +@@ -120,7 +129,8 @@ + } + c->pkenc_list = NULL; + c->list = NULL; +- c->have_data = 0; ++ c->any.data = 0; ++ c->any.uncompress_failed = 0; + c->last_was_session_key = 0; + xfree(c->dek); c->dek = NULL; + } +@@ -198,7 +208,7 @@ + { + KBNODE node; + +- c->any_sig_seen = 1; ++ c->any.sig_seen = 1; + if( pkt->pkttype == PKT_SIGNATURE && !c->list ) { + /* This is the first signature for the following datafile. + * GPG does not write such packets; instead it always uses +@@ -764,25 +774,39 @@ + return proc_encryption_packets( info, a ); + } + +-static void ++static int + proc_compressed( CTX c, PACKET *pkt ) + { +- PKT_compressed *zd = pkt->pkt.compressed; +- int rc; ++ PKT_compressed *zd = pkt->pkt.compressed; ++ int rc; + +- /*printf("zip: compressed data packet\n");*/ +- if( !zd->algorithm ) +- rc=G10ERR_COMPR_ALGO; +- else if( c->sigs_only ) +- rc = handle_compressed( c, zd, proc_compressed_cb, c ); +- else if( c->encrypt_only ) +- rc = handle_compressed( c, zd, proc_encrypt_cb, c ); +- else +- rc = handle_compressed( c, zd, NULL, NULL ); +- if( rc ) +- log_error("uncompressing failed: %s\n", g10_errstr(rc)); +- free_packet(pkt); +- c->last_was_session_key = 0; ++ /*printf("zip: compressed data packet\n");*/ ++ if( !zd->algorithm ) ++ rc=G10ERR_COMPR_ALGO; ++ else if( c->sigs_only ) ++ rc = handle_compressed( c, zd, proc_compressed_cb, c ); ++ else if( c->encrypt_only ) ++ rc = handle_compressed( c, zd, proc_encrypt_cb, c ); ++ else ++ rc = handle_compressed( c, zd, NULL, NULL ); ++ ++ if (gpg_err_code (rc) == GPG_ERR_BAD_DATA) ++ { ++ if (!c->any.uncompress_failed) ++ { ++ CTX cc; ++ ++ for (cc=c; cc; cc = cc->anchor) ++ cc->any.uncompress_failed = 1; ++ log_error ("uncompressing 
failed: %s\n", g10_errstr(rc)); ++ } ++ } ++ else if (rc) ++ log_error("uncompressing failed: %s\n", g10_errstr(rc)); ++ ++ free_packet (pkt); ++ c->last_was_session_key = 0; ++ return rc; + } + + /**************** +@@ -1199,7 +1223,7 @@ + Using log_error is required because verify_files does not check + error codes for each file but we want to terminate the process + with an error. */ +- if (!rc && !c->any_sig_seen) ++ if (!rc && !c->any.sig_seen) + { + write_status_text (STATUS_NODATA, "4"); + log_error (_("no signature found\n")); +@@ -1209,8 +1233,8 @@ + /* Propagate the signature seen flag upward. Do this only on + success so that we won't issue the nodata status several + times. */ +- if (!rc && c->anchor && c->any_sig_seen) +- c->anchor->any_sig_seen = 1; ++ if (!rc && c->anchor && c->any.sig_seen) ++ c->anchor->any.sig_seen = 1; + + xfree( c ); + return rc; +@@ -1236,7 +1260,7 @@ + Using log_error is required because verify_files does not check + error codes for each file but we want to terminate the process + with an error. */ +- if (!rc && !c->any_sig_seen) ++ if (!rc && !c->any.sig_seen) + { + write_status_text (STATUS_NODATA, "4"); + log_error (_("no signature found\n")); +@@ -1245,8 +1269,8 @@ + + /* Propagate the signature seen flag upward. Do this only on success + so that we won't issue the nodata status several times. 
*/ +- if (!rc && c->anchor && c->any_sig_seen) +- c->anchor->any_sig_seen = 1; ++ if (!rc && c->anchor && c->any.sig_seen) ++ c->anchor->any.sig_seen = 1; + + xfree ( c ); + return rc; +@@ -1267,14 +1291,37 @@ + } + + +-int ++static int ++check_nesting (CTX c) ++{ ++ int level; ++ ++ for (level=0; c; c = c->anchor) ++ level++; ++ ++ if (level > MAX_NESTING_DEPTH) ++ { ++ log_error ("input data with too deeply nested packets\n"); ++ write_status_text (STATUS_UNEXPECTED, "1"); ++ return GPG_ERR_BAD_DATA; ++ } ++ return 0; ++} ++ ++ ++static int + do_proc_packets( CTX c, IOBUF a ) + { +- PACKET *pkt = xmalloc( sizeof *pkt ); +- int rc=0; +- int any_data=0; ++ PACKET *pkt; ++ int rc = 0; ++ int any_data = 0; + int newpkt; + ++ rc = check_nesting (c); ++ if (rc) ++ return rc; ++ ++ pkt = xmalloc( sizeof *pkt ); + c->iobuf = a; + init_packet(pkt); + while( (rc=parse_packet(a, pkt)) != -1 ) { +@@ -1295,7 +1342,7 @@ + case PKT_SYMKEY_ENC: proc_symkey_enc( c, pkt ); break; + case PKT_ENCRYPTED: + case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break; +- case PKT_COMPRESSED: proc_compressed( c, pkt ); break; ++ case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break; + default: newpkt = 0; break; + } + } +@@ -1313,7 +1360,7 @@ + goto leave; + case PKT_SIGNATURE: newpkt = add_signature( c, pkt ); break; + case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break; +- case PKT_COMPRESSED: proc_compressed( c, pkt ); break; ++ case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break; + case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break; + case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break; + default: newpkt = 0; break; +@@ -1333,7 +1380,7 @@ + case PKT_ENCRYPTED: + case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break; + case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break; +- case PKT_COMPRESSED: proc_compressed( c, pkt ); break; ++ case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break; + case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); 
break; + case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break; + default: newpkt = 0; break; +@@ -1358,13 +1405,17 @@ + case PKT_ENCRYPTED: + case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break; + case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break; +- case PKT_COMPRESSED: proc_compressed( c, pkt ); break; ++ case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break; + case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break; + case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break; + case PKT_RING_TRUST: newpkt = add_ring_trust( c, pkt ); break; + default: newpkt = 0; break; + } + } ++ ++ if (rc) ++ goto leave; ++ + /* This is a very ugly construct and frankly, I don't remember why + * I used it. Adding the MDC check here is a hack. + * The right solution is to initiate another context for encrypted +@@ -1374,7 +1425,7 @@ + * Hmmm: Rewrite this whole module here?? + */ + if( pkt->pkttype != PKT_SIGNATURE && pkt->pkttype != PKT_MDC ) +- c->have_data = pkt->pkttype == PKT_PLAINTEXT; ++ c->any.data = (pkt->pkttype == PKT_PLAINTEXT); + + if( newpkt == -1 ) + ; +@@ -2012,7 +2063,7 @@ + } + else if( node->pkt->pkttype == PKT_ONEPASS_SIG ) { + /* check all signatures */ +- if( !c->have_data ) { ++ if( !c->any.data ) { + int use_textmode = 0; + + free_md_filter_context( &c->mfx ); +@@ -2065,7 +2116,7 @@ + && node->pkt->pkt.gpg_control->control + == CTRLPKT_CLEARSIGN_START ) { + /* clear text signed message */ +- if( !c->have_data ) { ++ if( !c->any.data ) { + log_error("cleartext signature without data\n" ); + return; + } +@@ -2107,7 +2158,7 @@ + if( sig->sig_class != 0x00 && sig->sig_class != 0x01 ) + log_info(_("standalone signature of class 0x%02x\n"), + sig->sig_class); +- else if( !c->have_data ) { ++ else if( !c->any.data ) { + /* detached signature */ + free_md_filter_context( &c->mfx ); + if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) diff -Nru gnupg2-2.0.17/debian/patches/CVE-2014-4617.patch 
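Review bot: The new `MAX_NESTING_FILTER` check in `common/iobuf.c` returns `GPG_ERR_BAD_DATA` before the filter is installed, which protects only those callers that test the return value, and the call sites are outside this patch. A caller that ignores the result would keep reading the stream without the filter it requested, so the call sites should be audited. In `g10/mainproc.c` the new `uncompress_failed` bit and `check_nesting` have no comments, unlike their neighbours. I would add `/* Uncompress failure already reported. */` on the bit and `/* Return an error if C is nested deeper than MAX_NESTING_DEPTH. */` above the function.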
gnupg2-2.0.17/debian/patches/CVE-2014-4617.patch
--- gnupg2-2.0.17/debian/patches/CVE-2014-4617.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.0.17/debian/patches/CVE-2014-4617.patch 2014-06-26 13:20:34.000000000 +0000
@@ -0,0 +1,69 @@
+From 014b2103fcb12f261135e3954f26e9e07b39e342 Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Fri, 20 Jun 2014 10:39:26 +0200
+Subject: [PATCH] gpg: Avoid infinite loop in uncompressing garbled packets.
+
+* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
+--
+
+A packet like (a3 01 5b ff) leads to an infinite loop. Using
+--max-output won't help if it is a partial packet. This patch
+actually fixes a regression introduced on 1999-05-31 (c34c6769).
+Actually it would be sufficient to stuff just one extra 0xff byte.
+Given that this problem popped up only after 15 years, I feel safer to
+allow for a very few FF bytes.
+
+Thanks to Olivier Levillain and Florian Maury for their detailed
+report.
+---
+ g10/compress.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/g10/compress.c b/g10/compress.c
+index a91dd23..6e151bc 100644
+--- a/g10/compress.c
++++ b/g10/compress.c
+@@ -161,7 +161,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ IOBUF a, size_t *ret_len )
+ {
+ int zrc;
+- int rc=0;
++ int rc = 0;
++ int leave = 0;
+ size_t n;
+ int nread, count;
+ int refill = !zs->avail_in;
+@@ -179,13 +180,14 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ nread = iobuf_read( a, zfx->inbuf + n, count );
+ if( nread == -1 ) nread = 0;
+ n += nread;
+- /* If we use the undocumented feature to suppress
+- * the zlib header, we have to give inflate an
+- * extra dummy byte to read */
+- if( nread < count && zfx->algo == 1 ) {
+- *(zfx->inbuf + n) = 0xFF; /* is it really needed ? */
+- zfx->algo1hack = 1;
++ /* Algo 1 has no zlib header which requires us to to give
++ * inflate an extra dummy byte to read. To be on the safe
++ * side we allow for up to 4 ff bytes. */
++ if( nread < count && zfx->algo == 1 && zfx->algo1hack < 4) {
++ *(zfx->inbuf + n) = 0xFF;
++ zfx->algo1hack++;
+ n++;
++ leave = 1;
+ }
+ zs->avail_in = n;
+ }
+@@ -205,7 +207,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ else
+ log_fatal("zlib inflate problem: rc=%d\n", zrc );
+ }
+- } while( zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR );
++ } while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR
++ && !leave);
+
+ *ret_len = zfx->outbufsize - zs->avail_out;
+ if( DBG_FILTER )
+--
+1.7.10.4
+
diff -Nru gnupg2-2.0.17/debian/patches/CVE-2015-1606.patch gnupg2-2.0.17/debian/patches/CVE-2015-1606.patch
--- gnupg2-2.0.17/debian/patches/CVE-2015-1606.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.0.17/debian/patches/CVE-2015-1606.patch 2015-03-25 20:37:45.000000000 +0000
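Review bot: In the refill branch of do_uncompress (g10/compress.c) the added `leave = 1;` is what ends the loop after a dummy byte is stuffed, yet it carries no comment, and the limit appears only as a bare `4` in the condition. I would comment that line, `/* Input ran short: let inflate consume the dummy byte once, then exit so a truncated stream cannot spin here. */`, and give the limit a named constant. `zfx->algo1hack` also changes from a flag to a counter, and none of the three hunks shows where it is cleared, so it is worth confirming that every filter context starts with it at zero. The new comment has a doubled word ("requires us to to give"). The function body starts and ends outside the hunks.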
@@ -0,0 +1,71 @@
+From 824d88ac51b4d680f06e68f0879a7c1ec03cb2ba Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Thu, 12 Feb 2015 18:58:36 +0100
+Subject: [PATCH] gpg: Prevent an invalid memory read using a garbled keyring.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
+types.
+--
+
+The keyring DB code did not reject packets which don't belong into a
+keyring. If for example the keyblock contains a literal data packet
+it is expected that the processing code stops at the data packet and
+reads from the input stream which is referenced from the data packets.
+Obviously the keyring processing code does not and cannot do that.
+However, when exporting this messes up the IOBUF and leads to an
+invalid read of sizeof (int).
+
+We now skip all packets which are not allowed in a keyring.
+
+Reported-by: Hanno Böck
+
+(back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648)
+---
+ g10/keyring.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+Index: gnupg2-2.0.24/g10/keyring.c
+===================================================================
+--- gnupg2-2.0.24.orig/g10/keyring.c 2015-03-25 16:11:01.139937128 -0400
++++ gnupg2-2.0.24/g10/keyring.c 2015-03-25 16:11:01.139937128 -0400
+@@ -412,8 +412,26 @@
+ rc = G10ERR_INV_KEYRING;
+ break;
+ }
+- if (pkt->pkttype == PKT_COMPRESSED) {
+- log_error ("skipped compressed packet in keyring\n");
++
++ /* Filter allowed packets. */
++ switch (pkt->pkttype){
++ case PKT_PUBLIC_KEY:
++ case PKT_PUBLIC_SUBKEY:
++ case PKT_SECRET_KEY:
++ case PKT_SECRET_SUBKEY:
++ case PKT_USER_ID:
++ case PKT_ATTRIBUTE:
++ case PKT_SIGNATURE:
++ break; /* Allowed per RFC. */
++ case PKT_RING_TRUST:
++ case PKT_OLD_COMMENT:
++ case PKT_COMMENT:
++ case PKT_GPG_CONTROL:
++ break; /* Allowed by us. */
++
++ default:
++ log_error ("skipped packet of type %d in keyring\n",
++ (int)pkt->pkttype);
+ free_packet(pkt);
+ init_packet(pkt);
+ continue;
+@@ -484,7 +502,7 @@
+ if (rc || !ret_kb)
+ release_kbnode (keyblock);
+ else {
+- /*(duplicated form the loop body)*/
++ /*(duplicated from the loop body)*/
+ if ( pkt && pkt->pkttype == PKT_RING_TRUST
+ && lastnode
+ && lastnode->pkt->pkttype == PKT_SIGNATURE
diff -Nru gnupg2-2.0.17/debian/patches/CVE-2015-1607.patch gnupg2-2.0.17/debian/patches/CVE-2015-1607.patch
--- gnupg2-2.0.17/debian/patches/CVE-2015-1607.patch 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.0.17/debian/patches/CVE-2015-1607.patch 2015-03-25 20:45:02.000000000 +0000
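Review bot: The `default:` arm added to keyring_get_keyblock (g10/keyring.c) drops the packet and continues, so a keyring holding disallowed packets still loads and, as far as this hunk shows, `rc` is left untouched; the log line is the only trace. That line reports the packet type but not which keyring was being read, which makes a damaged or tampered file harder to find afterwards, so adding the keyring's name to the message would help if it is in scope at that point. The comment `/* Filter allowed packets. */` could also give the reason: `/* Keep only packet types a keyring may hold; anything else is dropped, because this reader cannot consume packets that carry stream data. */`. The closing brace of the switch and the rest of the loop are outside the hunk.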
@@ -0,0 +1,1876 @@ +Backport of: + +From 3627123dc8fdc551caca1c7944713fbf01feccf6 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Thu, 12 Feb 2015 20:34:44 +0100 +Subject: [PATCH] Use inline functions to convert buffer data to scalars. +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +* include/host2net.h (buf16_to_ulong, buf16_to_uint): New. +(buf16_to_ushort, buf16_to_u16): New. +(buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New. +-- + +This fixes sign extension on shift problems. Hanno Böck found a case +with an invalid read due to this problem. To fix that almost all uses +of "<< 24" and "<< 8" are changed by this patch to use an inline +function from host2net.h. + +(back ported from commit 2183683bd633818dd031b090b5530951de76f392) + +Signed-off-by: Werner Koch +--- + common/iobuf.c | 3 +- + g10/build-packet.c | 6 ++-- + g10/getkey.c | 17 ++++----- + g10/keygen.c | 14 ++++---- + g10/keyid.c | 32 +++++++---------- + g10/main.h | 1 - + g10/misc.c | 11 ------ + g10/parse-packet.c | 41 ++++++++++----------- + g10/tdbio.c | 20 +++++------ + g10/trustdb.c | 2 +- + include/host2net.h | 100 +++++++++++++++++++++++++++++++++++++++++++-------- + kbx/keybox-dump.c | 63 +++++++++++++++----------------- + kbx/keybox-openpgp.c | 7 ++-- + kbx/keybox-search.c | 85 ++++++++++++++++++++----------------------- + kbx/keybox-update.c | 97 +++++++++++++++++++++++++------------------------ + scd/apdu.c | 39 +++++++++----------- + scd/app-openpgp.c | 3 +- + scd/ccid-driver.c | 3 +- + scd/pcsc-wrapper.c | 5 +-- + tools/ccidmon.c | 36 +++++++++---------- + 20 files changed, 310 insertions(+), 275 deletions(-) + +Index: gnupg2-2.0.17/common/iobuf.c +=================================================================== +--- gnupg2-2.0.17.orig/common/iobuf.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/common/iobuf.c 2015-03-25 16:37:54.518344112 -0400 +@@ -39,6 +39,7 @@ + + #include "util.h" + #include "sysutils.h" 
++#include "../include/host2net.h" + #include "iobuf.h" + + /*-- Begin configurable part. --*/ +@@ -869,7 +870,7 @@ + } + else if (c == 255) + { +- a->size = iobuf_get (chain) << 24; ++ a->size = (size_t)iobuf_get (chain) << 24; + a->size |= iobuf_get (chain) << 16; + a->size |= iobuf_get (chain) << 8; + if ((c = iobuf_get (chain)) == -1) +Index: gnupg2-2.0.17/g10/build-packet.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/build-packet.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/build-packet.c 2015-03-25 16:37:54.518344112 -0400 +@@ -33,6 +33,7 @@ + #include "cipher.h" + #include "i18n.h" + #include "options.h" ++#include "../include/host2net.h" + + static int do_user_id( IOBUF out, int ctb, PKT_user_id *uid ); + static int do_public_key( IOBUF out, int ctb, PKT_public_key *pk ); +@@ -631,8 +632,7 @@ + if( n == 255 ) { + if( buflen < 4 ) + break; +- n = (buffer[0] << 24) | (buffer[1] << 16) +- | (buffer[2] << 8) | buffer[3]; ++ n = buf32_to_size_t (buffer); + buffer += 4; + buflen -= 4; + } +@@ -755,7 +755,7 @@ + /* This should never happen since we don't currently allow + creating such a subpacket, but just in case... 
*/ + case SIGSUBPKT_SIG_EXPIRE: +- if(buffer_to_u32(buffer)+sig->timestamp<=make_timestamp()) ++ if (buf32_to_u32 (buffer) + sig->timestamp <= make_timestamp()) + sig->flags.expired=1; + else + sig->flags.expired=0; +Index: gnupg2-2.0.17/g10/getkey.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/getkey.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/getkey.c 2015-03-25 16:37:54.518344112 -0400 +@@ -35,6 +35,7 @@ + #include "trustdb.h" + #include "i18n.h" + #include "keyserver-internal.h" ++#include "../include/host2net.h" + + #define MAX_PK_CACHE_ENTRIES PK_UID_CACHE_SIZE + #define MAX_UID_CACHE_ENTRIES PK_UID_CACHE_SIZE +@@ -1486,14 +1487,14 @@ + + p = parse_sig_subpkt( sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL ); + if( pk ) { +- ed = p? pk->timestamp + buffer_to_u32(p):0; ++ ed = p? pk->timestamp + buf32_to_u32(p):0; + if( sig->timestamp > sigdate ) { + pk->expiredate = ed; + sigdate = sig->timestamp; + } + } + else { +- ed = p? sk->timestamp + buffer_to_u32(p):0; ++ ed = p? 
sk->timestamp + buf32_to_u32(p):0; + if( sig->timestamp > sigdate ) { + sk->expiredate = ed; + sigdate = sig->timestamp; +@@ -1618,8 +1619,8 @@ + + /* ditto for the key expiration */ + p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL); +- if( p && buffer_to_u32(p) ) +- uid->help_key_expire = keycreated + buffer_to_u32(p); ++ if( p && buf32_to_u32 (p) ) ++ uid->help_key_expire = keycreated + buf32_to_u32(p); + else + uid->help_key_expire = 0; + +@@ -1833,9 +1834,9 @@ + key_usage=parse_key_usage(sig); + + p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL); +- if( p && buffer_to_u32(p) ) ++ if( p && buf32_to_u32 (p) ) + { +- key_expire = keytimestamp + buffer_to_u32(p); ++ key_expire = keytimestamp + buf32_to_u32 (p); + key_expire_seen = 1; + } + +@@ -2257,8 +2258,8 @@ + subpk->pubkey_usage = key_usage; + + p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL); +- if ( p && buffer_to_u32(p) ) +- key_expire = keytimestamp + buffer_to_u32(p); ++ if ( p && buf32_to_u32 (p) ) ++ key_expire = keytimestamp + buf32_to_u32 (p); + else + key_expire = 0; + subpk->has_expired = key_expire >= curtime? 0 : key_expire; +Index: gnupg2-2.0.17/g10/keygen.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/keygen.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/keygen.c 2015-03-25 16:39:00.030926980 -0400 +@@ -42,6 +42,7 @@ + #include "i18n.h" + #include "keyserver-internal.h" + #include "call-agent.h" ++#include "host2net.h" + + /* The default algorithms. If you change them remember to change them + also in gpg.c:gpgconf_list. 
You should also check that the value +@@ -849,10 +850,7 @@ + } + else if(buf[1]==255) + { +- pktlen =buf[2] << 24; +- pktlen|=buf[3] << 16; +- pktlen|=buf[4] << 8; +- pktlen|=buf[5]; ++ pktlen = buf32_to_size_t (buf+2); + buf+=6; + } + else +@@ -869,14 +867,14 @@ + break; + + case 2: +- pktlen =buf[mark++] << 24; +- pktlen|=buf[mark++] << 16; ++ pktlen = (size_t)buf[mark++] << 24; ++ pktlen |= buf[mark++] << 16; + + case 1: +- pktlen|=buf[mark++] << 8; ++ pktlen |= buf[mark++] << 8; + + case 0: +- pktlen|=buf[mark++]; ++ pktlen |= buf[mark++]; + } + + buf+=mark; +Index: gnupg2-2.0.17/g10/keyid.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/keyid.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/keyid.c 2015-03-25 16:37:54.518344112 -0400 +@@ -34,6 +34,7 @@ + #include "keydb.h" + #include "i18n.h" + #include "rmd160.h" ++#include "host2net.h" + + int + pubkey_letter( int algo ) +@@ -173,9 +174,9 @@ + else + { + p = buffer + nbytes - 8; +- ki[0] = (p[0] << 24) | (p[1] <<16) | (p[2] << 8) | p[3]; ++ ki[0] = buf32_to_u32 (p); + p += 4; +- ki[1] = (p[0] << 24) | (p[1] <<16) | (p[2] << 8) | p[3]; ++ ki[1] = buf32_to_u32 (p); + } + xfree (buffer); + return ki[1]; +@@ -269,15 +270,8 @@ + { + u32 keyid[2]; + +- keyid[0] = ((unsigned char)desc->u.fpr[12] << 24 +- | (unsigned char)desc->u.fpr[13] << 16 +- | (unsigned char)desc->u.fpr[14] << 8 +- | (unsigned char)desc->u.fpr[15]); +- keyid[1] = ((unsigned char)desc->u.fpr[16] << 24 +- | (unsigned char)desc->u.fpr[17] << 16 +- | (unsigned char)desc->u.fpr[18] << 8 +- | (unsigned char)desc->u.fpr[19]); +- ++ keyid[0] = buf32_to_u32 (desc->u.fpr+12); ++ keyid[1] = buf32_to_u32 (desc->u.fpr+16); + return keystr(keyid); + } + +@@ -329,8 +323,8 @@ + if(md) + { + dp = gcry_md_read (md, 0); +- keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; +- keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; ++ keyid[0] = buf32_to_u32 (dp+12); ++ keyid[1] = 
buf32_to_u32 (dp+16); + lowbits = keyid[1]; + gcry_md_close (md); + sk->keyid[0] = keyid[0]; +@@ -384,8 +378,8 @@ + if(md) + { + dp = gcry_md_read ( md, 0 ); +- keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; +- keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; ++ keyid[0] = buf32_to_u32 (dp+12); ++ keyid[1] = buf32_to_u32 (dp+16); + lowbits = keyid[1]; + gcry_md_close (md); + pk->keyid[0] = keyid[0]; +@@ -428,8 +422,8 @@ + } + else { + const byte *dp = fprint; +- keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; +- keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; ++ keyid[0] = buf32_to_u32 (dp+12); ++ keyid[1] = buf32_to_u32 (dp+16); + } + + return keyid[1]; +@@ -719,8 +713,8 @@ + if (!array) + array = xmalloc ( len ); + memcpy (array, dp, len ); +- pk->keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; +- pk->keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; ++ pk->keyid[0] = buf32_to_u32 (dp+12); ++ pk->keyid[1] = buf32_to_u32 (dp+16); + gcry_md_close( md); + } + +Index: gnupg2-2.0.17/g10/main.h +=================================================================== +--- gnupg2-2.0.17.orig/g10/main.h 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/main.h 2015-03-25 16:37:54.518344112 -0400 +@@ -80,7 +80,6 @@ + u16 checksum_u16( unsigned n ); + u16 checksum( byte *p, unsigned n ); + u16 checksum_mpi( gcry_mpi_t a ); +-u32 buffer_to_u32( const byte *buffer ); + const byte *get_session_marker( size_t *rlen ); + int map_cipher_openpgp_to_gcry (int algo); + #define openpgp_cipher_open(_a,_b,_c,_d) gcry_cipher_open((_a),map_cipher_openpgp_to_gcry((_b)),(_c),(_d)) +Index: gnupg2-2.0.17/g10/misc.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/misc.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/misc.c 2015-03-25 16:37:54.518344112 -0400 +@@ -273,17 +273,6 @@ + return csum; + } + +-u32 +-buffer_to_u32( const byte 
*buffer ) +-{ +- unsigned long a; +- a = *buffer << 24; +- a |= buffer[1] << 16; +- a |= buffer[2] << 8; +- a |= buffer[3]; +- return a; +-} +- + void + print_pubkey_algo_note( int algo ) + { +Index: gnupg2-2.0.17/g10/parse-packet.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/parse-packet.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/parse-packet.c 2015-03-25 16:37:54.518344112 -0400 +@@ -34,6 +34,7 @@ + #include "options.h" + #include "main.h" + #include "i18n.h" ++#include "host2net.h" + + static int mpi_print_mode; + static int list_mode; +@@ -82,7 +83,7 @@ + read_16(IOBUF inp) + { + unsigned short a; +- a = iobuf_get_noeof(inp) << 8; ++ a = (unsigned short)iobuf_get_noeof(inp) << 8; + a |= iobuf_get_noeof(inp); + return a; + } +@@ -91,7 +92,7 @@ + read_32(IOBUF inp) + { + unsigned long a; +- a = iobuf_get_noeof(inp) << 24; ++ a = (unsigned long)iobuf_get_noeof(inp) << 24; + a |= iobuf_get_noeof(inp) << 16; + a |= iobuf_get_noeof(inp) << 8; + a |= iobuf_get_noeof(inp); +@@ -437,7 +438,8 @@ + } + else if( c == 255 ) + { +- pktlen = (hdr[hdrlen++] = iobuf_get_noeof(inp)) << 24; ++ pktlen = ++ (unsigned long)(hdr[hdrlen++] = iobuf_get_noeof(inp)) << 24; + pktlen |= (hdr[hdrlen++] = iobuf_get_noeof(inp)) << 16; + pktlen |= (hdr[hdrlen++] = iobuf_get_noeof(inp)) << 8; + if( (c = iobuf_get(inp)) == -1 ) +@@ -934,14 +936,15 @@ + switch( type ) { + case SIGSUBPKT_SIG_CREATED: + if( length >= 4 ) +- fprintf (listfp, "sig created %s", strtimestamp( buffer_to_u32(buffer) ) ); ++ fprintf (listfp, "sig created %s", ++ strtimestamp (buf32_to_u32(buffer)) ); + break; + case SIGSUBPKT_SIG_EXPIRE: + if( length >= 4 ) + { +- if(buffer_to_u32(buffer)) ++ if(buf32_to_u32(buffer)) + fprintf (listfp, "sig expires after %s", +- strtimevalue( buffer_to_u32(buffer) ) ); ++ strtimevalue( buf32_to_u32(buffer) ) ); + else + fprintf (listfp, "sig does not expire"); + } +@@ -969,9 +972,9 @@ + case SIGSUBPKT_KEY_EXPIRE: + if( 
length >= 4 ) + { +- if(buffer_to_u32(buffer)) ++ if(buf32_to_u32(buffer)) + fprintf (listfp, "key expires after %s", +- strtimevalue( buffer_to_u32(buffer) ) ); ++ strtimevalue( buf32_to_u32(buffer) ) ); + else + fprintf (listfp, "key does not expire"); + } +@@ -994,8 +997,8 @@ + case SIGSUBPKT_ISSUER: + if( length >= 8 ) + fprintf (listfp, "issuer key ID %08lX%08lX", +- (ulong)buffer_to_u32(buffer), +- (ulong)buffer_to_u32(buffer+4) ); ++ buf32_to_ulong (buffer), ++ buf32_to_ulong (buffer+4)); + break; + case SIGSUBPKT_NOTATION: + { +@@ -1240,8 +1243,7 @@ + if( n == 255 ) { /* 4 byte length header */ + if( buflen < 4 ) + goto too_short; +- n = (buffer[0] << 24) | (buffer[1] << 16) +- | (buffer[2] << 8) | buffer[3]; ++ n = buf32_to_size_t (buffer); + buffer += 4; + buflen -= 4; + } +@@ -1464,7 +1466,7 @@ + + p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_CREATED, NULL ); + if(p) +- sig->timestamp = buffer_to_u32(p); ++ sig->timestamp = buf32_to_u32 (p); + else if(!(sig->pubkey_algo>=100 && sig->pubkey_algo<=110) + && opt.verbose) + log_info ("signature packet without timestamp\n"); +@@ -1472,16 +1474,16 @@ + p = parse_sig_subpkt2( sig, SIGSUBPKT_ISSUER, NULL ); + if(p) + { +- sig->keyid[0] = buffer_to_u32(p); +- sig->keyid[1] = buffer_to_u32(p+4); ++ sig->keyid[0] = buf32_to_u32 (p); ++ sig->keyid[1] = buf32_to_u32 (p+4); + } + else if(!(sig->pubkey_algo>=100 && sig->pubkey_algo<=110) + && opt.verbose) + log_info ("signature packet without keyid\n"); + + p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_SIG_EXPIRE,NULL); +- if(p && buffer_to_u32(p)) +- sig->expiredate=sig->timestamp+buffer_to_u32(p); ++ if(p && buf32_to_u32 (p)) ++ sig->expiredate = sig->timestamp + buf32_to_u32 (p); + if(sig->expiredate && sig->expiredate<=make_timestamp()) + sig->flags.expired=1; + +@@ -2073,9 +2075,8 @@ + if( n == 255 ) { /* 4 byte length header */ + if( buflen < 4 ) + goto too_short; +- n = (buffer[0] << 24) | (buffer[1] << 16) +- | (buffer[2] << 8) | buffer[3]; +- buffer += 4; ++ n 
= buf32_to_size_t (buffer); ++ buffer += 4; + buflen -= 4; + } + else if( n >= 192 ) { /* 2 byte special encoded length header */ +Index: gnupg2-2.0.17/g10/tdbio.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/tdbio.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/tdbio.c 2015-03-25 16:39:50.659377324 -0400 +@@ -1214,13 +1214,13 @@ + rec->r.ver.cert_depth = *p++; + rec->r.ver.trust_model = *p++; + p += 3; +- rec->r.ver.created = buftoulong(p); p += 4; +- rec->r.ver.nextcheck = buftoulong(p); p += 4; ++ rec->r.ver.created = buf32_to_ulong (p); p += 4; ++ rec->r.ver.nextcheck = buf32_to_ulong (p); p += 4; + p += 4; + p += 4; +- rec->r.ver.firstfree =buftoulong(p); p += 4; ++ rec->r.ver.firstfree =buf32_to_ulong (p); p += 4; + p += 4; +- rec->r.ver.trusthashtbl =buftoulong(p); p += 4; ++ rec->r.ver.trusthashtbl =buf32_to_ulong (p); p += 4; + if( recnum ) { + log_error( _("%s: version record with recnum %lu\n"), db_name, + (ulong)recnum ); +@@ -1233,17 +1233,17 @@ + } + break; + case RECTYPE_FREE: +- rec->r.free.next = buftoulong(p); p += 4; ++ rec->r.free.next = buf32_to_ulong (p); p += 4; + break; + case RECTYPE_HTBL: + for(i=0; i < ITEMS_PER_HTBL_RECORD; i++ ) { +- rec->r.htbl.item[i] = buftoulong(p); p += 4; ++ rec->r.htbl.item[i] = buf32_to_ulong (p); p += 4; + } + break; + case RECTYPE_HLST: +- rec->r.hlst.next = buftoulong(p); p += 4; ++ rec->r.hlst.next = buf32_to_ulong (p); p += 4; + for(i=0; i < ITEMS_PER_HLST_RECORD; i++ ) { +- rec->r.hlst.rnum[i] = buftoulong(p); p += 4; ++ rec->r.hlst.rnum[i] = buf32_to_ulong (p); p += 4; + } + break; + case RECTYPE_TRUST: +@@ -1252,12 +1252,12 @@ + rec->r.trust.depth = *p++; + rec->r.trust.min_ownertrust = *p++; + p++; +- rec->r.trust.validlist = buftoulong(p); p += 4; ++ rec->r.trust.validlist = buf32_to_ulong (p); p += 4; + break; + case RECTYPE_VALID: + memcpy( rec->r.valid.namehash, p, 20); p+=20; + rec->r.valid.validity = *p++; +- rec->r.valid.next = 
buftoulong(p); p += 4; ++ rec->r.valid.next = buf32_to_ulong (p); p += 4; + rec->r.valid.full_count = *p++; + rec->r.valid.marginal_count = *p++; + break; +Index: gnupg2-2.0.17/g10/trustdb.c +=================================================================== +--- gnupg2-2.0.17.orig/g10/trustdb.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/g10/trustdb.c 2015-03-25 16:37:54.518344112 -0400 +@@ -1589,7 +1589,7 @@ + u32 expire; + + p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_EXPIRE, NULL ); +- expire = p? sig->timestamp + buffer_to_u32(p) : 0; ++ expire = p? sig->timestamp + buf32_to_u32 (p) : 0; + + if (expire==0 || expire > curtime ) + { +Index: gnupg2-2.0.17/include/host2net.h +=================================================================== +--- gnupg2-2.0.17.orig/include/host2net.h 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/include/host2net.h 2015-03-25 16:37:54.522344147 -0400 +@@ -1,14 +1,24 @@ +-/* host2net.h - Some macros +- * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc. ++/* host2net.h - Endian conversion macros ++ * Copyright (C) 1998, 2014, 2015 Werner Koch + * + * This file is part of GnuPG. + * +- * GnuPG is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 3 of the License, or +- * (at your option) any later version. ++ * This file is free software; you can redistribute it and/or modify ++ * it under the terms of either + * +- * GnuPG is distributed in the hope that it will be useful, ++ * - the GNU Lesser General Public License as published by the Free ++ * Software Foundation; either version 3 of the License, or (at ++ * your option) any later version. ++ * ++ * or ++ * ++ * - the GNU General Public License as published by the Free ++ * Software Foundation; either version 2 of the License, or (at ++ * your option) any later version. ++ * ++ * or both in parallel, as here. 
++ * ++ * This file is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. +@@ -17,14 +27,11 @@ + * along with this program; if not, see . + */ + +-#ifndef G10_HOST2NET_H +-#define G10_HOST2NET_H ++#ifndef GNUPG_COMMON_HOST2NET_H ++#define GNUPG_COMMON_HOST2NET_H + + #include "types.h" + +-#define buftoulong( p ) ((*(byte*)(p) << 24) | (*((byte*)(p)+1)<< 16) | \ +- (*((byte*)(p)+2) << 8) | (*((byte*)(p)+3))) +-#define buftoushort( p ) ((*((byte*)(p)) << 8) | (*((byte*)(p)+1))) + #define ulongtobuf( p, a ) do { \ + ((byte*)p)[0] = a >> 24; \ + ((byte*)p)[1] = a >> 16; \ +@@ -35,8 +42,71 @@ + ((byte*)p)[0] = a >> 8; \ + ((byte*)p)[1] = a ; \ + } while(0) +-#define buftou32( p) buftoulong( (p) ) +-#define u32tobuf( p, a) ulongtobuf( (p), (a) ) + + +-#endif /*G10_HOST2NET_H*/ ++static inline unsigned long ++buf16_to_ulong (const void *buffer) ++{ ++ const unsigned char *p = buffer; ++ ++ return (((unsigned long)p[0] << 8) | p[1]); ++} ++ ++static inline unsigned int ++buf16_to_uint (const void *buffer) ++{ ++ const unsigned char *p = buffer; ++ ++ return (((unsigned int)p[0] << 8) | p[1]); ++} ++ ++static inline unsigned short ++buf16_to_ushort (const void *buffer) ++{ ++ const unsigned char *p = buffer; ++ ++ return (((unsigned short)p[0] << 8) | p[1]); ++} ++ ++static inline u16 ++buf16_to_u16 (const void *buffer) ++{ ++ const unsigned char *p = buffer; ++ ++ return (((u16)p[0] << 8) | p[1]); ++} ++ ++static inline size_t ++buf32_to_size_t (const void *buffer) ++{ ++ const unsigned char *p = buffer; ++ ++ return (((size_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); ++} ++ ++static inline unsigned long ++buf32_to_ulong (const void *buffer) ++{ ++ const unsigned char *p = buffer; ++ ++ return (((unsigned long)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); ++} ++ ++static inline unsigned 
int ++buf32_to_uint (const void *buffer) ++{ ++ const unsigned char *p = buffer; ++ ++ return (((unsigned int)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); ++} ++ ++static inline u32 ++buf32_to_u32 (const void *buffer) ++{ ++ const unsigned char *p = buffer; ++ ++ return (((u32)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); ++} ++ ++ ++#endif /*GNUPG_COMMON_HOST2NET_H*/ +Index: gnupg2-2.0.17/kbx/keybox-dump.c +=================================================================== +--- gnupg2-2.0.17.orig/kbx/keybox-dump.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/kbx/keybox-dump.c 2015-03-25 16:37:54.522344147 -0400 +@@ -25,6 +25,7 @@ + + #include "keybox-defs.h" + #include ++#include "../include/host2net.h" + + /* Argg, we can't include ../common/util.h */ + char *bin2hexcolon (const void *buffer, size_t length, char *stringbuf); +@@ -33,21 +34,13 @@ + static ulong + get32 (const byte *buffer) + { +- ulong a; +- a = *buffer << 24; +- a |= buffer[1] << 16; +- a |= buffer[2] << 8; +- a |= buffer[3]; +- return a; ++ return buf32_to_ulong (buffer); + } + + static ulong + get16 (const byte *buffer) + { +- ulong a; +- a = *buffer << 8; +- a |= buffer[1]; +- return a; ++ return buf16_to_ulong (buffer); + } + + void +@@ -93,9 +86,9 @@ + if ( memcmp (buffer+8, "KBXf", 4)) + fprintf (fp, "[Error: invalid magic number]\n"); + +- n = get32 (buffer+16); ++ n = get32 (buffer+16); + fprintf( fp, "created-at: %lu\n", n ); +- n = get32 (buffer+20); ++ n = get32 (buffer+20); + fprintf( fp, "last-maint: %lu\n", n ); + + return 0; +@@ -117,7 +110,7 @@ + const byte *p; + + buffer = _keybox_get_blob_image (blob, &length); +- ++ + if (length < 32) + { + fprintf (fp, "[blob too short]\n"); +@@ -125,7 +118,7 @@ + } + + n = get32( buffer ); +- if (n > length) ++ if (n > length) + fprintf (fp, "[blob larger than length - output truncated]\n"); + else + length = n; /* ignore the rest */ +@@ -159,7 +152,7 @@ + fprintf (fp, "[blob too short]\n"); + return -1; + } +- ++ + n = 
get16 (buffer + 6); + fprintf( fp, "Blob-Flags: %04lX", n); + if (n) +@@ -188,7 +181,7 @@ + + fprintf( fp, "Data-Offset: %lu\n", rawdata_off ); + fprintf( fp, "Data-Length: %lu\n", rawdata_len ); +- if (rawdata_off > length || rawdata_len > length ++ if (rawdata_off > length || rawdata_len > length + || rawdata_off+rawdata_off > length) + fprintf (fp, "[Error: raw data larger than blob]\n"); + +@@ -207,7 +200,7 @@ + { + int i; + ulong kidoff, kflags; +- ++ + fprintf (fp, "Key-Fpr[%lu]: ", n ); + for (i=0; i < 20; i++ ) + fprintf (fp, "%02X", p[i]); +@@ -220,7 +213,7 @@ + kflags = get16 (p + 24 ); + fprintf( fp, "\nKey-Flags[%lu]: %04lX\n", n, kflags); + } +- ++ + /* serial number */ + fputs ("Serial-No: ", fp); + nserial = get16 (p); +@@ -244,7 +237,7 @@ + for (n=0; n < nuids; n++, p += uidinfolen) + { + ulong uidoff, uidlen, uflags; +- ++ + uidoff = get32( p ); + uidlen = get32( p+4 ); + if (type == BLOBTYPE_X509 && !n) +@@ -284,7 +277,7 @@ + fprintf (fp, "Uid-Validity[%lu]: %d\n", n, p[10] ); + } + } +- ++ + nsigs = get16 (p); + fprintf (fp, "Sig-Count: %lu\n", nsigs ); + siginfolen = get16 (p + 2); +@@ -294,7 +287,7 @@ + for (n=0; n < nsigs; n++, p += siginfolen) + { + ulong sflags; +- ++ + sflags = get32 (p); + fprintf (fp, "Sig-Expire[%lu]: ", n ); + if (!sflags) +@@ -341,11 +334,11 @@ + ulong rawdata_off, rawdata_len; + + buffer = _keybox_get_blob_image (blob, &length); +- ++ + if (length < 32) + return -1; + n = get32 (buffer); +- if (n < length) ++ if (n < length) + length = n; /* Blob larger than length in header - ignore the rest. */ + + type = buffer[4]; +@@ -364,11 +357,11 @@ + + if (length < 40) + return -1; +- ++ + rawdata_off = get32 (buffer + 8); + rawdata_len = get32 (buffer + 12); + +- if (rawdata_off > length || rawdata_len > length ++ if (rawdata_off > length || rawdata_len > length + || rawdata_off+rawdata_off > length) + return -1; /* Out of bounds. 
*/ + +@@ -408,7 +401,7 @@ + } + + n = get32( buffer ); +- if (n > length) ++ if (n > length) + s->too_large_blobs++; + else + length = n; /* ignore the rest */ +@@ -439,7 +432,7 @@ + s->too_short_blobs++; + return -1; + } +- ++ + n = get16 (buffer + 6); + if (n) + { +@@ -512,13 +505,13 @@ + rc = 0; + if (rc) + fprintf (outfp, "error reading `%s': %s\n", filename, gpg_strerror (rc)); +- ++ + if (fp != stdin) + fclose (fp); + + if (stats_only) + { +- fprintf (outfp, ++ fprintf (outfp, + "Total number of blobs: %8lu\n" + " header: %8lu\n" + " empty: %8lu\n" +@@ -551,9 +544,9 @@ + + + +-struct dupitem_s ++struct dupitem_s + { +- unsigned long recno; ++ unsigned long recno; + unsigned char digest[20]; + }; + +@@ -563,7 +556,7 @@ + { + struct dupitem_s *a = (struct dupitem_s *)arg_a; + struct dupitem_s *b = (struct dupitem_s *)arg_b; +- ++ + return memcmp (a->digest, b->digest, 20); + } + +@@ -581,7 +574,7 @@ + char fprbuf[3*20+1]; + + (void)print_them; +- ++ + memset (zerodigest, 0, sizeof zerodigest); + + if (!(fp = open_file (&filename, outfp))) +@@ -601,7 +594,7 @@ + while ( !(rc = _keybox_read_blob (&blob, fp)) ) + { + unsigned char digest[20]; +- ++ + if (hash_blob_rawdata (blob, digest)) + fprintf (outfp, "error in blob %ld of `%s'\n", recno, filename); + else if (memcmp (digest, zerodigest, 20)) +@@ -668,7 +661,7 @@ + KEYBOXBLOB blob; + int rc; + unsigned long recno = 0; +- ++ + if (!(fp = open_file (&filename, stderr))) + return gpg_error_from_syserror (); + +Index: gnupg2-2.0.17/kbx/keybox-openpgp.c +=================================================================== +--- gnupg2-2.0.17.orig/kbx/keybox-openpgp.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/kbx/keybox-openpgp.c 2015-03-25 16:37:54.522344147 -0400 +@@ -34,6 +34,7 @@ + #include "keybox-defs.h" + + #include ++#include "../include/host2net.h" + + + enum packet_types +@@ -119,10 +120,8 @@ + { + if (len <4 ) + return gpg_error (GPG_ERR_INV_PACKET); /* No length bytes. 
*/ +- pktlen = (*buf++) << 24; +- pktlen |= (*buf++) << 16; +- pktlen |= (*buf++) << 8; +- pktlen |= (*buf++); ++ pktlen = buf32_to_ulong (buf); ++ buf += 4; + len -= 4; + } + else /* Partial length encoding is not allowed for key packets. */ +Index: gnupg2-2.0.17/kbx/keybox-search.c +=================================================================== +--- gnupg2-2.0.17.orig/kbx/keybox-search.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/kbx/keybox-search.c 2015-03-25 16:37:54.522344147 -0400 +@@ -25,6 +25,7 @@ + #include + + #include "../jnlib/stringhelp.h" /* ascii_xxxx() */ ++#include "../include/host2net.h" + + #include "keybox-defs.h" + #include +@@ -45,21 +46,13 @@ + static inline ulong + get32 (const byte *buffer) + { +- ulong a; +- a = *buffer << 24; +- a |= buffer[1] << 16; +- a |= buffer[2] << 8; +- a |= buffer[3]; +- return a; ++ return buf32_to_ulong (buffer); + } + + static inline ulong + get16 (const byte *buffer) + { +- ulong a; +- a = *buffer << 8; +- a |= buffer[1]; +- return a; ++ return buf16_to_ulong (buffer); + } + + +@@ -112,7 +105,7 @@ + *flag_off = 6; + *flag_size = 2; + break; +- ++ + case KEYBOX_FLAG_OWNERTRUST: + case KEYBOX_FLAG_VALIDITY: + case KEYBOX_FLAG_CREATED_AT: +@@ -127,7 +120,7 @@ + if (pos+2 > length) + return GPG_ERR_INV_OBJ; /* Out of bounds. */ + /* Serial number. */ +- nserial = get16 (buffer+pos); ++ nserial = get16 (buffer+pos); + pos += 2 + nserial; + if (pos+4 > length) + return GPG_ERR_INV_OBJ; /* Out of bounds. */ +@@ -135,7 +128,7 @@ + nuids = get16 (buffer + pos); pos += 2; + uidinfolen = get16 (buffer + pos); pos += 2; + if (uidinfolen < 12 ) +- return GPG_ERR_INV_OBJ; ++ return GPG_ERR_INV_OBJ; + pos += uidinfolen*nuids; + if (pos+4 > length) + return GPG_ERR_INV_OBJ ; /* Out of bounds. 
*/ +@@ -143,7 +136,7 @@ + nsigs = get16 (buffer + pos); pos += 2; + siginfolen = get16 (buffer + pos); pos += 2; + if (siginfolen < 4 ) +- return GPG_ERR_INV_OBJ; ++ return GPG_ERR_INV_OBJ; + pos += siginfolen*nsigs; + if (pos+1+1+2+4+4+4+4 > length) + return GPG_ERR_INV_OBJ ; /* Out of bounds. */ +@@ -190,7 +183,7 @@ + case 4: *value = get32 (buffer + pos); break; + default: ec = GPG_ERR_BUG; break; + } +- ++ + return ec; + } + +@@ -218,7 +211,7 @@ + return 0; /* out of bounds */ + + /*serial*/ +- nserial = get16 (buffer+pos); ++ nserial = get16 (buffer+pos); + off = pos + 2; + if (off+nserial > length) + return 0; /* out of bounds */ +@@ -316,7 +309,7 @@ + return 0; /* out of bounds */ + + /*serial*/ +- nserial = get16 (buffer+pos); ++ nserial = get16 (buffer+pos); + pos += 2 + nserial; + if (pos+4 > length) + return 0; /* out of bounds */ +@@ -332,7 +325,7 @@ + if (idx < 0) + { /* compare all names starting with that (negated) index */ + idx = -idx; +- ++ + for ( ;idx < nuids; idx++) + { + size_t mypos = pos; +@@ -409,7 +402,7 @@ + return 0; /* out of bounds */ + + /*serial*/ +- nserial = get16 (buffer+pos); ++ nserial = get16 (buffer+pos); + pos += 2 + nserial; + if (pos+4 > length) + return 0; /* out of bounds */ +@@ -428,7 +421,7 @@ + for (idx=1 ;idx < nuids; idx++) + { + size_t mypos = pos; +- ++ + mypos += idx*uidinfolen; + off = get32 (buffer+mypos); + len = get32 (buffer+mypos+4); +@@ -439,7 +432,7 @@ + len--; /* one back */ + if ( len < 3 || buffer[off+len] != '>') + continue; /* not a proper email address */ +- len--; ++ len--; + if (substr) + { + if (ascii_memcasemem (buffer+off+1, len, name, namelen)) +@@ -474,7 +467,7 @@ + unsigned char array[20]; + unsigned char *rcp; + size_t n; +- ++ + buffer = _keybox_get_blob_image (blob, &length); + if (length < 40) + return 0; /* Too short. 
*/ +@@ -527,7 +520,7 @@ + + + /* +- The has_foo functions are used as helpers for search ++ The has_foo functions are used as helpers for search + */ + static inline int + has_short_kid (KEYBOXBLOB blob, const unsigned char *kid) +@@ -585,7 +578,7 @@ + return 0; + + namelen = strlen (name); +- ++ + return (blob_cmp_sn (blob, sn, snlen) + && blob_cmp_name (blob, 0 /* issuer */, name, namelen, 0)); + } +@@ -664,7 +657,7 @@ + + */ + +-int ++int + keybox_search_reset (KEYBOX_HANDLE hd) + { + if (!hd) +@@ -683,13 +676,13 @@ + } + hd->error = 0; + hd->eof = 0; +- return 0; ++ return 0; + } + + + /* Note: When in ephemeral mode the search function does visit all + blobs but in standard mode, blobs flagged as ephemeral are ignored. */ +-int ++int + keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc) + { + int rc; +@@ -708,18 +701,18 @@ + hd->found.blob = NULL; + } + +- if (hd->error) ++ if (hd->error) + return hd->error; /* still in error state */ +- if (hd->eof) ++ if (hd->eof) + return -1; /* still EOF */ + + /* figure out what information we need */ + need_words = any_skip = 0; +- for (n=0; n < ndesc; n++) ++ for (n=0; n < ndesc; n++) + { +- switch (desc[n].mode) ++ switch (desc[n].mode) + { +- case KEYDB_SEARCH_MODE_WORDS: ++ case KEYDB_SEARCH_MODE_WORDS: + need_words = 1; + break; + case KEYDB_SEARCH_MODE_FIRST: +@@ -729,7 +722,7 @@ + default: + break; + } +- if (desc[n].skipfnc) ++ if (desc[n].skipfnc) + any_skip = 1; + if (desc[n].snlen == -1 && !sn_array) + { +@@ -762,7 +755,7 @@ + int i, odd; + size_t snlen; + +- for (n=0; n < ndesc; n++) ++ for (n=0; n < ndesc; n++) + { + if (!desc[n].sn) + ; +@@ -830,14 +823,14 @@ + if (!hd->ephemeral && (blobflags & 2)) + continue; /* Not in ephemeral mode but blob is flagged ephemeral. 
*/ + +- for (n=0; n < ndesc; n++) ++ for (n=0; n < ndesc; n++) + { + switch (desc[n].mode) + { +- case KEYDB_SEARCH_MODE_NONE: ++ case KEYDB_SEARCH_MODE_NONE: + never_reached (); + break; +- case KEYDB_SEARCH_MODE_EXACT: ++ case KEYDB_SEARCH_MODE_EXACT: + if (has_subject_or_alt (blob, desc[n].u.name, 0)) + goto found; + break; +@@ -854,7 +847,7 @@ + goto found; + break; + case KEYDB_SEARCH_MODE_MAILEND: +- case KEYDB_SEARCH_MODE_WORDS: ++ case KEYDB_SEARCH_MODE_WORDS: + never_reached (); /* not yet implemented */ + break; + case KEYDB_SEARCH_MODE_ISSUER: +@@ -876,7 +869,7 @@ + if (has_subject (blob, desc[n].u.name)) + goto found; + break; +- case KEYDB_SEARCH_MODE_SHORT_KID: ++ case KEYDB_SEARCH_MODE_SHORT_KID: + if (has_short_kid (blob, desc[n].u.kid)) + goto found; + break; +@@ -893,20 +886,20 @@ + if (has_keygrip (blob, desc[n].u.grip)) + goto found; + break; +- case KEYDB_SEARCH_MODE_FIRST: ++ case KEYDB_SEARCH_MODE_FIRST: + goto found; + break; +- case KEYDB_SEARCH_MODE_NEXT: ++ case KEYDB_SEARCH_MODE_NEXT: + goto found; + break; +- default: ++ default: + rc = gpg_error (GPG_ERR_INV_VALUE); + goto found; + } + } + continue; +- found: +- for (n=any_skip?0:ndesc; n < ndesc; n++) ++ found: ++ for (n=any_skip?0:ndesc; n < ndesc; n++) + { + /* if (desc[n].skipfnc */ + /* && desc[n].skipfnc (desc[n].skipfncvalue, aki)) */ +@@ -915,7 +908,7 @@ + if (n == ndesc) + break; /* got it */ + } +- ++ + if (!rc) + { + hd->found.blob = blob; +@@ -925,7 +918,7 @@ + _keybox_release_blob (blob); + hd->eof = 1; + } +- else ++ else + { + _keybox_release_blob (blob); + hd->error = rc; +Index: gnupg2-2.0.17/kbx/keybox-update.c +=================================================================== +--- gnupg2-2.0.17.orig/kbx/keybox-update.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/kbx/keybox-update.c 2015-03-25 16:37:54.522344147 -0400 +@@ -26,6 +26,7 @@ + #include + + #include "keybox-defs.h" ++#include "../include/host2net.h" + + #define EXTSEP_S "." 
+ +@@ -65,12 +66,12 @@ + static int + create_tmp_file (const char *template, + char **r_bakfname, char **r_tmpfname, FILE **r_fp) +-{ ++{ + char *bakfname, *tmpfname; +- ++ + *r_bakfname = NULL; + *r_tmpfname = NULL; +- ++ + # ifdef USE_ONLY_8DOT3 + /* Here is another Windoze bug?: + * you cant rename("pubring.kbx.tmp", "pubring.kbx"); +@@ -87,7 +88,7 @@ + return gpg_error_from_syserror (); + strcpy (bakfname, template); + strcpy (bakfname+strlen(template)-4, EXTSEP_S "kb_"); +- ++ + tmpfname = xtrymalloc (strlen (template) + 1); + if (!tmpfname) + { +@@ -98,14 +99,14 @@ + strcpy (tmpfname,template); + strcpy (tmpfname + strlen (template)-4, EXTSEP_S "k__"); + } +- else ++ else + { /* File does not end with kbx, thus we hope we are working on a + modern file system and appending a suffix works. */ + bakfname = xtrymalloc ( strlen (template) + 5); + if (!bakfname) + return gpg_error_from_syserror (); + strcpy (stpcpy (bakfname, template), EXTSEP_S "kb_"); +- ++ + tmpfname = xtrymalloc ( strlen (template) + 5); + if (!tmpfname) + { +@@ -120,7 +121,7 @@ + if (!bakfname) + return gpg_error_from_syserror (); + strcpy (stpcpy (bakfname,template),"~"); +- ++ + tmpfname = xtrymalloc ( strlen (template) + 5); + if (!tmpfname) + { +@@ -172,7 +173,7 @@ + + /* First make a backup file except for secret keyboxes. */ + if (!secret) +- { ++ { + #if defined(HAVE_DOSISH_SYSTEM) || defined(__riscos__) + remove (bakfname); + #endif +@@ -181,7 +182,7 @@ + return gpg_error_from_syserror (); + } + } +- ++ + /* Then rename the file. 
*/ + #if defined(HAVE_DOSISH_SYSTEM) || defined(__riscos__) + remove (fname); +@@ -199,7 +200,7 @@ + } + return rc; + } +- ++ + return 0; + } + +@@ -211,7 +212,7 @@ + 3 = update + */ + static int +-blob_filecopy (int mode, const char *fname, KEYBOXBLOB blob, ++blob_filecopy (int mode, const char *fname, KEYBOXBLOB blob, + int secret, off_t start_offset) + { + FILE *fp, *newfp; +@@ -221,14 +222,14 @@ + char buffer[4096]; + int nread, nbytes; + +- /* Open the source file. Because we do a rename, we have to check the ++ /* Open the source file. Because we do a rename, we have to check the + permissions of the file */ + if (access (fname, W_OK)) + return gpg_error_from_syserror (); + + fp = fopen (fname, "rb"); + if (mode == 1 && !fp && errno == ENOENT) +- { ++ { + /* Insert mode but file does not exist: + Create a new keybox file. */ + newfp = fopen (fname, "wb"); +@@ -267,10 +268,10 @@ + fclose(fp); + goto leave; + } +- ++ + /* prepare for insert */ + if (mode == 1) +- { ++ { + /* Copy everything to the new file. */ + while ( (nread = fread (buffer, 1, DIM(buffer), fp)) > 0 ) + { +@@ -286,12 +287,12 @@ + goto leave; + } + } +- ++ + /* Prepare for delete or update. */ +- if ( mode == 2 || mode == 3 ) +- { ++ if ( mode == 2 || mode == 3 ) ++ { + off_t current = 0; +- ++ + /* Copy first part to the new file. */ + while ( current < start_offset ) + { +@@ -302,7 +303,7 @@ + if (!nread) + break; + current += nread; +- ++ + if (fwrite (buffer, nread, 1, newfp) != 1) + { + rc = gpg_error_from_syserror (); +@@ -314,24 +315,24 @@ + rc = gpg_error_from_syserror (); + goto leave; + } +- ++ + /* Skip this blob. */ + rc = _keybox_read_blob (NULL, fp); + if (rc) + return rc; + } +- ++ + /* Do an insert or update. */ + if ( mode == 1 || mode == 3 ) +- { ++ { + rc = _keybox_write_blob (blob, newfp); + if (rc) + return rc; + } +- ++ + /* Copy the rest of the packet for an delete or update. 
*/ + if (mode == 2 || mode == 3) +- { ++ { + while ( (nread = fread (buffer, 1, DIM(buffer), fp)) > 0 ) + { + if (fwrite (buffer, nread, 1, newfp) != 1) +@@ -346,7 +347,7 @@ + goto leave; + } + } +- ++ + /* Close both files. */ + if (fclose(fp)) + { +@@ -370,7 +371,7 @@ + + + +-#ifdef KEYBOX_WITH_X509 ++#ifdef KEYBOX_WITH_X509 + int + keybox_insert_cert (KEYBOX_HANDLE hd, ksba_cert_t cert, + unsigned char *sha1_digest) +@@ -380,12 +381,12 @@ + KEYBOXBLOB blob; + + if (!hd) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + if (!hd->kb) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + fname = hd->kb->fname; + if (!fname) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + + /* Close this one otherwise we will mess up the position for a next + search. Fixme: it would be better to adjust the position after +@@ -439,12 +440,12 @@ + if (!hd->found.blob) + return gpg_error (GPG_ERR_NOTHING_FOUND); + if (!hd->kb) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + if (!hd->found.blob) + return gpg_error (GPG_ERR_NOTHING_FOUND); + fname = hd->kb->fname; + if (!fname) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + + off = _keybox_get_blob_fileoffset (hd->found.blob); + if (off == (off_t)-1) +@@ -454,7 +455,7 @@ + ec = _keybox_get_flag_location (buffer, length, what, &flag_pos, &flag_size); + if (ec) + return gpg_error (ec); +- ++ + off += flag_pos; + + _keybox_close_file (hd); +@@ -476,7 +477,7 @@ + + switch (flag_size) + { +- case 1: ++ case 1: + case 2: + case 4: + if (fwrite (tmp+4-flag_size, flag_size, 1, fp) != 1) +@@ -512,10 +513,10 @@ + if (!hd->found.blob) + return gpg_error (GPG_ERR_NOTHING_FOUND); + if (!hd->kb) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + fname = hd->kb->fname; + if (!fname) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return 
gpg_error (GPG_ERR_INV_HANDLE); + + off = _keybox_get_blob_fileoffset (hd->found.blob); + if (off == (off_t)-1) +@@ -561,18 +562,18 @@ + int skipped_deleted; + + if (!hd) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + if (!hd->kb) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + if (hd->secret) + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); + fname = hd->kb->fname; + if (!fname) +- return gpg_error (GPG_ERR_INV_HANDLE); ++ return gpg_error (GPG_ERR_INV_HANDLE); + + _keybox_close_file (hd); + +- /* Open the source file. Because we do a rename, we have to check the ++ /* Open the source file. Because we do a rename, we have to check the + permissions of the file */ + if (access (fname, W_OK)) + return gpg_error_from_syserror (); +@@ -596,9 +597,8 @@ + buffer = _keybox_get_blob_image (blob, &length); + if (length > 4 && buffer[4] == BLOBTYPE_HEADER) + { +- u32 last_maint = ((buffer[20] << 24) | (buffer[20+1] << 16) +- | (buffer[20+2] << 8) | (buffer[20+3])); +- ++ u32 last_maint = buf32_to_u32 (buffer+20); ++ + if ( (last_maint + 3*3600) > time (NULL) ) + { + fclose (fp); +@@ -618,7 +618,7 @@ + return rc;; + } + +- ++ + /* Processing loop. By reading using _keybox_read_blob we + automagically skip any blobs flagged as deleted. Thus what we + only have to do is to check all ephemeral flagged blocks whether +@@ -663,24 +663,23 @@ + continue; + } + +- if (_keybox_get_flag_location (buffer, length, ++ if (_keybox_get_flag_location (buffer, length, + KEYBOX_FLAG_BLOB, &pos, &size) + || size != 2) + { + rc = gpg_error (GPG_ERR_BUG); + break; + } +- blobflags = ((buffer[pos] << 8) | (buffer[pos+1])); ++ blobflags = buf16_to_uint (buffer+pos); + if ((blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL)) + { + /* This is an ephemeral blob. 
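Review bot: In kbx/keybox-update.c (hunk -596,9 +597,8) the new `buf32_to_u32 (buffer+20)` reads bytes 20..23 of the blob image, but the guard on the line above only establishes `length > 4`. Unless the blob reader already rejects header blobs shorter than 24 bytes (not visible in this hunk), a truncated or malformed keybox file makes this an out-of-bounds read. The guard could be tightened to `if (length >= 24 && buffer[4] == BLOBTYPE_HEADER)`. The following comparison `(last_maint + 3*3600) > time (NULL)` adds to a u32 taken straight from the file, so a value near the top of the range wraps; doing the sum in `time_t` would avoid that. The enclosing function starts and ends outside the hunk.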
*/ +- if (_keybox_get_flag_location (buffer, length, ++ if (_keybox_get_flag_location (buffer, length, + KEYBOX_FLAG_CREATED_AT, &pos, &size) + || size != 4) + created_at = 0; /* oops. */ + else +- created_at = ((buffer[pos] << 24) | (buffer[pos+1] << 16) +- | (buffer[pos+2] << 8) | (buffer[pos+3])); ++ created_at = buf32_to_u32 (buffer+pos); + + if (created_at && created_at < cut_time) + { +Index: gnupg2-2.0.17/scd/apdu.c +=================================================================== +--- gnupg2-2.0.17.orig/scd/apdu.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/scd/apdu.c 2015-03-25 16:42:55.533024450 -0400 +@@ -58,6 +58,7 @@ + #include "scdaemon.h" + #include "exechelp.h" + #endif /* GNUPG_MAJOR_VERSION != 1 */ ++#include "../include/host2net.h" + + #include "apdu.h" + #include "ccid-driver.h" +@@ -904,15 +905,14 @@ + i? strerror (errno) : "premature EOF"); + goto command_failed; + } +- len = (msgbuf[1] << 24) | (msgbuf[2] << 16) | (msgbuf[3] << 8 ) | msgbuf[4]; ++ len = buf32_to_size_t (msgbuf+1); + if (msgbuf[0] != 0x81 || len < 4) + { + log_error ("invalid response header from PC/SC received\n"); + goto command_failed; + } + len -= 4; /* Already read the error code. */ +- err = PCSC_ERR_MASK ((msgbuf[5] << 24) | (msgbuf[6] << 16) +- | (msgbuf[7] << 8 ) | msgbuf[8]); ++ err = PCSC_ERR_MASK (buf32_to_ulong (msgbuf+5)); + if (err) + { + log_error ("pcsc_status failed: %s (0x%lx)\n", +@@ -1072,15 +1072,14 @@ + i? strerror (errno) : "premature EOF"); + goto command_failed; + } +- len = (msgbuf[1] << 24) | (msgbuf[2] << 16) | (msgbuf[3] << 8 ) | msgbuf[4]; ++ len = buf32_to_size_t (msgbuf+1); + if (msgbuf[0] != 0x81 || len < 4) + { + log_error ("invalid response header from PC/SC received\n"); + goto command_failed; + } + len -= 4; /* Already read the error code. 
*/ +- err = PCSC_ERR_MASK ((msgbuf[5] << 24) | (msgbuf[6] << 16) +- | (msgbuf[7] << 8 ) | msgbuf[8]); ++ err = PCSC_ERR_MASK (buf32_to_ulong (msgbuf+5)); + if (err) + { + log_error ("pcsc_transmit failed: %s (0x%lx)\n", +@@ -1205,15 +1204,14 @@ + i? strerror (errno) : "premature EOF"); + goto command_failed; + } +- len = (msgbuf[1] << 24) | (msgbuf[2] << 16) | (msgbuf[3] << 8 ) | msgbuf[4]; ++ len = buf32_to_size_t (msgbuf+1); + if (msgbuf[0] != 0x81 || len < 4) + { + log_error ("invalid response header from PC/SC received\n"); + goto command_failed; + } + len -= 4; /* Already read the error code. */ +- err = PCSC_ERR_MASK ((msgbuf[5] << 24) | (msgbuf[6] << 16) +- | (msgbuf[7] << 8 ) | msgbuf[8]); ++ err = PCSC_ERR_MASK (buf32_to_ulong (msgbuf+5)); + if (err) + log_error ("pcsc_close failed: %s (0x%lx)\n", + pcsc_error_string (err), err); +@@ -1392,7 +1390,7 @@ + i? strerror (errno) : "premature EOF"); + goto command_failed; + } +- len = (msgbuf[1] << 24) | (msgbuf[2] << 16) | (msgbuf[3] << 8 ) | msgbuf[4]; ++ len = buf32_to_size_t (msgbuf+1); + if (msgbuf[0] != 0x81 || len < 4) + { + log_error ("invalid response header from PC/SC received\n"); +@@ -1406,8 +1404,7 @@ + sw = SW_HOST_GENERAL_ERROR; + goto command_failed; + } +- err = PCSC_ERR_MASK ((msgbuf[5] << 24) | (msgbuf[6] << 16) +- | (msgbuf[7] << 8 ) | msgbuf[8]); ++ err = PCSC_ERR_MASK (buf32_to_ulong (msgbuf+5)); + if (err) + { + log_error ("PC/SC RESET failed: %s (0x%lx)\n", +@@ -1710,7 +1707,7 @@ + i? 
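Review bot: The PC/SC wrapper response header is decoded by the same two statements, `len = buf32_to_size_t (msgbuf+1);` and `err = PCSC_ERR_MASK (buf32_to_ulong (msgbuf+5));`, in this hunk of scd/apdu.c (-904,15) and again in the hunks at -1072, -1205, -1392/-1406 and -1710/-1723. A single static helper that validates `msgbuf[0] == 0x81` and `len >= 4` and returns both values would keep the five call sites from drifting apart the next time the parsing is touched. At minimum, a comment at the first site should document the layout: `/* msgbuf: [0]=0x81, [1..4]=big-endian length, [5..8]=big-endian error code */`. The functions containing these hunks begin and end outside the visible lines.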
strerror (errno) : "premature EOF"); + goto command_failed; + } +- len = (msgbuf[1] << 24) | (msgbuf[2] << 16) | (msgbuf[3] << 8 ) | msgbuf[4]; ++ len = buf32_to_size_t (msgbuf+1); + if (msgbuf[0] != 0x81 || len < 4) + { + log_error ("invalid response header from PC/SC received\n"); +@@ -1723,8 +1720,7 @@ + (unsigned long)len); + goto command_failed; + } +- err = PCSC_ERR_MASK ((msgbuf[5] << 24) | (msgbuf[6] << 16) +- | (msgbuf[7] << 8 ) | msgbuf[8]); ++ err = PCSC_ERR_MASK (buf32_to_ulong (msgbuf+5)); + if (err) + { + log_error ("PC/SC OPEN failed: %s\n", pcsc_error_string (err)); +Index: gnupg2-2.0.17/scd/app-openpgp.c +=================================================================== +--- gnupg2-2.0.17.orig/scd/app-openpgp.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/scd/app-openpgp.c 2015-03-25 16:37:54.522344147 -0400 +@@ -66,6 +66,7 @@ + #include "iso7816.h" + #include "app-common.h" + #include "tlv.h" ++#include "../include/host2net.h" + + + /* A table describing the DOs of the card. 
*/ +@@ -742,7 +743,7 @@ + char numbuf1[50], numbuf2[50]; + unsigned long value; + +- value = (stamp[0] << 24) | (stamp[1]<<16) | (stamp[2]<<8) | stamp[3]; ++ value = buf32_to_ulong (stamp); + if (!value) + return; + sprintf (numbuf1, "%d", number); +Index: gnupg2-2.0.17/scd/ccid-driver.c +=================================================================== +--- gnupg2-2.0.17.orig/scd/ccid-driver.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/scd/ccid-driver.c 2015-03-25 16:37:54.522344147 -0400 +@@ -92,6 +92,7 @@ + #include + + #include "ccid-driver.h" ++#include "../include/host2net.h" + + #define DRVNAME "ccid-driver: " + +@@ -292,7 +293,7 @@ + static unsigned int + convert_le_u32 (const unsigned char *buf) + { +- return buf[0] | (buf[1] << 8) | (buf[2] << 16) | (buf[3] << 24); ++ return buf[0] | (buf[1] << 8) | (buf[2] << 16) | ((unsigned int)buf[3] << 24); + } + + +Index: gnupg2-2.0.17/scd/pcsc-wrapper.c +=================================================================== +--- gnupg2-2.0.17.orig/scd/pcsc-wrapper.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/scd/pcsc-wrapper.c 2015-03-25 16:37:54.526344183 -0400 +@@ -252,7 +252,7 @@ + fprintf (stderr, PGM ": premature EOF while parsing request\n"); + exit (1); + } +- return (c1 << 24) | (c2 << 16) | (c3 << 8) | c4; ++ return ((unsigned long)c1 << 24) | (c2 << 16) | (c3 << 8) | c4; + } + + +Index: gnupg2-2.0.17/tools/ccidmon.c +=================================================================== +--- gnupg2-2.0.17.orig/tools/ccidmon.c 2015-03-25 16:37:54.526344183 -0400 ++++ gnupg2-2.0.17/tools/ccidmon.c 2015-03-25 16:37:54.526344183 -0400 +@@ -52,7 +52,7 @@ + static int skip_escape; + static int usb_bus, usb_dev; + static int sniffusb; +- ++ + + /* Error counter. */ + static int any_error; +@@ -142,19 +142,19 @@ + + /* Convert a little endian stored 4 byte value into an unsigned + integer. 
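Review bot: In scd/ccid-driver.c (hunk -292,7 +293,7) only the top byte of `convert_le_u32` is cast, so the expression still mixes `int` and `unsigned int` operands. It is correct as written, but casting every term, `(unsigned int)buf[0] | ((unsigned int)buf[1] << 8) | ((unsigned int)buf[2] << 16) | ((unsigned int)buf[3] << 24)`, makes the intent obvious and leaves no signed shift for a later edit to break. The same partial cast appears in scd/pcsc-wrapper.c (`((unsigned long)c1 << 24) | (c2 << 16) | ...`) and in the duplicate `convert_le_u32` in tools/ccidmon.c. The `#include "../include/host2net.h"` added to ccid-driver.c at -92,6 does not appear to be used by any visible change in that file, since the little-endian decode stays hand-written; either drop the include or say in a comment why the big-endian helpers do not apply here.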
*/ +-static unsigned int ++static unsigned int + convert_le_u32 (const unsigned char *buf) + { +- return buf[0] | (buf[1] << 8) | (buf[2] << 16) | (buf[3] << 24); ++ return buf[0] | (buf[1] << 8) | (buf[2] << 16) | ((unsigned int)buf[3] << 24); + } + + + /* Convert a little endian stored 2 byte value into an unsigned + integer. */ +-static unsigned int ++static unsigned int + convert_le_u16 (const unsigned char *buf) + { +- return buf[0] | (buf[1] << 8); ++ return buf[0] | (buf[1] << 8); + } + + +@@ -182,7 +182,7 @@ + putchar ('\n'); + } + +- ++ + static void + print_p2r_header (const char *name, const unsigned char *msg, size_t msglen) + { +@@ -359,7 +359,7 @@ + { + char buf[100]; + +- snprintf (buf, sizeof buf, "Unknown PC_to_RDR command 0x%02X", ++ snprintf (buf, sizeof buf, "Unknown PC_to_RDR command 0x%02X", + msglen? msg[0]:0); + print_p2r_header (buf, msg, msglen); + if (msglen < 10) +@@ -466,7 +466,7 @@ + msg[9] == 3? " (stopped)":""); + print_pr_data (msg, msglen, 10); + } +- ++ + + static void + print_r2p_parameters (const unsigned char *msg, size_t msglen) +@@ -527,7 +527,7 @@ + { + char buf[100]; + +- snprintf (buf, sizeof buf, "Unknown RDR_to_PC command 0x%02X", ++ snprintf (buf, sizeof buf, "Unknown RDR_to_PC command 0x%02X", + msglen? msg[0]:0); + print_r2p_header (buf, msg, msglen); + if (msglen < 10) +@@ -571,7 +571,7 @@ + { + if (!databuffer.count) + return; +- ++ + if (verbose) + printf ("Address: %s\n", databuffer.address); + if (databuffer.is_bi) +@@ -684,7 +684,7 @@ + p = strtok (NULL, " "); + if (!p) + return; /* No data length. 
*/ +- ++ + datatag = strtok (NULL, " "); + if (datatag && *datatag == '=') + { +@@ -707,10 +707,10 @@ + return; + p = strtok (NULL, " \t"); + if (!p) +- return; ++ return; + p = strtok (NULL, " \t"); + if (!p) +- return; ++ return; + + if (hexdigitp (p[0]) && hexdigitp (p[1]) + && hexdigitp (p[2]) && hexdigitp (p[3]) +@@ -718,7 +718,7 @@ + { + size_t length; + unsigned int value; +- ++ + length = databuffer.count; + while ((p=strtok (NULL, " \t"))) + { +@@ -791,7 +791,7 @@ + } + + +-int ++int + main (int argc, char **argv) + { + int last_argc = -1; +@@ -845,7 +845,7 @@ + sniffusb = 1; + argc--; argv++; + } +- } ++ } + + if (argc && sniffusb) + die ("no arguments expected when using --sniffusb\n"); +@@ -855,14 +855,14 @@ + if (argc == 1) + { + const char *s = strchr (argv[0], ':'); +- ++ + usb_bus = atoi (argv[0]); + if (s) + usb_dev = atoi (s+1); + if (usb_bus < 1 || usb_bus > 999 || usb_dev < 1 || usb_dev > 999) + die ("invalid bus:dev specified"); + } +- ++ + + signal (SIGPIPE, SIG_IGN); + diff -Nru gnupg2-2.0.17/debian/patches/debian-changes-2.0.17-2ubuntu1 gnupg2-2.0.17/debian/patches/debian-changes-2.0.17-2ubuntu1 --- gnupg2-2.0.17/debian/patches/debian-changes-2.0.17-2ubuntu1 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/debian-changes-2.0.17-2ubuntu1 2011-08-24 10:25:36.000000000 +0000 
@@ -0,0 +1,893 @@ +Description: Upstream changes introduced in version 2.0.17-2ubuntu1 + This patch has been created by dpkg-source during the package build. + Here's the last changelog entry, hopefully it gives details on why + those changes were made: + . + gnupg2 (2.0.17-2ubuntu1) oneiric; urgency=low + . + * Merge from debian unstable. Remaining changes: + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. + . debian/gnupg2.dev: udev rules to set ACLs on SCM smartcard readers. + . debian/rules: Call dh_installudev. + - debian/control: Rename Vcs-* to XS-Debian-Vcs-*. + . + The person named in the Author field signed this changelog entry. +Author: Marc Deslauriers + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- gnupg2-2.0.17.orig/config.guess ++++ gnupg2-2.0.17/config.guess +@@ -1,10 +1,10 @@ + #! /bin/sh + # Attempt to guess a canonical system name. + # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +-# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 +-# Free Software Foundation, Inc. ++# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, ++# 2011 Free Software Foundation, Inc. + +-timestamp='2009-12-30' ++timestamp='2011-05-11' + + # This file is free software; you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by +@@ -57,7 +57,7 @@ GNU config.guess ($timestamp) + + Originally written by Per Bothner. 
+ Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free ++2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free + Software Foundation, Inc. + + This is free software; see the source for copying conditions. There is NO +@@ -181,7 +181,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$ + fi + ;; + *) +- os=netbsd ++ os=netbsd + ;; + esac + # The OS release +@@ -224,7 +224,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$ + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + ;; + *5.*) +- UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ++ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on +@@ -270,7 +270,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$ + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` +- exit ;; ++ # Reset EXIT trap before exiting to avoid spurious non-zero exit code. ++ exitcode=$? ++ trap '' 0 ++ exit $exitcode ;; + Alpha\ *:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # Should we change UNAME_MACHINE based on the output of uname instead +@@ -296,7 +299,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$ + echo s390-ibm-zvmoe + exit ;; + *:OS400:*:*) +- echo powerpc-ibm-os400 ++ echo powerpc-ibm-os400 + exit ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + echo arm-acorn-riscix${UNAME_RELEASE} +@@ -395,23 +398,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:$ + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. 
+ atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) +- echo m68k-atari-mint${UNAME_RELEASE} ++ echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} +- exit ;; ++ exit ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) +- echo m68k-atari-mint${UNAME_RELEASE} ++ echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) +- echo m68k-milan-mint${UNAME_RELEASE} +- exit ;; ++ echo m68k-milan-mint${UNAME_RELEASE} ++ exit ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) +- echo m68k-hades-mint${UNAME_RELEASE} +- exit ;; ++ echo m68k-hades-mint${UNAME_RELEASE} ++ exit ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) +- echo m68k-unknown-mint${UNAME_RELEASE} +- exit ;; ++ echo m68k-unknown-mint${UNAME_RELEASE} ++ exit ;; + m68k:machten:*:*) + echo m68k-apple-machten${UNAME_RELEASE} + exit ;; +@@ -481,8 +484,8 @@ EOF + echo m88k-motorola-sysv3 + exit ;; + AViiON:dgux:*:*) +- # DG/UX returns AViiON for all architectures +- UNAME_PROCESSOR=`/usr/bin/uname -p` ++ # DG/UX returns AViiON for all architectures ++ UNAME_PROCESSOR=`/usr/bin/uname -p` + if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + then + if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ +@@ -495,7 +498,7 @@ EOF + else + echo i586-dg-dgux${UNAME_RELEASE} + fi +- exit ;; ++ exit ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + echo m88k-dolphin-sysv3 + exit ;; +@@ -552,7 +555,7 @@ EOF + echo rs6000-ibm-aix3.2 + fi + exit ;; +- *:AIX:*:[456]) ++ *:AIX:*:[4567]) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` + if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then + IBM_ARCH=rs6000 +@@ -595,52 +598,52 @@ EOF + 9000/[678][0-9][0-9]) + if [ -x /usr/bin/getconf ]; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` +- 
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` +- case "${sc_cpu_version}" in +- 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 +- 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 +- 532) # CPU_PA_RISC2_0 +- case "${sc_kernel_bits}" in +- 32) HP_ARCH="hppa2.0n" ;; +- 64) HP_ARCH="hppa2.0w" ;; ++ sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` ++ case "${sc_cpu_version}" in ++ 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 ++ 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 ++ 532) # CPU_PA_RISC2_0 ++ case "${sc_kernel_bits}" in ++ 32) HP_ARCH="hppa2.0n" ;; ++ 64) HP_ARCH="hppa2.0w" ;; + '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 +- esac ;; +- esac ++ esac ;; ++ esac + fi + if [ "${HP_ARCH}" = "" ]; then + eval $set_cc_for_build +- sed 's/^ //' << EOF >$dummy.c ++ sed 's/^ //' << EOF >$dummy.c ++ ++ #define _HPUX_SOURCE ++ #include ++ #include + +- #define _HPUX_SOURCE +- #include +- #include +- +- int main () +- { +- #if defined(_SC_KERNEL_BITS) +- long bits = sysconf(_SC_KERNEL_BITS); +- #endif +- long cpu = sysconf (_SC_CPU_VERSION); +- +- switch (cpu) +- { +- case CPU_PA_RISC1_0: puts ("hppa1.0"); break; +- case CPU_PA_RISC1_1: puts ("hppa1.1"); break; +- case CPU_PA_RISC2_0: +- #if defined(_SC_KERNEL_BITS) +- switch (bits) +- { +- case 64: puts ("hppa2.0w"); break; +- case 32: puts ("hppa2.0n"); break; +- default: puts ("hppa2.0"); break; +- } break; +- #else /* !defined(_SC_KERNEL_BITS) */ +- puts ("hppa2.0"); break; +- #endif +- default: puts ("hppa1.0"); break; +- } +- exit (0); +- } ++ int main () ++ { ++ #if defined(_SC_KERNEL_BITS) ++ long bits = sysconf(_SC_KERNEL_BITS); ++ #endif ++ long cpu = sysconf (_SC_CPU_VERSION); ++ ++ switch (cpu) ++ { ++ case CPU_PA_RISC1_0: puts ("hppa1.0"); break; ++ case CPU_PA_RISC1_1: puts ("hppa1.1"); break; ++ case CPU_PA_RISC2_0: ++ #if defined(_SC_KERNEL_BITS) ++ switch (bits) ++ { ++ case 64: puts ("hppa2.0w"); break; ++ case 32: puts ("hppa2.0n"); break; ++ default: puts ("hppa2.0"); break; ++ } break; ++ #else /* 
!defined(_SC_KERNEL_BITS) */ ++ puts ("hppa2.0"); break; ++ #endif ++ default: puts ("hppa1.0"); break; ++ } ++ exit (0); ++ } + EOF + (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa +@@ -731,22 +734,22 @@ EOF + exit ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + echo c1-convex-bsd +- exit ;; ++ exit ;; + C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi +- exit ;; ++ exit ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + echo c34-convex-bsd +- exit ;; ++ exit ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + echo c38-convex-bsd +- exit ;; ++ exit ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + echo c4-convex-bsd +- exit ;; ++ exit ;; + CRAY*Y-MP:*:*:*) + echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; +@@ -770,14 +773,14 @@ EOF + exit ;; + F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) + FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` +- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` +- FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` +- echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" +- exit ;; ++ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` ++ FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` ++ echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" ++ exit ;; + 5000:UNIX_System_V:4.*:*) +- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` +- FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` +- echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" ++ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` ++ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` ++ echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) + echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} +@@ -805,14 +808,14 @@ EOF + echo ${UNAME_MACHINE}-pc-mingw32 + exit ;; + i*:windows32*:*) +- # uname -m includes "-pc" on this system. +- echo ${UNAME_MACHINE}-mingw32 ++ # uname -m includes "-pc" on this system. ++ echo ${UNAME_MACHINE}-mingw32 + exit ;; + i*:PW*:*) + echo ${UNAME_MACHINE}-pc-pw32 + exit ;; + *:Interix*:*) +- case ${UNAME_MACHINE} in ++ case ${UNAME_MACHINE} in + x86) + echo i586-pc-interix${UNAME_RELEASE} + exit ;; +@@ -867,7 +870,7 @@ EOF + EV6) UNAME_MACHINE=alphaev6 ;; + EV67) UNAME_MACHINE=alphaev67 ;; + EV68*) UNAME_MACHINE=alphaev68 ;; +- esac ++ esac + objdump --private-headers /bin/sh | grep -q ld.so.1 + if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi + echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} +@@ -879,7 +882,13 @@ EOF + then + echo ${UNAME_MACHINE}-unknown-linux-gnu + else +- echo ${UNAME_MACHINE}-unknown-linux-gnueabi ++ if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ ++ | grep -q __ARM_PCS_VFP ++ then ++ echo ${UNAME_MACHINE}-unknown-linux-gnueabi ++ else ++ echo ${UNAME_MACHINE}-unknown-linux-gnueabihf ++ fi + fi + exit ;; + avr32*:Linux:*:*) +@@ -892,7 +901,7 @@ EOF + echo crisv32-axis-linux-gnu + exit ;; + frv:Linux:*:*) +- echo frv-unknown-linux-gnu ++ echo frv-unknown-linux-gnu + exit ;; + i*86:Linux:*:*) + LIBC=gnu +@@ -960,7 +969,7 @@ EOF + echo ${UNAME_MACHINE}-ibm-linux + exit ;; + sh64*:Linux:*:*) +- echo ${UNAME_MACHINE}-unknown-linux-gnu ++ echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + sh*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu +@@ -968,6 +977,9 @@ EOF + sparc:Linux:*:* | sparc64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; ++ tile*:Linux:*:*) ++ echo ${UNAME_MACHINE}-tilera-linux-gnu ++ exit ;; + vax:Linux:*:*) 
+ echo ${UNAME_MACHINE}-dec-linux-gnu + exit ;; +@@ -975,7 +987,7 @@ EOF + echo x86_64-unknown-linux-gnu + exit ;; + xtensa*:Linux:*:*) +- echo ${UNAME_MACHINE}-unknown-linux-gnu ++ echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + i*86:DYNIX/ptx:4*:*) + # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. +@@ -984,11 +996,11 @@ EOF + echo i386-sequent-sysv4 + exit ;; + i*86:UNIX_SV:4.2MP:2.*) +- # Unixware is an offshoot of SVR4, but it has its own version +- # number series starting with 2... +- # I am not positive that other SVR4 systems won't match this, ++ # Unixware is an offshoot of SVR4, but it has its own version ++ # number series starting with 2... ++ # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. +- # Use sysv4.2uw... so that sysv4* matches it. ++ # Use sysv4.2uw... so that sysv4* matches it. + echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + exit ;; + i*86:OS/2:*:*) +@@ -1020,7 +1032,7 @@ EOF + fi + exit ;; + i*86:*:5:[678]*) +- # UnixWare 7.x, OpenUNIX and OpenServer 6. ++ # UnixWare 7.x, OpenUNIX and OpenServer 6. + case `/bin/uname -X | grep "^Machine"` in + *486*) UNAME_MACHINE=i486 ;; + *Pentium) UNAME_MACHINE=i586 ;; +@@ -1048,13 +1060,13 @@ EOF + exit ;; + pc:*:*:*) + # Left here for compatibility: +- # uname -m prints for DJGPP always 'pc', but it prints nothing about +- # the processor, so we play safe by assuming i586. ++ # uname -m prints for DJGPP always 'pc', but it prints nothing about ++ # the processor, so we play safe by assuming i586. + # Note: whatever this is, it MUST be the same as what config.sub + # prints for the "djgpp" host, or else GDB configury will decide that + # this is a cross-build. 
+ echo i586-pc-msdosdjgpp +- exit ;; ++ exit ;; + Intel:Mach:3*:*) + echo i386-pc-mach3 + exit ;; +@@ -1089,8 +1101,8 @@ EOF + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) +- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ +- && { echo i486-ncr-sysv4; exit; } ;; ++ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ ++ && { echo i486-ncr-sysv4; exit; } ;; + NCR*:*:4.2:* | MPRAS*:*:4.2:*) + OS_REL='.3' + test -r /etc/.relid \ +@@ -1133,10 +1145,10 @@ EOF + echo ns32k-sni-sysv + fi + exit ;; +- PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort +- # says +- echo i586-unisys-sysv4 +- exit ;; ++ PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort ++ # says ++ echo i586-unisys-sysv4 ++ exit ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm +@@ -1162,11 +1174,11 @@ EOF + exit ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if [ -d /usr/nec ]; then +- echo mips-nec-sysv${UNAME_RELEASE} ++ echo mips-nec-sysv${UNAME_RELEASE} + else +- echo mips-unknown-sysv${UNAME_RELEASE} ++ echo mips-unknown-sysv${UNAME_RELEASE} + fi +- exit ;; ++ exit ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. 
+ echo powerpc-be-beos + exit ;; +@@ -1231,6 +1243,9 @@ EOF + *:QNX:*:4*) + echo i386-pc-qnx + exit ;; ++ NEO-?:NONSTOP_KERNEL:*:*) ++ echo neo-tandem-nsk${UNAME_RELEASE} ++ exit ;; + NSE-?:NONSTOP_KERNEL:*:*) + echo nse-tandem-nsk${UNAME_RELEASE} + exit ;; +@@ -1276,13 +1291,13 @@ EOF + echo pdp10-unknown-its + exit ;; + SEI:*:*:SEIUX) +- echo mips-sei-seiux${UNAME_RELEASE} ++ echo mips-sei-seiux${UNAME_RELEASE} + exit ;; + *:DragonFly:*:*) + echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit ;; + *:*VMS:*:*) +- UNAME_MACHINE=`(uname -p) 2>/dev/null` ++ UNAME_MACHINE=`(uname -p) 2>/dev/null` + case "${UNAME_MACHINE}" in + A*) echo alpha-dec-vms ; exit ;; + I*) echo ia64-dec-vms ; exit ;; +@@ -1322,11 +1337,11 @@ main () + #include + printf ("m68k-sony-newsos%s\n", + #ifdef NEWSOS4 +- "4" ++ "4" + #else +- "" ++ "" + #endif +- ); exit (0); ++ ); exit (0); + #endif + #endif + +--- gnupg2-2.0.17.orig/config.sub ++++ gnupg2-2.0.17/config.sub +@@ -1,10 +1,10 @@ + #! /bin/sh + # Configuration validation subroutine script. + # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +-# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 +-# Free Software Foundation, Inc. ++# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, ++# 2011 Free Software Foundation, Inc. + +-timestamp='2010-01-22' ++timestamp='2011-03-23' + + # This file is (in principle) common to ALL GNU software. + # The presence of a machine in this file suggests that SOME GNU software +@@ -76,7 +76,7 @@ version="\ + GNU config.sub ($timestamp) + + Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free ++2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free + Software Foundation, Inc. + + This is free software; see the source for copying conditions. 
There is NO +@@ -124,8 +124,9 @@ esac + # Here we must recognize all the valid KERNEL-OS combinations. + maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` + case $maybe_os in +- nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \ +- uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \ ++ nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ ++ linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ ++ knetbsd*-gnu* | netbsd*-gnu* | \ + kopensolaris*-gnu* | \ + storm-chaos* | os2-emx* | rtmk-nova*) + os=-$maybe_os +@@ -157,8 +158,8 @@ case $os in + os= + basic_machine=$1 + ;; +- -bluegene*) +- os=-cnk ++ -bluegene*) ++ os=-cnk + ;; + -sim | -cisco | -oki | -wec | -winbond) + os= +@@ -174,10 +175,10 @@ case $os in + os=-chorusos + basic_machine=$1 + ;; +- -chorusrdb) +- os=-chorusrdb ++ -chorusrdb) ++ os=-chorusrdb + basic_machine=$1 +- ;; ++ ;; + -hiux*) + os=-hiuxwe2 + ;; +@@ -282,11 +283,13 @@ case $basic_machine in + | moxie \ + | mt \ + | msp430 \ ++ | nds32 | nds32le | nds32be \ + | nios | nios2 \ + | ns16k | ns32k \ ++ | open8 \ + | or32 \ + | pdp10 | pdp11 | pj | pjl \ +- | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ ++ | powerpc | powerpc64 | powerpc64le | powerpcle \ + | pyramid \ + | rx \ + | score \ +@@ -294,15 +297,24 @@ case $basic_machine in + | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ +- | spu | strongarm \ +- | tahoe | thumb | tic4x | tic80 | tron \ ++ | spu \ ++ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ + | ubicom32 \ + | v850 | v850e \ + | we32k \ +- | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ ++ | x86 | xc16x | xstormy16 | xtensa \ + | z8k | z80) + basic_machine=$basic_machine-unknown + ;; ++ c54x) ++ basic_machine=tic54x-unknown ++ ;; ++ c55x) ++ basic_machine=tic55x-unknown ++ ;; ++ c6x) ++ 
basic_machine=tic6x-unknown ++ ;; + m6811 | m68hc11 | m6812 | m68hc12 | picochip) + # Motorola 68HC11/12. + basic_machine=$basic_machine-unknown +@@ -314,6 +326,18 @@ case $basic_machine in + basic_machine=mt-unknown + ;; + ++ strongarm | thumb | xscale) ++ basic_machine=arm-unknown ++ ;; ++ ++ xscaleeb) ++ basic_machine=armeb-unknown ++ ;; ++ ++ xscaleel) ++ basic_machine=armel-unknown ++ ;; ++ + # We use `pc' rather than `unknown' + # because (1) that's what they normally are, and + # (2) the word "unknown" tends to confuse beginning users. +@@ -334,7 +358,7 @@ case $basic_machine in + | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* | avr32-* \ + | bfin-* | bs2000-* \ +- | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ ++ | c[123]* | c30-* | [cjt]90-* | c4x-* \ + | clipper-* | craynv-* | cydra-* \ + | d10v-* | d30v-* | dlx-* \ + | elxsi-* \ +@@ -368,26 +392,28 @@ case $basic_machine in + | mmix-* \ + | mt-* \ + | msp430-* \ ++ | nds32-* | nds32le-* | nds32be-* \ + | nios-* | nios2-* \ + | none-* | np1-* | ns16k-* | ns32k-* \ ++ | open8-* \ + | orion-* \ + | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ +- | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ ++ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ + | pyramid-* \ + | romp-* | rs6000-* | rx-* \ + | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ + | sparclite-* \ +- | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ +- | tahoe-* | thumb-* \ ++ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ ++ | tahoe-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tile-* | tilegx-* \ + | tron-* \ + | ubicom32-* \ + | v850-* | v850e-* | vax-* \ + | we32k-* \ +- | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* 
| xscalee[bl]-* \ ++ | x86-* | x86_64-* | xc16x-* | xps100-* \ + | xstormy16-* | xtensa*-* \ + | ymp-* \ + | z8k-* | z80-*) +@@ -412,7 +438,7 @@ case $basic_machine in + basic_machine=a29k-amd + os=-udi + ;; +- abacus) ++ abacus) + basic_machine=abacus-unknown + ;; + adobe68k) +@@ -482,11 +508,20 @@ case $basic_machine in + basic_machine=powerpc-ibm + os=-cnk + ;; ++ c54x-*) ++ basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` ++ ;; ++ c55x-*) ++ basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` ++ ;; ++ c6x-*) ++ basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` ++ ;; + c90) + basic_machine=c90-cray + os=-unicos + ;; +- cegcc) ++ cegcc) + basic_machine=arm-unknown + os=-cegcc + ;; +@@ -518,7 +553,7 @@ case $basic_machine in + basic_machine=craynv-cray + os=-unicosmp + ;; +- cr16) ++ cr16 | cr16-*) + basic_machine=cr16-unknown + os=-elf + ;; +@@ -734,7 +769,7 @@ case $basic_machine in + basic_machine=ns32k-utek + os=-sysv + ;; +- microblaze) ++ microblaze) + basic_machine=microblaze-xilinx + ;; + mingw32) +@@ -841,6 +876,12 @@ case $basic_machine in + np1) + basic_machine=np1-gould + ;; ++ neo-tandem) ++ basic_machine=neo-tandem ++ ;; ++ nse-tandem) ++ basic_machine=nse-tandem ++ ;; + nsr-tandem) + basic_machine=nsr-tandem + ;; +@@ -923,9 +964,10 @@ case $basic_machine in + ;; + power) basic_machine=power-ibm + ;; +- ppc) basic_machine=powerpc-unknown ++ ppc | ppcbe) basic_machine=powerpc-unknown + ;; +- ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ++ ppc-* | ppcbe-*) ++ basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppcle | powerpclittle | ppc-le | powerpc-little) + basic_machine=powerpcle-unknown +@@ -1019,6 +1061,9 @@ case $basic_machine in + basic_machine=i860-stratus + os=-sysv4 + ;; ++ strongarm-* | thumb-*) ++ basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` ++ ;; + sun2) + basic_machine=m68000-sun + ;; +@@ -1075,20 +1120,8 @@ case $basic_machine in + 
basic_machine=t90-cray + os=-unicos + ;; +- tic54x | c54x*) +- basic_machine=tic54x-unknown +- os=-coff +- ;; +- tic55x | c55x*) +- basic_machine=tic55x-unknown +- os=-coff +- ;; +- tic6x | c6x*) +- basic_machine=tic6x-unknown +- os=-coff +- ;; +- # This must be matched before tile*. +- tilegx*) ++ # This must be matched before tile*. ++ tilegx*) + basic_machine=tilegx-unknown + os=-linux-gnu + ;; +@@ -1163,6 +1196,9 @@ case $basic_machine in + xps | xps100) + basic_machine=xps100-honeywell + ;; ++ xscale-* | xscalee[bl]-*) ++ basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` ++ ;; + ymp) + basic_machine=ymp-cray + os=-unicos +@@ -1260,11 +1296,11 @@ esac + if [ x"$os" != x"" ] + then + case $os in +- # First match some system type aliases +- # that might get confused with valid system types. ++ # First match some system type aliases ++ # that might get confused with valid system types. + # -solaris* is a basic system type, with this one exception. +- -auroraux) +- os=-auroraux ++ -auroraux) ++ os=-auroraux + ;; + -solaris1 | -solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` +@@ -1301,7 +1337,8 @@ case $os in + | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ + | -chorusos* | -chorusrdb* | -cegcc* \ + | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ +- | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \ ++ | -mingw32* | -linux-gnu* | -linux-android* \ ++ | -linux-newlib* | -linux-uclibc* \ + | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ + | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ +@@ -1348,7 +1385,7 @@ case $os in + -opened*) + os=-openedition + ;; +- -os400*) ++ -os400*) + os=-os400 + ;; + -wince*) +@@ -1397,7 +1434,7 @@ case $os in + -sinix*) + os=-sysv4 + ;; +- -tpf*) ++ -tpf*) + os=-tpf + ;; + -triton*) +@@ -1442,8 +1479,8 @@ case $os in + -dicos*) + os=-dicos + ;; +- -nacl*) +- ;; ++ -nacl*) ++ ;; + -none) + ;; + *) +@@ -1466,10 +1503,10 @@ 
else + # system, and we'll never get to this point. + + case $basic_machine in +- score-*) ++ score-*) + os=-elf + ;; +- spu-*) ++ spu-*) + os=-elf + ;; + *-acorn) +@@ -1481,8 +1518,17 @@ case $basic_machine in + arm*-semi) + os=-aout + ;; +- c4x-* | tic4x-*) +- os=-coff ++ c4x-* | tic4x-*) ++ os=-coff ++ ;; ++ tic54x-*) ++ os=-coff ++ ;; ++ tic55x-*) ++ os=-coff ++ ;; ++ tic6x-*) ++ os=-coff + ;; + # This must come before the *-dec entry. + pdp10-*) +@@ -1509,7 +1555,7 @@ case $basic_machine in + m68*-cisco) + os=-aout + ;; +- mep-*) ++ mep-*) + os=-elf + ;; + mips*-cisco) +@@ -1536,7 +1582,7 @@ case $basic_machine in + *-ibm) + os=-aix + ;; +- *-knuth) ++ *-knuth) + os=-mmixware + ;; + *-wec) diff -Nru gnupg2-2.0.17/debian/patches/debian-changes-2.0.17-2ubuntu1.12.04.1 gnupg2-2.0.17/debian/patches/debian-changes-2.0.17-2ubuntu1.12.04.1 --- gnupg2-2.0.17/debian/patches/debian-changes-2.0.17-2ubuntu1.12.04.1 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/debian-changes-2.0.17-2ubuntu1.12.04.1 2012-08-14 17:17:41.000000000 +0000 
@@ -0,0 +1,386 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + gnupg2 (2.0.17-2ubuntu2.12.04.1) precise-security; urgency=low + . + * debian/patches/long-keyids.diff: Use the longest key ID available + when requesting a key from a key server. +Author: Marc Deslauriers + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- gnupg2-2.0.17.orig/config.guess ++++ gnupg2-2.0.17/config.guess +@@ -2,9 +2,9 @@ + # Attempt to guess a canonical system name. + # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, + # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, +-# 2011 Free Software Foundation, Inc. ++# 2011, 2012 Free Software Foundation, Inc. + +-timestamp='2011-05-11' ++timestamp='2012-02-10' + + # This file is free software; you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by +@@ -17,9 +17,7 @@ timestamp='2011-05-11' + # General Public License for more details. + # + # You should have received a copy of the GNU General Public License +-# along with this program; if not, write to the Free Software +-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +-# 02110-1301, USA. ++# along with this program; if not, see . 
+ # + # As a special exception to the GNU General Public License, if you + # distribute this file as part of a program that contains a +@@ -57,8 +55,8 @@ GNU config.guess ($timestamp) + + Originally written by Per Bothner. + Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free +-Software Foundation, Inc. ++2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 ++Free Software Foundation, Inc. + + This is free software; see the source for copying conditions. There is NO + warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." +@@ -145,7 +143,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` | + case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + *:NetBSD:*:*) + # NetBSD (nbsd) targets should (where applicable) match one or +- # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, ++ # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, + # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently + # switched to ELF, *-*-netbsd* would select the old + # object file format. This provides both forward +@@ -792,13 +790,12 @@ EOF + echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + exit ;; + *:FreeBSD:*:*) +- case ${UNAME_MACHINE} in +- pc98) +- echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; ++ UNAME_PROCESSOR=`/usr/bin/uname -p` ++ case ${UNAME_PROCESSOR} in + amd64) + echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + *) +- echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; ++ echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + esac + exit ;; + i*:CYGWIN*:*) +@@ -807,6 +804,9 @@ EOF + *:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit ;; ++ i*:MSYS*:*) ++ echo ${UNAME_MACHINE}-pc-msys ++ exit ;; + i*:windows32*:*) + # uname -m includes "-pc" on this system. 
+ echo ${UNAME_MACHINE}-mingw32 +@@ -861,6 +861,13 @@ EOF + i*86:Minix:*:*) + echo ${UNAME_MACHINE}-pc-minix + exit ;; ++ aarch64:Linux:*:*) ++ echo ${UNAME_MACHINE}-unknown-linux-gnu ++ exit ;; ++ aarch64_be:Linux:*:*) ++ UNAME_MACHINE=aarch64_be ++ echo ${UNAME_MACHINE}-unknown-linux-gnu ++ exit ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + EV5) UNAME_MACHINE=alphaev5 ;; +@@ -895,13 +902,16 @@ EOF + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + cris:Linux:*:*) +- echo cris-axis-linux-gnu ++ echo ${UNAME_MACHINE}-axis-linux-gnu + exit ;; + crisv32:Linux:*:*) +- echo crisv32-axis-linux-gnu ++ echo ${UNAME_MACHINE}-axis-linux-gnu + exit ;; + frv:Linux:*:*) +- echo frv-unknown-linux-gnu ++ echo ${UNAME_MACHINE}-unknown-linux-gnu ++ exit ;; ++ hexagon:Linux:*:*) ++ echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + i*86:Linux:*:*) + LIBC=gnu +@@ -943,7 +953,7 @@ EOF + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } + ;; + or32:Linux:*:*) +- echo or32-unknown-linux-gnu ++ echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + padre:Linux:*:*) + echo sparc-unknown-linux-gnu +@@ -978,13 +988,13 @@ EOF + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + tile*:Linux:*:*) +- echo ${UNAME_MACHINE}-tilera-linux-gnu ++ echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + vax:Linux:*:*) + echo ${UNAME_MACHINE}-dec-linux-gnu + exit ;; + x86_64:Linux:*:*) +- echo x86_64-unknown-linux-gnu ++ echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + xtensa*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu +@@ -1315,6 +1325,9 @@ EOF + i*86:AROS:*:*) + echo ${UNAME_MACHINE}-pc-aros + exit ;; ++ x86_64:VMkernel:*:*) ++ echo ${UNAME_MACHINE}-unknown-esx ++ exit ;; + esac + + #echo '(No uname command or uname output not recognized.)' 1>&2 +--- gnupg2-2.0.17.orig/config.sub ++++ gnupg2-2.0.17/config.sub +@@ -2,9 +2,9 @@ + # Configuration validation subroutine script. 
+ # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, + # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, +-# 2011 Free Software Foundation, Inc. ++# 2011, 2012 Free Software Foundation, Inc. + +-timestamp='2011-03-23' ++timestamp='2012-02-10' + + # This file is (in principle) common to ALL GNU software. + # The presence of a machine in this file suggests that SOME GNU software +@@ -21,9 +21,7 @@ timestamp='2011-03-23' + # GNU General Public License for more details. + # + # You should have received a copy of the GNU General Public License +-# along with this program; if not, write to the Free Software +-# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +-# 02110-1301, USA. ++# along with this program; if not, see . + # + # As a special exception to the GNU General Public License, if you + # distribute this file as part of a program that contains a +@@ -76,8 +74,8 @@ version="\ + GNU config.sub ($timestamp) + + Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, +-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free +-Software Foundation, Inc. ++2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 ++Free Software Foundation, Inc. + + This is free software; see the source for copying conditions. There is NO + warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." +@@ -132,6 +130,10 @@ case $maybe_os in + os=-$maybe_os + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` + ;; ++ android-linux) ++ os=-linux-android ++ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown ++ ;; + *) + basic_machine=`echo $1 | sed 's/-[^-]*$//'` + if [ $basic_machine != $1 ] +@@ -247,17 +249,22 @@ case $basic_machine in + # Some are omitted here because they have special meanings below. 
+ 1750a | 580 \ + | a29k \ ++ | aarch64 | aarch64_be \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ + | am33_2.0 \ + | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ ++ | be32 | be64 \ + | bfin \ + | c4x | clipper \ + | d10v | d30v | dlx | dsp16xx \ ++ | epiphany \ + | fido | fr30 | frv \ + | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ ++ | hexagon \ + | i370 | i860 | i960 | ia64 \ + | ip2k | iq2000 \ ++ | le32 | le64 \ + | lm32 \ + | m32c | m32r | m32rle | m68000 | m68k | m88k \ + | maxq | mb | microblaze | mcore | mep | metag \ +@@ -291,7 +298,7 @@ case $basic_machine in + | pdp10 | pdp11 | pj | pjl \ + | powerpc | powerpc64 | powerpc64le | powerpcle \ + | pyramid \ +- | rx \ ++ | rl78 | rx \ + | score \ + | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh64 | sh64le \ +@@ -300,7 +307,7 @@ case $basic_machine in + | spu \ + | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ + | ubicom32 \ +- | v850 | v850e \ ++ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ + | we32k \ + | x86 | xc16x | xstormy16 | xtensa \ + | z8k | z80) +@@ -315,8 +322,7 @@ case $basic_machine in + c6x) + basic_machine=tic6x-unknown + ;; +- m6811 | m68hc11 | m6812 | m68hc12 | picochip) +- # Motorola 68HC11/12. ++ m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) + basic_machine=$basic_machine-unknown + os=-none + ;; +@@ -329,7 +335,10 @@ case $basic_machine in + strongarm | thumb | xscale) + basic_machine=arm-unknown + ;; +- ++ xgate) ++ basic_machine=$basic_machine-unknown ++ os=-none ++ ;; + xscaleeb) + basic_machine=armeb-unknown + ;; +@@ -352,11 +361,13 @@ case $basic_machine in + # Recognize the basic CPU types with company name. 
+ 580-* \ + | a29k-* \ ++ | aarch64-* | aarch64_be-* \ + | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ + | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ + | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* | avr32-* \ ++ | be32-* | be64-* \ + | bfin-* | bs2000-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* \ + | clipper-* | craynv-* | cydra-* \ +@@ -365,8 +376,10 @@ case $basic_machine in + | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ + | h8300-* | h8500-* \ + | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ ++ | hexagon-* \ + | i*86-* | i860-* | i960-* | ia64-* \ + | ip2k-* | iq2000-* \ ++ | le32-* | le64-* \ + | lm32-* \ + | m32c-* | m32r-* | m32rle-* \ + | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ +@@ -400,7 +413,7 @@ case $basic_machine in + | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ + | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ + | pyramid-* \ +- | romp-* | rs6000-* | rx-* \ ++ | rl78-* | romp-* | rs6000-* | rx-* \ + | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ +@@ -408,10 +421,11 @@ case $basic_machine in + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ + | tahoe-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ +- | tile-* | tilegx-* \ ++ | tile*-* \ + | tron-* \ + | ubicom32-* \ +- | v850-* | v850e-* | vax-* \ ++ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ ++ | vax-* \ + | we32k-* \ + | x86-* | x86_64-* | xc16x-* | xps100-* \ + | xstormy16-* | xtensa*-* \ +@@ -711,7 +725,6 @@ case $basic_machine in + i370-ibm* | ibm*) + basic_machine=i370-ibm + ;; +-# I'm not sure what "Sysv32" means. Should this be sysv3.2? 
+ i*86v32) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv32 +@@ -808,10 +821,18 @@ case $basic_machine in + ms1-*) + basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` + ;; ++ msys) ++ basic_machine=i386-pc ++ os=-msys ++ ;; + mvs) + basic_machine=i370-ibm + os=-mvs + ;; ++ nacl) ++ basic_machine=le32-unknown ++ os=-nacl ++ ;; + ncr3000) + basic_machine=i486-ncr + os=-sysv4 +@@ -1120,13 +1141,8 @@ case $basic_machine in + basic_machine=t90-cray + os=-unicos + ;; +- # This must be matched before tile*. +- tilegx*) +- basic_machine=tilegx-unknown +- os=-linux-gnu +- ;; + tile*) +- basic_machine=tile-unknown ++ basic_machine=$basic_machine-unknown + os=-linux-gnu + ;; + tx39) +@@ -1336,7 +1352,7 @@ case $os in + | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ + | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ + | -chorusos* | -chorusrdb* | -cegcc* \ +- | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ ++ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -linux-gnu* | -linux-android* \ + | -linux-newlib* | -linux-uclibc* \ + | -uxpv* | -beos* | -mpeix* | -udk* \ +@@ -1548,9 +1564,6 @@ case $basic_machine in + ;; + m68000-sun) + os=-sunos3 +- # This also exists in the configure program, but was not the +- # default. +- # os=-sunos4 + ;; + m68*-cisco) + os=-aout diff -Nru gnupg2-2.0.17/debian/patches/gnupg2-fix-libgcrypt.diff gnupg2-2.0.17/debian/patches/gnupg2-fix-libgcrypt.diff --- gnupg2-2.0.17/debian/patches/gnupg2-fix-libgcrypt.diff 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.0.17/debian/patches/gnupg2-fix-libgcrypt.diff 2011-08-24 10:25:36.000000000 +0000 
@@ -0,0 +1,42 @@
+From: Werner Koch
+Subject: [PATCH] Fix a for a bug fix in the latest Libgcrypt.
+
+ * pkglue.c (mpi_from_sexp, pk_decrypt): Use GCRYMPI_FMT_USG for
+ gcry_sexp_nth_mpi. This fixes a problem with a recent bug fix in
+ Libgcrypt.
+
+Origin: upstream, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=13290b0e0fcf3a493e4848b29329d56b69bc4dd9
+Last-Update: 2011-07-23
+---
+ g10/pkglue.c | 6 +-
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/g10/pkglue.c b/g10/pkglue.c
+index cbfe21e..5c47511 100644
+--- a/g10/pkglue.c
++++ b/g10/pkglue.c
+@@ -34,10 +34,10 @@ mpi_from_sexp (gcry_sexp_t sexp, const char * item)
+ {
+ gcry_sexp_t list;
+ gcry_mpi_t data;
+-
++
+ list = gcry_sexp_find_token (sexp, item, 0);
+ assert (list);
+- data = gcry_sexp_nth_mpi (list, 1, 0);
++ data = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG);
+ assert (data);
+ gcry_sexp_release (list);
+ return data;
+@@ -293,7 +293,7 @@ pk_decrypt (int algo, gcry_mpi_t * result, gcry_mpi_t * data,
+ if (rc)
+ return rc;
+
+- *result = gcry_sexp_nth_mpi (s_plain, 0, 0);
++ *result = gcry_sexp_nth_mpi (s_plain, 0, GCRYMPI_FMT_USG);
+ gcry_sexp_release (s_plain);
+ if (!*result)
+ return -1; /* oops */
+--
+1.7.1
+
diff -Nru gnupg2-2.0.17/debian/patches/long-keyids.diff gnupg2-2.0.17/debian/patches/long-keyids.diff
--- gnupg2-2.0.17/debian/patches/long-keyids.diff 1970-01-01 00:00:00.000000000 +0000
+++ gnupg2-2.0.17/debian/patches/long-keyids.diff 2012-08-14 17:11:47.000000000 +0000
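Review bot: Neither changed call to `gcry_sexp_nth_mpi` (in `mpi_from_sexp` and in `pk_decrypt`) says why the format argument is now `GCRYMPI_FMT_USG`, and the patch header only refers to "a recent bug fix in Libgcrypt", so a later cleanup could turn it back into `0`. I would add a short comment at both sites, for example `/* These values are unsigned: request GCRYMPI_FMT_USG explicitly rather than passing 0 for the default format. */`. Separately, the context lines of `mpi_from_sexp` validate `list` and `data` only with `assert`, which gives no check in a build with NDEBUG; whether that matters depends on how the callers obtain the S-expression, which is not visible here. Both function bodies extend beyond the inner hunks.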
@@ -0,0 +1,47 @@
+Description: Use the longest key ID available when requesting a key from
+ a key server
+Origin: upstream, http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=3005b0a6f43e53bed2f9b6fba7ad1205bdb29bc5
+Bug: https://bugs.g10code.com/gnupg/issue1340
+
+Index: gnupg2-2.0.17/keyserver/gpgkeys_hkp.c
+===================================================================
+--- gnupg2-2.0.17.orig/keyserver/gpgkeys_hkp.c 2011-01-09 17:06:17.000000000 -0500
++++ gnupg2-2.0.17/keyserver/gpgkeys_hkp.c 2012-07-24 10:40:43.391301471 -0400
+@@ -241,9 +241,10 @@
+ get_key(char *getkey)
+ {
+ CURLcode res;
+- char request[MAX_URL+60];
++ char request[MAX_URL+92];
+ char *offset;
+ struct curl_writer_ctx ctx;
++ size_t keylen;
+
+ memset(&ctx,0,sizeof(ctx));
+
+@@ -269,14 +270,19 @@
+ strcat(request,port);
+ strcat(request,opt->path);
+ /* request is MAX_URL+55 bytes long - MAX_URL covers the whole URL,
+- including any supplied path. The 60 overcovers this /pks/... etc
+- string plus the 8 bytes of key id */
++ including any supplied path. The 92 overcovers this /pks/... etc
++ string plus the 8, 16, or 40 bytes of key id/fingerprint */
+ append_path(request,"/pks/lookup?op=get&options=mr&search=0x");
+
+- /* fingerprint or long key id. Take the last 8 characters and treat
+- it like a short key id */
+- if(strlen(getkey)>8)
+- offset=&getkey[strlen(getkey)-8];
++ /* send only fingerprint, long key id, or short keyid. see:
++ https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-3.1.1.1 */
++ keylen = strlen(getkey);
++ if(keylen >= 40)
++ offset=&getkey[keylen-40];
++ else if(keylen >= 16)
++ offset=&getkey[keylen-16];
++ else if(keylen >= 8)
++ offset=&getkey[keylen-8];
+ else
+ offset=getkey;
+
diff -Nru gnupg2-2.0.17/debian/patches/series gnupg2-2.0.17/debian/patches/series
--- gnupg2-2.0.17/debian/patches/series 2011-02-13 21:34:42.000000000 +0000
+++ gnupg2-2.0.17/debian/patches/series 2015-03-25 20:37:49.000000000 +0000
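Review bot: The context comment kept above `append_path` still states that request is "MAX_URL+55 bytes long", which no longer describes the worst case: by my count the lookup string is 39 characters and a fingerprint adds up to 40 more, so the new `MAX_URL+92` size is what actually covers it. Since the buffer is filled with unbounded `strcat` calls, that comment is the only record of the size arithmetic and should be kept accurate, e.g. `/* request needs MAX_URL for the URL and path, plus the 39-byte lookup string, up to 40 bytes of key id or fingerprint and the NUL; 92 leaves headroom */`. The tail selection also maps any length that is not exactly 8, 16 or 40 to the next shorter form (a 32-character input is sent as its last 16 characters) and does not check that the characters are hex digits; it may be worth rejecting such input before building the URL, if callers do not already. `get_key` continues outside both inner hunks, so the final copy of `offset` into `request` is not visible.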
@@ -1,2 +1,17 @@ 01-gnupg2-rename.diff debian-changes-2.0.17-2 +debian-changes-2.0.17-2ubuntu1 +gnupg2-fix-libgcrypt.diff +long-keyids.diff +debian-changes-2.0.17-2ubuntu1.12.04.1 +CVE-2012-6085.patch +CVE-2013-4351.patch +CVE-2013-4402.patch +CVE-2014-4617.patch +0001-Screen-keyserver-responses.patch +0002-Make-screening-of-keyserver-result-work-with-multi-k.patch +0003-Add-kbnode_t-for-easier-backporting.patch +0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch +Add-build-and-runtime-support-for-larger-RSA-key.patch +CVE-2015-1606.patch +CVE-2015-1607.patch diff -Nru gnupg2-2.0.17/debian/rules gnupg2-2.0.17/debian/rules --- gnupg2-2.0.17/debian/rules 2011-02-13 21:33:38.000000000 +0000 +++ gnupg2-2.0.17/debian/rules 2015-03-25 20:45:53.000000000 +0000 @@ -50,7 +50,8 @@ --prefix=/usr --with-included-gettext \ --with-zlib=/usr --infodir=/usr/share/info/ \ --mandir='$${prefix}/share/man' --libexecdir=/usr/lib/gnupg2 \ - --sysconfdir=/etc --enable-gpg --enable-symcryptrun + --sysconfdir=/etc --enable-gpg --enable-symcryptrun \ + --enable-large-secmem touch config-stamp @@ -115,6 +116,7 @@ dh_installexamples -a dh_installinfo -a dh_installchangelogs -a + dh_installudev -a dh_lintian -a $(install_file) debian/gnupg-agent.xsession debian/gnupg-agent/etc/X11/Xsession.d/90gpg-agent