[1/2] gnupg: CVE-2013-4351

Submitted by jackie huang on March 26, 2014, 8:32 a.m.

Details

Message ID f7bb5746bd55de4d8018f18efddaca97af58e7a1.1395822606.git.jackie.huang@windriver.com
State Accepted
Commit 259aebc9dbcaeb1587aaaab849942f55fa321724
Headers show

Commit Message

jackie huang March 26, 2014, 8:32 a.m.
From: Ming Liu <ming.liu@windriver.com>

GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits
cleared (no usage permitted) as if it has all bits set (all usage permitted),
which might allow remote attackers to bypass intended cryptographic protection
mechanisms by leveraging the subkey.

Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 .../gnupg/gnupg-1.4.7/CVE-2013-4351.patch          |   44 ++++++++++++++++++++
 meta/recipes-support/gnupg/gnupg_1.4.7.bb          |    4 +-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch

Patch hide | download patch | download mbox

diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
new file mode 100644
index 0000000..b29ede4
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
@@ -0,0 +1,44 @@ 
+Upstream-Status: Backport
+
+Index: gnupg-1.4.7/g10/getkey.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/getkey.c	2007-03-05 16:54:41.000000000 +0800
++++ gnupg-1.4.7/g10/getkey.c	2013-11-28 14:41:59.640212240 +0800
+@@ -1454,7 +1454,11 @@
+ 
+       if(flags)
+ 	key_usage |= PUBKEY_USAGE_UNKNOWN;
++      if (!key_usage)
++	key_usage |= PUBKEY_USAGE_NONE;
+     }
++  else if (p)
++    key_usage |= PUBKEY_USAGE_NONE;
+ 
+   /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
+      capability that we do not handle.  This serves to distinguish
+Index: gnupg-1.4.7/g10/keygen.c
+===================================================================
+--- gnupg-1.4.7.orig/g10/keygen.c	2007-02-05 00:27:40.000000000 +0800
++++ gnupg-1.4.7/g10/keygen.c	2013-11-28 14:43:05.016670092 +0800
+@@ -209,9 +209,6 @@
+     if (use & PUBKEY_USAGE_AUTH)
+         buf[0] |= 0x20;
+ 
+-    if (!buf[0]) 
+-        return;
+-
+     build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
+ }
+ 
+Index: gnupg-1.4.7/include/cipher.h
+===================================================================
+--- gnupg-1.4.7.orig/include/cipher.h	2006-04-21 20:39:49.000000000 +0800
++++ gnupg-1.4.7/include/cipher.h	2013-11-28 14:49:24.159322744 +0800
+@@ -52,6 +52,7 @@
+ #define PUBKEY_USAGE_CERT    4      /* key is also good to certify other keys*/
+ #define PUBKEY_USAGE_AUTH    8      /* key is good for authentication */
+ #define PUBKEY_USAGE_UNKNOWN 128    /* key has an unknown usage bit */
++#define PUBKEY_USAGE_NONE    256    /* No usage given. */
+ 
+ #define DIGEST_ALGO_MD5       1
+ #define DIGEST_ALGO_SHA1      2
diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
index fcc5fba..83d8fab 100644
--- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb
+++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb
@@ -14,7 +14,9 @@  SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \
            file://configure.patch \
            file://mips_gcc4.4.patch \
            file://GnuPG1-CVE-2012-6085.patch \
-           file://curl_typeof_fix_backport.patch"
+           file://curl_typeof_fix_backport.patch \
+           file://CVE-2013-4351.patch \
+	  "
 
 SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c"
 SRC_URI[sha256sum] = "69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d"