diffstat of debian/ for gnupg2_2.2.8-3 gnupg2_2.2.8-3ubuntu1.1 changelog | 209 ++++++++ control | 3 patches/CVE-2018-1000858.patch | 712 ++++++++++++++++++++++++++++++ patches/dirmngr-honor-http-proxy.patch | 18 patches/series | 2 systemd-environment-generator/90gpg-agent | 2 6 files changed, 945 insertions(+), 1 deletion(-) diff -Nru gnupg2-2.2.8/debian/changelog gnupg2-2.2.8/debian/changelog --- gnupg2-2.2.8/debian/changelog 2018-06-21 16:18:14.000000000 +0000 +++ gnupg2-2.2.8/debian/changelog 2019-01-10 13:01:09.000000000 +0000 @@ -1,3 +1,24 @@ +gnupg2 (2.2.8-3ubuntu1.1) cosmic-security; urgency=medium + + * SECURITY UPDATE: CSRF in dirmngr + - debian/patches/CVE-2018-1000858.patch: don't follow a redirect in + dirmngr/Makefile.am, dirmngr/http.c, dirmngr/http.h, + dirmngr/ks-engine-hkp.c, dirmngr/ks-engine-http.c, + dirmngr/t-http-basic.c, dirmngr/t-http.c. + - CVE-2018-1000858 + + -- Marc Deslauriers Thu, 10 Jan 2019 08:01:09 -0500 + +gnupg2 (2.2.8-3ubuntu1) cosmic; urgency=medium + + * Sync with Debian. Remaining changes: + - Honor http_proxy= environment variables by default in the systemd + user session dirmngr service. LP: #1625848 + (debian/patches/dirmngr-honor-http-proxy.patch) + - Export GPG_AGENT_INFO in the systemd-environment-generator too. + + -- Jeremy Bicha Mon, 03 Sep 2018 20:43:20 -0400 + gnupg2 (2.2.8-3) unstable; urgency=medium * Ensure arch: all gnupg package supports binMNUs @@ -19,6 +40,23 @@ -- Daniel Kahn Gillmor Wed, 20 Jun 2018 06:56:09 -0400 +gnupg2 (2.2.8-1ubuntu1) cosmic; urgency=low + + * Merge from Debian unstable to fix CVE-2018-12020. Remaining changes: + - Honor http_proxy= environment variables by default in the systemd + user session dirmngr service. LP: #1625848 + (debian/patches/dirmngr-honor-http-proxy.patch) + - Export GPG_AGENT_INFO in the systemd-environment-generator too. + * dropped due to applied in debian: + - debian/gnupg2.udev: + - udev rules to set ACLs on SCM smartcard readers. + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. (applied in scdaemon in 2.1.11-7+exp1) + * dropped (no longer needed): + - Add breaks for software-properties-common at 0.96.24.3 or lower. + + -- Steve Beattie Wed, 13 Jun 2018 11:44:59 -0700 + gnupg2 (2.2.8-1) unstable; urgency=medium * New upstream release @@ -63,6 +101,25 @@ -- Daniel Kahn Gillmor Mon, 05 Feb 2018 23:07:21 -0500 +gnupg2 (2.2.4-1ubuntu1) bionic; urgency=medium + + * Merge from Debian unstable, remaining changes: + - debian/gnupg2.udev: + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. + - udev rules to set ACLs on SCM smartcard readers. + - Add breaks for software-properties-common at 0.96.24.3 or lower. + - Honor http_proxy= environment variables by default in the systemd + user session dirmngr service. LP: #1625848 + - Export GPG_AGENT_INFO in the systemd-environment-generator too. + + * Dropped changes: + - Removed user session upstart support. + - Removed gpg-agent.service changes, use Debian's environment generator instead. + - Patch to set GNUPGHOME for tests, fixed in debian/upstream. + + -- Dimitri John Ledkov Thu, 11 Jan 2018 13:33:17 +0000 + gnupg2 (2.2.4-1) unstable; urgency=medium * New upstream release @@ -462,6 +519,85 @@ -- Daniel Kahn Gillmor Wed, 31 Aug 2016 12:37:48 -0400 +gnupg2 (2.1.15-1ubuntu8) artful; urgency=medium + + * debian/patches/0005-set-gnupghome-for-tests.patch: + - set GNUPGHOME to a directory under the build directory as the + default value relies on $HOME which shouldn't be used during + the package build. LP: #1722939. + + -- Tiago Stürmer Daitx Wed, 11 Oct 2017 20:20:46 +0000 + +gnupg2 (2.1.15-1ubuntu7) zesty; urgency=medium + + * gpg-agent.conf: use XDG_RUNTIME_DIR for ssh-agent socket, in the + upstart user session job too. LP: #1675925. + + -- Dimitri John Ledkov Wed, 29 Mar 2017 16:15:15 +0100 + +gnupg2 (2.1.15-1ubuntu6) yakkety; urgency=medium + + * gpg-agent.service: use XDG_RUNTIME_DIR for ssh-agent socket, instead + of GNUPGHOME. LP: #1631320. + + -- Dimitri John Ledkov Fri, 07 Oct 2016 11:20:28 +0100 + +gnupg2 (2.1.15-1ubuntu5) yakkety; urgency=medium + + * gpg-agent.service: Properly escape "\$10" to avoid warning. (LP: #1615726) + + -- Martin Pitt Thu, 06 Oct 2016 23:10:50 +0200 + +gnupg2 (2.1.15-1ubuntu4) yakkety; urgency=medium + + * Honor http_proxy= environment variables by default, in the newly + generated dirmngr.conf files. Existing users behing proxies should set + honor-http-proxy in $GNUPGHOME/dirmngr.conf, see + /usr/share/gnupg/dirmngr-conf.skel. LP: #1625848 + + -- Dimitri John Ledkov Wed, 21 Sep 2016 02:23:54 +0100 + +gnupg2 (2.1.15-1ubuntu3) yakkety; urgency=medium + + * No-change rebuild for readline soname change. + + -- Matthias Klose Sat, 17 Sep 2016 12:02:46 +0000 + +gnupg2 (2.1.15-1ubuntu2) yakkety; urgency=medium + + * Add breaks for software-properties-common at 0.96.24.3 or lower. + + -- Dimitri John Ledkov Thu, 01 Sep 2016 11:34:12 +0100 + +gnupg2 (2.1.15-1ubuntu1) yakkety; urgency=medium + + * gnupg is now 2.1. LP: #1615039 + * Merge from Debian unstable, remaining changes: + - debian/systemd-user/gpg-agent.service: + - Set the environment variables in ExecStartPre - Post has a race + condition as other SSH agent providers can start up after ExecStart + finishes. The ExecStopPost commands are run in the case of failure, to + unset them. + - Be Before= gnome-keyring-ssh and ssh-agent - if someone has explicitly + asked for gpg-agent to be their SSH agent then we want to win. + - Set $SSH_AGENT_LAUNCHER so that we can avoid executing gpgconf in the + ExecStopPost. + - Ignore initctl failures - eventually this will go away. + - debian/upstart-user/: + - Add upstart user session jobs + - Add upstart override for the upstart user session jobs, when user + systemd is present + - debian/Xsession.d/90gpg-agent: + - Don't run if we have a systemd user instance. We want to phase out + the Xsession.d scripts, and use the systemd/upstart scripts so that + things also work under Mir. + - debian/gnupg2.udev: + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. + - udev rules to set ACLs on SCM smartcard readers. + + -- Dimitri John Ledkov Wed, 31 Aug 2016 13:35:55 +0100 + gnupg2 (2.1.15-1) unstable; urgency=medium * new upstream release @@ -629,6 +765,58 @@ -- Daniel Kahn Gillmor Mon, 28 Mar 2016 23:27:43 -0400 +gnupg2 (2.1.11-6ubuntu4) yakkety; urgency=medium + + * debian/user/gpg-agent.service: + - Set the environment variables in ExecStartPre - Post has a race + condition as other SSH agent providers can start up after ExecStart + finishes. The ExecStopPost commands are run in the case of failure, to + unset them. + - Be Before= gnome-keyring-ssh and ssh-agent - if someone has explicitly + asked for gpg-agent to be their SSH agent then we want to win. + - Set $SSH_AGENT_LAUNCHER so that we can avoid executing gpgconf in the + ExecStopPost. + - Ignore initctl failures - eventually this will go away. + + -- Iain Lane Thu, 04 Aug 2016 11:16:01 +0100 + +gnupg2 (2.1.11-6ubuntu3) yakkety; urgency=medium + + * debian/user/: Add systemd user unit and upstart override for gpg-agent. + * debian/gnupg-agent.xsession: Don't run if we have a systemd user instance. + We want to phase out the Xsession.d scripts, and use the systemd/upstart + scripts so that things also work under Mir. + + -- Martin Pitt Tue, 19 Jul 2016 17:35:01 +0200 + +gnupg2 (2.1.11-6ubuntu2) xenial; urgency=medium + + * Fix upstart user-session integration with new pinentry: + - restart gpg-agent, once dbus is started, such that agent has DBUS + session environemnt set and can connect to the pinentry-gnome3 Closes: + #790316 Closes: #795368 LP: #1566928 + - use gpgconf to launch/kill gpg-agent and to check settings + + -- Dimitri John Ledkov Fri, 08 Apr 2016 08:55:10 +0100 + +gnupg2 (2.1.11-6ubuntu1) xenial; urgency=medium + + * Adds support for --pinentry= argument for gpgme1.0 (LP: #1564234) + * Merge with debian, remaining changes: + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. + - debian/gnupg2.udev: udev rules to set ACLs on SCM smartcard readers. + - Add upstart user job for gpg-agent. + * Dropped no longer applicable changes in merge: + - Drop sh prefix from openpgp test environment as it leads to exec + invocations of sh /bin/bash leading to syntax errors from sh. Fixes + FTBFS detected in Ubuntu saucy archive rebuild. + - debian/control: drop dirmngr to Suggests as it is in universe. + - gcc5-fix.patch: add upstream fix for an optimization issue when + compiling with gcc 5. + + -- Mario Limonciello Wed, 30 Mar 2016 23:20:09 -0500 + gnupg2 (2.1.11-6) unstable; urgency=medium * avoid FTBFS with patch from upstream (Closes: #814842) @@ -833,6 +1021,27 @@ -- Daniel Kahn Gillmor Wed, 29 Oct 2014 17:53:06 -0400 +gnupg2 (2.0.28-3ubuntu2) xenial; urgency=medium + + * debian/gcc5-fix.patch: add upstream fix for an optimization issue when + compiling with gcc 5. (LP: #1501634) + + -- Marc Deslauriers Tue, 09 Feb 2016 16:11:42 -0500 + +gnupg2 (2.0.28-3ubuntu1) wily; urgency=low + + * Merge from Debian, remaining changes: + - Drop sh prefix from openpgp test environment as it leads to exec + invocations of sh /bin/bash leading to syntax errors from sh. Fixes + FTBFS detected in Ubuntu saucy archive rebuild. + - Add udev rules to give gpg access to some smartcard readers; + Debian #543217. + - debian/gnupg2.udev: udev rules to set ACLs on SCM smartcard readers. + - Add upstart user job for gpg-agent. + - debian/control: drop dirmngr to Suggests as it is in universe. + + -- Iain Lane Mon, 13 Jul 2015 13:18:38 +0100 + gnupg2 (2.0.28-3) unstable; urgency=medium * pass DBUS_SESION_BUS_ADDRESS to the agent for gnome3. diff -Nru gnupg2-2.2.8/debian/control gnupg2-2.2.8/debian/control --- gnupg2-2.2.8/debian/control 2018-06-21 16:11:26.000000000 +0000 +++ gnupg2-2.2.8/debian/control 2018-09-04 00:43:20.000000000 +0000 @@ -1,7 +1,8 @@ Source: gnupg2 Section: utils Priority: optional -Maintainer: Debian GnuPG Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuPG Maintainers Uploaders: Eric Dorland , Daniel Kahn Gillmor , diff -Nru gnupg2-2.2.8/debian/patches/CVE-2018-1000858.patch gnupg2-2.2.8/debian/patches/CVE-2018-1000858.patch --- gnupg2-2.2.8/debian/patches/CVE-2018-1000858.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.2.8/debian/patches/CVE-2018-1000858.patch 2019-01-10 13:01:05.000000000 +0000 @@ -0,0 +1,712 @@ +From 4a4bb874f63741026bd26264c43bb32b1099f060 Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Thu, 22 Nov 2018 22:27:56 +0100 +Subject: [PATCH] dirmngr: Avoid possible CSRF attacks via http redirects. + +* dirmngr/http.h (parsed_uri_s): Add fields off_host and off_path. +(http_redir_info_t): New. +* dirmngr/http.c (do_parse_uri): Set new fields. +(same_host_p): New. +(http_prepare_redirect): New. +* dirmngr/t-http-basic.c: New test. +* dirmngr/ks-engine-hkp.c (send_request): Use http_prepare_redirect +instead of the open code. +* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. +-- + +With this change a http query will not follow a redirect unless the +Location header gives the same host. If the host is different only +the host and port is taken from the Location header and the original +path and query parts are kept. + +Signed-off-by: Werner Koch +(cherry picked from commit fa1b1eaa4241ff3f0634c8bdf8591cbc7c464144) +--- + dirmngr/Makefile.am | 11 ++- + dirmngr/http.c | 171 +++++++++++++++++++++++++++++++++++++++- + dirmngr/http.h | 21 +++++ + dirmngr/ks-engine-hkp.c | 56 ++++--------- + dirmngr/ks-engine-http.c | 68 +++++----------- + dirmngr/t-http-basic.c | 199 +++++++++++++++++++++++++++++++++++++++++++++++ + dirmngr/t-http.c | 4 +- + 7 files changed, 435 insertions(+), 95 deletions(-) + create mode 100644 dirmngr/t-http-basic.c + +Index: gnupg2-2.2.8/dirmngr/Makefile.am +=================================================================== +--- gnupg2-2.2.8.orig/dirmngr/Makefile.am 2019-01-10 08:01:02.456656493 -0500 ++++ gnupg2-2.2.8/dirmngr/Makefile.am 2019-01-10 08:01:02.452656485 -0500 +@@ -120,7 +120,7 @@ t_common_ldadd = $(libcommon) $(LIBASSUA + $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) \ + $(DNSLIBS) $(LIBINTL) $(LIBICONV) + +-module_tests = ++module_tests = t-http-basic + + if USE_LDAP + module_tests += t-ldap-parse-uri +@@ -151,6 +151,15 @@ t_http_CFLAGS = -DWITHOUT_NPTH=1 $(USE + t_http_LDADD = $(t_common_ldadd) \ + $(NTBTLS_LIBS) $(KSBA_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS) + ++t_http_basic_SOURCES = $(t_common_src) t-http-basic.c http.c \ ++ dns-stuff.c http-common.c ++t_http_basic_CFLAGS = -DWITHOUT_NPTH=1 $(USE_C99_CFLAGS) \ ++ $(LIBGCRYPT_CFLAGS) $(NTBTLS_CFLAGS) $(LIBGNUTLS_CFLAGS) \ ++ $(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS) $(KSBA_CFLAGS) ++t_http_basic_LDADD = $(t_common_ldadd) \ ++ $(NTBTLS_LIBS) $(KSBA_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS) ++ ++ + t_ldap_parse_uri_SOURCES = \ + t-ldap-parse-uri.c ldap-parse-uri.c ldap-parse-uri.h \ + http.c http-common.c dns-stuff.c \ +Index: gnupg2-2.2.8/dirmngr/http.c +=================================================================== +--- gnupg2-2.2.8.orig/dirmngr/http.c 2019-01-10 08:01:02.456656493 -0500 ++++ gnupg2-2.2.8/dirmngr/http.c 2019-01-10 08:01:02.452656485 -0500 +@@ -1347,6 +1347,8 @@ do_parse_uri (parsed_uri_t uri, int only + uri->v6lit = 0; + uri->onion = 0; + uri->explicit_port = 0; ++ uri->off_host = 0; ++ uri->off_path = 0; + + /* A quick validity check. */ + if (strspn (p, VALID_URI_CHARS) != n) +@@ -1390,7 +1392,19 @@ do_parse_uri (parsed_uri_t uri, int only + { + p += 2; + if ((p2 = strchr (p, '/'))) +- *p2++ = 0; ++ { ++ if (p2 - uri->buffer > 10000) ++ return GPG_ERR_BAD_URI; ++ uri->off_path = p2 - uri->buffer; ++ *p2++ = 0; ++ } ++ else ++ { ++ n = (p - uri->buffer) + strlen (p); ++ if (n > 10000) ++ return GPG_ERR_BAD_URI; ++ uri->off_path = n; ++ } + + /* Check for username/password encoding */ + if ((p3 = strchr (p, '@'))) +@@ -1409,11 +1423,19 @@ do_parse_uri (parsed_uri_t uri, int only + *p3++ = '\0'; + /* worst case, uri->host should have length 0, points to \0 */ + uri->host = p + 1; ++ if (p - uri->buffer > 10000) ++ return GPG_ERR_BAD_URI; ++ uri->off_host = (p + 1) - uri->buffer; + uri->v6lit = 1; + p = p3; + } + else +- uri->host = p; ++ { ++ uri->host = p; ++ if (p - uri->buffer > 10000) ++ return GPG_ERR_BAD_URI; ++ uri->off_host = p - uri->buffer; ++ } + + if ((p3 = strchr (p, ':'))) + { +@@ -3490,3 +3512,148 @@ uri_query_lookup (parsed_uri_t uri, cons + + return NULL; + } ++ ++ ++/* Return true if both URI point to the same host. */ ++static int ++same_host_p (parsed_uri_t a, parsed_uri_t b) ++{ ++ return a->host && b->host && !ascii_strcasecmp (a->host, b->host); ++} ++ ++ ++/* Prepare a new URL for a HTTP redirect. INFO has flags controlling ++ * the operaion, STATUS_CODE is used for diagnostics, LOCATION is the ++ * value of the "Location" header, and R_URL reveives the new URL on ++ * success or NULL or error. Note that INFO->ORIG_URL is ++ * required. */ ++gpg_error_t ++http_prepare_redirect (http_redir_info_t *info, unsigned int status_code, ++ const char *location, char **r_url) ++{ ++ gpg_error_t err; ++ parsed_uri_t locuri; ++ parsed_uri_t origuri; ++ char *newurl; ++ char *p; ++ ++ *r_url = NULL; ++ ++ if (!info || !info->orig_url) ++ return gpg_error (GPG_ERR_INV_ARG); ++ ++ if (!info->silent) ++ log_info (_("URL '%s' redirected to '%s' (%u)\n"), ++ info->orig_url, location? location:"[none]", status_code); ++ ++ if (!info->redirects_left) ++ { ++ if (!info->silent) ++ log_error (_("too many redirections\n")); ++ return gpg_error (GPG_ERR_NO_DATA); ++ } ++ info->redirects_left--; ++ ++ if (!location || !*location) ++ return gpg_error (GPG_ERR_NO_DATA); ++ ++ err = http_parse_uri (&locuri, location, 0); ++ if (err) ++ return err; ++ ++ /* Make sure that an onion address only redirects to another ++ * onion address, or that a https address only redirects to a ++ * https address. */ ++ if (info->orig_onion && !locuri->onion) ++ { ++ http_release_parsed_uri (locuri); ++ return gpg_error (GPG_ERR_FORBIDDEN); ++ } ++ if (!info->allow_downgrade && info->orig_https && !locuri->use_tls) ++ { ++ http_release_parsed_uri (locuri); ++ return gpg_error (GPG_ERR_FORBIDDEN); ++ } ++ ++ if (info->trust_location) ++ { ++ /* We trust the Location - return it verbatim. */ ++ http_release_parsed_uri (locuri); ++ newurl = xtrystrdup (location); ++ if (!newurl) ++ { ++ err = gpg_error_from_syserror (); ++ http_release_parsed_uri (locuri); ++ return err; ++ } ++ } ++ else if ((err = http_parse_uri (&origuri, info->orig_url, 0))) ++ { ++ http_release_parsed_uri (locuri); ++ return err; ++ } ++ else if (same_host_p (origuri, locuri)) ++ { ++ /* The host is the same and thus we can take the location ++ * verbatim. */ ++ http_release_parsed_uri (origuri); ++ http_release_parsed_uri (locuri); ++ newurl = xtrystrdup (location); ++ if (!newurl) ++ { ++ err = gpg_error_from_syserror (); ++ http_release_parsed_uri (locuri); ++ return err; ++ } ++ } ++ else ++ { ++ /* We take only the host and port from the URL given in the ++ * Location. This limits the effects of redirection attacks by ++ * rogue hosts returning an URL to servers in the client's own ++ * network. We don't even include the userinfo because they ++ * should be considered similar to the path and query parts. ++ */ ++ if (!(locuri->off_path - locuri->off_host)) ++ { ++ http_release_parsed_uri (origuri); ++ http_release_parsed_uri (locuri); ++ return gpg_error (GPG_ERR_BAD_URI); ++ } ++ if (!(origuri->off_path - origuri->off_host)) ++ { ++ http_release_parsed_uri (origuri); ++ http_release_parsed_uri (locuri); ++ return gpg_error (GPG_ERR_BAD_URI); ++ } ++ ++ newurl = xtrymalloc (strlen (origuri->original) ++ + (locuri->off_path - locuri->off_host) + 1); ++ if (!newurl) ++ { ++ err = gpg_error_from_syserror (); ++ http_release_parsed_uri (origuri); ++ http_release_parsed_uri (locuri); ++ return err; ++ } ++ /* Build new URL from ++ * uriguri: scheme userinfo ---- ---- path rest ++ * locuri: ------ -------- host port ---- ---- ++ */ ++ p = newurl; ++ memcpy (p, origuri->original, origuri->off_host); ++ p += origuri->off_host; ++ memcpy (p, locuri->original + locuri->off_host, ++ (locuri->off_path - locuri->off_host)); ++ p += locuri->off_path - locuri->off_host; ++ strcpy (p, origuri->original + origuri->off_path); ++ ++ http_release_parsed_uri (origuri); ++ http_release_parsed_uri (locuri); ++ if (!info->silent) ++ log_info (_("redirection changed to '%s'\n"), newurl); ++ } ++ ++ *r_url = newurl; ++ return 0; ++} +Index: gnupg2-2.2.8/dirmngr/http.h +=================================================================== +--- gnupg2-2.2.8.orig/dirmngr/http.h 2019-01-10 08:01:02.456656493 -0500 ++++ gnupg2-2.2.8/dirmngr/http.h 2019-01-10 08:01:02.452656485 -0500 +@@ -58,6 +58,8 @@ struct parsed_uri_s + char *auth; /* username/password for basic auth. */ + char *host; /* Host (converted to lowercase). */ + unsigned short port; /* Port (always set if the host is set). */ ++ unsigned short off_host; /* Offset to the HOST respective PATH parts */ ++ unsigned short off_path; /* in the original URI buffer. */ + char *path; /* Path. */ + uri_tuple_t params; /* ";xxxxx" */ + uri_tuple_t query; /* "?xxx=yyy" */ +@@ -100,6 +102,21 @@ typedef struct http_session_s *http_sess + struct http_context_s; + typedef struct http_context_s *http_t; + ++/* An object used to track redirection infos. */ ++struct http_redir_info_s ++{ ++ unsigned int redirects_left; /* Number of still possible redirects. */ ++ const char *orig_url; /* The original requested URL. */ ++ unsigned int orig_onion:1; /* Original request was an onion address. */ ++ unsigned int orig_https:1; /* Original request was a http address. */ ++ unsigned int silent:1; /* No diagnostics. */ ++ unsigned int allow_downgrade:1;/* Allow a downgrade from https to http. */ ++ unsigned int trust_location:1; /* Trust the received Location header. */ ++}; ++typedef struct http_redir_info_s http_redir_info_t; ++ ++ ++ + /* A TLS verify callback function. */ + typedef gpg_error_t (*http_verify_cb_t) (void *opaque, + http_t http, +@@ -176,5 +193,9 @@ gpg_error_t http_verify_server_credentia + char *http_escape_string (const char *string, const char *specials); + char *http_escape_data (const void *data, size_t datalen, const char *specials); + ++gpg_error_t http_prepare_redirect (http_redir_info_t *info, ++ unsigned int status_code, ++ const char *location, char **r_url); ++ + + #endif /*GNUPG_COMMON_HTTP_H*/ +Index: gnupg2-2.2.8/dirmngr/ks-engine-hkp.c +=================================================================== +--- gnupg2-2.2.8.orig/dirmngr/ks-engine-hkp.c 2019-01-10 08:01:02.456656493 -0500 ++++ gnupg2-2.2.8/dirmngr/ks-engine-hkp.c 2019-01-10 08:01:02.452656485 -0500 +@@ -1154,18 +1154,21 @@ send_request (ctrl_t ctrl, const char *r + gpg_error_t err; + http_session_t session = NULL; + http_t http = NULL; +- int redirects_left = MAX_REDIRECTS; ++ http_redir_info_t redirinfo = { MAX_REDIRECTS }; + estream_t fp = NULL; + char *request_buffer = NULL; + parsed_uri_t uri = NULL; +- int is_onion; + + *r_fp = NULL; + + err = http_parse_uri (&uri, request, 0); + if (err) + goto leave; +- is_onion = uri->onion; ++ redirinfo.orig_url = request; ++ redirinfo.orig_onion = uri->onion; ++ redirinfo.allow_downgrade = 1; ++ /* FIXME: I am not sure whey we allow a downgrade for hkp requests. ++ * Needs at least an explanation here.. */ + + err = http_session_new (&session, httphost, + ((ctrl->http_no_crl? HTTP_FLAG_NO_CRL : 0) +@@ -1246,45 +1249,18 @@ send_request (ctrl_t ctrl, const char *r + case 302: + case 307: + { +- const char *s = http_get_header (http, "Location"); +- +- log_info (_("URL '%s' redirected to '%s' (%u)\n"), +- request, s?s:"[none]", http_get_status_code (http)); +- if (s && *s && redirects_left-- ) +- { +- if (is_onion) +- { +- /* Make sure that an onion address only redirects to +- * another onion address. */ +- http_release_parsed_uri (uri); +- uri = NULL; +- err = http_parse_uri (&uri, s, 0); +- if (err) +- goto leave; +- +- if (! uri->onion) +- { +- err = gpg_error (GPG_ERR_FORBIDDEN); +- goto leave; +- } +- } +- +- xfree (request_buffer); +- request_buffer = xtrystrdup (s); +- if (request_buffer) +- { +- request = request_buffer; +- http_close (http, 0); +- http = NULL; +- goto once_more; +- } +- err = gpg_error_from_syserror (); +- } +- else +- err = gpg_error (GPG_ERR_NO_DATA); +- log_error (_("too many redirections\n")); ++ xfree (request_buffer); ++ err = http_prepare_redirect (&redirinfo, http_get_status_code (http), ++ http_get_header (http, "Location"), ++ &request_buffer); ++ if (err) ++ goto leave; ++ ++ request = request_buffer; ++ http_close (http, 0); ++ http = NULL; + } +- goto leave; ++ goto once_more; + + case 501: + err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); +Index: gnupg2-2.2.8/dirmngr/ks-engine-http.c +=================================================================== +--- gnupg2-2.2.8.orig/dirmngr/ks-engine-http.c 2019-01-10 08:01:02.456656493 -0500 ++++ gnupg2-2.2.8/dirmngr/ks-engine-http.c 2019-01-10 08:01:02.452656485 -0500 +@@ -74,17 +74,18 @@ ks_http_fetch (ctrl_t ctrl, const char * + http_session_t session = NULL; + unsigned int session_flags; + http_t http = NULL; +- int redirects_left = MAX_REDIRECTS; ++ http_redir_info_t redirinfo = { MAX_REDIRECTS }; + estream_t fp = NULL; + char *request_buffer = NULL; + parsed_uri_t uri = NULL; +- int is_onion, is_https; + + err = http_parse_uri (&uri, url, 0); + if (err) + goto leave; +- is_onion = uri->onion; +- is_https = uri->use_tls; ++ redirinfo.orig_url = url; ++ redirinfo.orig_onion = uri->onion; ++ redirinfo.orig_https = uri->use_tls; ++ redirinfo.allow_downgrade = !!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE); + + /* By default we only use the system provided certificates with this + * fetch command. */ +@@ -158,53 +159,20 @@ ks_http_fetch (ctrl_t ctrl, const char * + case 302: + case 307: + { +- const char *s = http_get_header (http, "Location"); +- +- log_info (_("URL '%s' redirected to '%s' (%u)\n"), +- url, s?s:"[none]", http_get_status_code (http)); +- if (s && *s && redirects_left-- ) +- { +- if (is_onion || is_https) +- { +- /* Make sure that an onion address only redirects to +- * another onion address, or that a https address +- * only redirects to a https address. */ +- http_release_parsed_uri (uri); +- uri = NULL; +- err = http_parse_uri (&uri, s, 0); +- if (err) +- goto leave; +- +- if (is_onion && !uri->onion) +- { +- err = gpg_error (GPG_ERR_FORBIDDEN); +- goto leave; +- } +- if (!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE) +- && is_https && !uri->use_tls) +- { +- err = gpg_error (GPG_ERR_FORBIDDEN); +- goto leave; +- } +- } +- +- xfree (request_buffer); +- request_buffer = xtrystrdup (s); +- if (request_buffer) +- { +- url = request_buffer; +- http_close (http, 0); +- http = NULL; +- http_session_release (session); +- goto once_more; +- } +- err = gpg_error_from_syserror (); +- } +- else +- err = gpg_error (GPG_ERR_NO_DATA); +- log_error (_("too many redirections\n")); ++ xfree (request_buffer); ++ err = http_prepare_redirect (&redirinfo, http_get_status_code (http), ++ http_get_header (http, "Location"), ++ &request_buffer); ++ if (err) ++ goto leave; ++ ++ url = request_buffer; ++ http_close (http, 0); ++ http = NULL; ++ http_session_release (session); ++ session = NULL; + } +- goto leave; ++ goto once_more; + + default: + log_error (_("error accessing '%s': http status %u\n"), +Index: gnupg2-2.2.8/dirmngr/t-http-basic.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ gnupg2-2.2.8/dirmngr/t-http-basic.c 2019-01-10 08:01:02.452656485 -0500 +@@ -0,0 +1,199 @@ ++/* t-http-basic.c - Basic regression tests for http.c ++ * Copyright (C) 2018 g10 Code GmbH ++ * ++ * This file is part of GnuPG. ++ * ++ * GnuPG is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GnuPG is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, see . ++ * SPDX-License-Identifier: GPL-3.0-or-later ++ */ ++ ++#include ++#include ++ ++#include "../common/util.h" ++#include "t-support.h" ++#include "http.h" ++ ++#define PGM "t-http-basic" ++ ++ ++static void ++test_http_prepare_redirect (void) ++{ ++ static struct { ++ const char *url; ++ const char *location; ++ const char *expect_url; ++ gpg_error_t expect_err; ++ } tests[] = { ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ NULL, ++ "", ++ GPG_ERR_NO_DATA ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "", ++ "", ++ GPG_ERR_NO_DATA ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "foo//bla", ++ "", ++ GPG_ERR_BAD_URI ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ 0 ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ 0 ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://foo.gnupg.org:8080/.not-so-well-known/openpgpkey/hu/12345678", ++ "http://foo.gnupg.org:8080/.well-known/openpgpkey/hu/12345678", ++ 0 ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http:///.no-so-well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ GPG_ERR_BAD_URI ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org:8080/.not-so-well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org:8080/.not-so-well-known/openpgpkey/hu/12345678", ++ 0 ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org:8/.not-so-well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org:8/.not-so-well-known/openpgpkey/hu/12345678", ++ 0 ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org:/.no-so-well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org:/.no-so-well-known/openpgpkey/hu/12345678", ++ 0 ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org/", ++ "http://gnupg.org/", ++ 0 ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.net", ++ "http://gnupg.net/.well-known/openpgpkey/hu/12345678", ++ 0 ++ }, ++ { ++ "http://gnupg.org", ++ "http://gnupg.org", ++ "http://gnupg.org", ++ 0 ++ }, ++ { ++ "http://gnupg.org", ++ "http://foo.gnupg.org", ++ "http://foo.gnupg.org", ++ 0 ++ }, ++ { ++ "http://gnupg.org/", ++ "http://foo.gnupg.org", ++ "http://foo.gnupg.org/", ++ 0 ++ }, ++ { ++ "http://gnupg.org", ++ "http://foo.gnupg.org/", ++ "http://foo.gnupg.org", ++ 0 ++ }, ++ { ++ "http://gnupg.org/.well-known/openpgpkey/hu/12345678", ++ "http://gnupg.org/something-else", ++ "http://gnupg.org/something-else", ++ 0 ++ }, ++ }; ++ int tidx; ++ http_redir_info_t ri; ++ gpg_error_t err; ++ char *newurl; ++ ++ err = http_prepare_redirect (NULL, 301, tests[0].location, &newurl); ++ if (gpg_err_code (err) != GPG_ERR_INV_ARG) ++ fail (0); ++ memset (&ri, 0, sizeof ri); ++ err = http_prepare_redirect (&ri, 301, tests[0].location, &newurl); ++ if (gpg_err_code (err) != GPG_ERR_INV_ARG) ++ fail (0); ++ memset (&ri, 0, sizeof ri); ++ ri.silent = 1; ++ ri.orig_url = "http://example.org"; ++ err = http_prepare_redirect (&ri, 301, tests[0].location, &newurl); ++ if (gpg_err_code (err) != GPG_ERR_NO_DATA) ++ fail (0); ++ ++ for (tidx = 0; tidx < DIM (tests); tidx++) ++ { ++ memset (&ri, 0, sizeof ri); ++ ri.silent = 1; ++ ri.redirects_left = 1; ++ ri.orig_url = tests[tidx].url; ++ ++ err = http_prepare_redirect (&ri, 301, tests[tidx].location, &newurl); ++ if (err && newurl) ++ fail (tidx); ++ if (err && gpg_err_code (err) != tests[tidx].expect_err) ++ fail (tidx); ++ if (err) ++ continue; ++ if (!newurl) ++ fail (tidx); ++ if (strcmp (tests[tidx].expect_url, newurl)) ++ { ++ fprintf (stderr, "want: '%s'\n", tests[tidx].expect_url); ++ fprintf (stderr, "got : '%s'\n", newurl); ++ fail (tidx); ++ } ++ ++ xfree (newurl); ++ } ++} ++ ++ ++int ++main (int argc, char **argv) ++{ ++ (void)argc; ++ (void)argv; ++ ++ test_http_prepare_redirect (); ++ ++ return 0; ++} +Index: gnupg2-2.2.8/dirmngr/t-http.c +=================================================================== +--- gnupg2-2.2.8.orig/dirmngr/t-http.c 2019-01-10 08:01:02.456656493 -0500 ++++ gnupg2-2.2.8/dirmngr/t-http.c 2019-01-10 08:01:02.452656485 -0500 +@@ -394,9 +394,9 @@ main (int argc, char **argv) + else + { + printf ("Auth : %s\n", uri->auth? uri->auth:"[none]"); +- printf ("Host : %s\n", uri->host); ++ printf ("Host : %s (off=%hu)\n", uri->host, uri->off_host); + printf ("Port : %u\n", uri->port); +- printf ("Path : %s\n", uri->path); ++ printf ("Path : %s (off=%hu)\n", uri->path, uri->off_path); + for (r = uri->params; r; r = r->next) + { + printf ("Params: %s", r->name); diff -Nru gnupg2-2.2.8/debian/patches/dirmngr-honor-http-proxy.patch gnupg2-2.2.8/debian/patches/dirmngr-honor-http-proxy.patch --- gnupg2-2.2.8/debian/patches/dirmngr-honor-http-proxy.patch 1970-01-01 00:00:00.000000000 +0000 +++ gnupg2-2.2.8/debian/patches/dirmngr-honor-http-proxy.patch 2018-09-04 00:43:20.000000000 +0000 @@ -0,0 +1,18 @@ +Description: Honor http_proxy= environment variables by default + In the newly generated dirmngr.conf files only. Existing users behing + proxies should set honor-http-proxy in $GNUPGHOME/dirmngr.conf, + see /usr/share/gnupg/dirmngr-conf.skel. +Author: Dimitri John Ledkov +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1625848 + +Index: gnupg2-2.2.4/doc/examples/systemd-user/dirmngr.service +=================================================================== +--- gnupg2-2.2.4.orig/doc/examples/systemd-user/dirmngr.service ++++ gnupg2-2.2.4/doc/examples/systemd-user/dirmngr.service +@@ -4,5 +4,5 @@ Documentation=man:dirmngr(8) + Requires=dirmngr.socket + + [Service] +-ExecStart=/usr/bin/dirmngr --supervised ++ExecStart=/usr/bin/dirmngr --supervised --honor-http-proxy + ExecReload=/usr/bin/gpgconf --reload dirmngr diff -Nru gnupg2-2.2.8/debian/patches/series gnupg2-2.2.8/debian/patches/series --- gnupg2-2.2.8/debian/patches/series 2018-06-20 14:30:38.000000000 +0000 +++ gnupg2-2.2.8/debian/patches/series 2019-01-10 13:01:01.000000000 +0000 @@ -26,3 +26,5 @@ gpg-Add-new-usage-option-for-drop-subkey-filters.patch gpg-Do-not-import-revocations-with-show-keys.patch show-revocation-cert/gpg-Print-revocation-certificate-details-when-showing-wit.patch +dirmngr-honor-http-proxy.patch +CVE-2018-1000858.patch diff -Nru gnupg2-2.2.8/debian/systemd-environment-generator/90gpg-agent gnupg2-2.2.8/debian/systemd-environment-generator/90gpg-agent --- gnupg2-2.2.8/debian/systemd-environment-generator/90gpg-agent 2018-06-20 14:30:38.000000000 +0000 +++ gnupg2-2.2.8/debian/systemd-environment-generator/90gpg-agent 2018-09-04 00:43:20.000000000 +0000 @@ -3,6 +3,8 @@ # Author: rufo # See https://bugs.debian.org/855868 +agent_sock=$(gpgconf --list-dirs agent-socket) +export GPG_AGENT_INFO=${agent_sock}:0:1 if [ -n "$(gpgconf --list-options gpg-agent | \ awk -F: '/^enable-ssh-support:/{ print $10 }')" ]; then echo SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)