rpms/gnupg2/FC-4 gnupg-1.9.22-CVE-2006-6169.patch, NONE, 1.1 gnupg2.spec, 1.21, 1.22

Rex Dieter (rdieter) fedora-extras-commits at redhat.com
Fri Dec 1 14:41:19 UTC 2006


Author: rdieter

Update of /cvs/extras/rpms/gnupg2/FC-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13740

Modified Files:
	gnupg2.spec 
Added Files:
	gnupg-1.9.22-CVE-2006-6169.patch 
Log Message:
* Fri Dec 01 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-8
- CVE-2006-6169 (bug #217950) 
- --disable-optimization on 64bit archs


gnupg-1.9.22-CVE-2006-6169.patch:

--- NEW FILE gnupg-1.9.22-CVE-2006-6169.patch ---
--- gnupg-1.9.22/g10/openfile.c.CVE-2006-6169	2006-06-20 11:33:00.000000000 -0500
+++ gnupg-1.9.22/g10/openfile.c	2006-12-01 08:36:19.000000000 -0600
@@ -145,8 +145,8 @@
 
     s = _("Enter new filename");
 
-    n = strlen(s) + namelen + 10;
     defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
+    n = strlen(s) + (defname?strlen (defname):0) + 10;
     prompt = xmalloc(n);
     if( defname )
 	sprintf(prompt, "%s [%s]: ", s, defname );
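Review bot: The `sprintf` into `prompt` on the last line of the hunk is still unbounded, so the write stays within the allocation only while the `+ 10` slack and the format string are kept in step by hand. Sizing `n` from `strlen(defname)` addresses the immediate problem, presumably because the printable form returned by `make_printable_string` can be longer than `namelen`. Passing the size to the formatter as well, `snprintf(prompt, n, "%s [%s]: ", s, defname);`, would make any later mismatch truncate rather than write past the buffer. A short comment such as `/* +10 covers " [", "]: " and the terminating NUL, with slack */` would document the constant. The enclosing function starts and ends outside the hunk, so any other branch that formats into `prompt` is not visible here and should be checked the same way.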


Index: gnupg2.spec
===================================================================
RCS file: /cvs/extras/rpms/gnupg2/FC-4/gnupg2.spec,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- gnupg2.spec	18 Sep 2006 13:51:29 -0000	1.21
+++ gnupg2.spec	1 Dec 2006 14:40:49 -0000	1.22
@@ -6,35 +6,24 @@
 %define kde_scriptdir %{_prefix}
 %endif
 
-# define _enable_gpg to build/include gnupg2 binary, currently disabled because:
-# * currently doesn't build
-# * has security issue (CVE-2006-3082)
-# * upstream devs say "You shall not build the gpg part.  There is a reason why it is not
-#   enabled by default"
-#define _enable_gpg --enable-gpg
-
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 1.9.22
-Release: 6%{?dist}
+Release: 8%{?dist}
 
 License: GPL
 Group:   Applications/System
-#Source0: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-%{version}.tar.bz2
-#Source1: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-%{version}.tar.bz2.sig
-#use mirror(s), since the primary site hardly ever works anymore
-Source0: http://mirrors.rootmode.com/ftp.gnupg.org/alpha/gnupg/gnupg-%{version}.tar.bz2
-Source1: http://mirrors.rootmode.com/ftp.gnupg.org/alpha/gnupg/gnupg-%{version}.tar.bz2.sig
+Source0: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-%{version}.tar.bz2
+Source1: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-%{version}.tar.bz2.sig
 URL:     http://www.gnupg.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-# omit broken x86_64 build 
-# ExcludeArch: x86_64 
 
 # enable auto-startup/shutdown of gpg-agent
 Source10: gpg-agent-startup.sh
 Source11: gpg-agent-shutdown.sh
 
-Patch2: gnupg-1.9.16-testverbose.patch
+Patch2:   gnupg-1.9.16-testverbose.patch
+Patch100: gnupg-1.9.22-CVE-2006-6169.patch
 
 Obsoletes: newpg < 0.9.5
 
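Review bot: The comment block deleted at the top of this hunk recorded why the gpg binary is not built (it cited CVE-2006-3082 and upstream's advice), yet `%{?_enable_gpg}` is still passed to `%configure` later in the spec, so the switch remains usable with its warning gone. If those reasons still hold, keep a short form such as `# _enable_gpg is intentionally left undefined: upstream advises against building the gpg part of 1.9.x`. Separately, `Source0` and `Source1` now point at plain `ftp://` URLs, and nothing in the `%prep` lines visible on this page checks the tarball against the `.sig`. The integrity of the source therefore rests on how it was fetched and verified outside the spec, which is worth stating in a comment next to the `Source` lines.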
@@ -85,7 +74,8 @@
 %prep
 %setup -q -n gnupg-%{version}
 
-%patch2 -p1 -b .testverbose
+%patch2   -p1 -b .testverbose
+%patch100 -p1 -b .CVE-2006-6169
 
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@@ -104,6 +94,9 @@
 %configure \
   --disable-rpath \
   --disable-dependency-tracking \
+%if "%{_lib}" == "lib64"
+  --disable-optimization \
+%endif
   %{?_enable_gpg}
 
 make %{?_smp_mflags}
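Review bot: The added `--disable-optimization` for `lib64` builds has no comment saying what it works around, and it may also weaken hardening on those architectures. If the distribution's compiler flags include `_FORTIFY_SOURCE`, those checks need an optimized build to take effect, so the 64-bit packages could ship without them; worth confirming against the build log. A comment above `%configure` such as `# 64-bit archs: built with --disable-optimization because <reason / bug reference>` would record the cause and make the workaround easy to remove once it is fixed.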
@@ -172,6 +165,10 @@
 
 
 %changelog
+* Fri Dec 01 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-8
+- CVE-2006-6169 (bug #217950) 
+- --disable-optmization on 64bit archs
+
 * Mon Sep 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-7
 - gpg-agent-startup.sh: fix case where valid .gpg-agent-info exists
 



