ports/109992: ports/security/gnupg1 -> 1.4.7
Jason Harris
jharris at widomaker.com
Tue Mar 6 13:50:06 UTC 2007
>Number: 109992
>Category: ports
>Synopsis: ports/security/gnupg1 -> 1.4.7
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 06 13:50:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Jason Harris
>Release: FreeBSD 6.2-STABLE i386
>Organization:
N/A
>Environment:
System: FreeBSD 6.2-STABLE i386
>Description:
Update ports/security/gnupg1 to 1.4.7 to work around a possible
security hole. From ./NEWS:
* By default, do not allow processing multiple plaintexts in a
single stream. Many programs that called GnuPG were assuming
that GnuPG did not permit this, and were thus not using the
plaintext boundary status tags that GnuPG provides. This change
makes GnuPG reject such messages by default which makes those
programs safe again. --allow-multiple-messages returns to the
old behavior.
>How-To-Repeat:
Apply patch below.
NB: "cvs rm files/patch-configure"
>Fix:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message
cvs server: Diffing .
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/Makefile,v
retrieving revision 1.92
diff -u -r1.92 Makefile
--- Makefile 25 Dec 2006 03:48:59 -0000 1.92
+++ Makefile 6 Mar 2007 13:37:00 -0000
@@ -6,8 +6,7 @@
#
PORTNAME= gnupg
-PORTVERSION= 1.4.6
-PORTREVISION= 3
+PORTVERSION= 1.4.7
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GNUPG}
MASTER_SITE_SUBDIR= gnupg
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/distinfo,v
retrieving revision 1.39
diff -u -r1.39 distinfo
--- distinfo 9 Dec 2006 08:36:47 -0000 1.39
+++ distinfo 6 Mar 2007 13:37:00 -0000
@@ -1,6 +1,15 @@
-MD5 (gnupg-1.4.6.tar.bz2) = ec8dc6df1bd83c1d7e1a1ea10653f9f4
-SHA256 (gnupg-1.4.6.tar.bz2) = fd5a72418e55669b88076c2a6f11c3a59bf92a2071008567e65ae12b7372008e
-SIZE (gnupg-1.4.6.tar.bz2) = 3149454
-MD5 (gnupg-1.4.6.tar.bz2.sig) = 8b905292140d60fe493fab7d5b22c96d
-SHA256 (gnupg-1.4.6.tar.bz2.sig) = fb9294762932b34f2fd5a4b168f4c3a248aa7403c2aed8bffa5f67274b1b052d
-SIZE (gnupg-1.4.6.tar.bz2.sig) = 158
+MD5 (gnupg-1.4.7.tar.bz2) = b06a141cca5cd1a55bbdd25ab833303c
+SHA1 (gnupg-1.4.7.tar.bz2) = 22149105845c79068771837c8deb7d5ba0854927
+RMD160 (gnupg-1.4.7.tar.bz2) = 630344c99834cf9adcf806d55e6f609a1e50bd8b
+SHA256 (gnupg-1.4.7.tar.bz2) = 69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d
+SIZE (gnupg-1.4.7.tar.bz2) = 3200642
+MD5 (gnupg-1.4.7.tar.bz2.sig) = 5430887043170806eb93f018e4236972
+SHA1 (gnupg-1.4.7.tar.bz2.sig) = a6db75da64c4e23b687147aa7d01f2085b2cf861
+RMD160 (gnupg-1.4.7.tar.bz2.sig) = 102323c28a41a7a2fcc479fc06ba98137e037baa
+SHA256 (gnupg-1.4.7.tar.bz2.sig) = e730e980840d3b97220e4393539de67c7647d9e9eac9d22f11f24ba7e874c18c
+SIZE (gnupg-1.4.7.tar.bz2.sig) = 158
+MD5 (gnupg-1.4.7.tar.bz2.sig) = 5430887043170806eb93f018e4236972
+SHA1 (gnupg-1.4.7.tar.bz2.sig) = a6db75da64c4e23b687147aa7d01f2085b2cf861
+RMD160 (gnupg-1.4.7.tar.bz2.sig) = 102323c28a41a7a2fcc479fc06ba98137e037baa
+SHA256 (gnupg-1.4.7.tar.bz2.sig) = e730e980840d3b97220e4393539de67c7647d9e9eac9d22f11f24ba7e874c18c
+SIZE (gnupg-1.4.7.tar.bz2.sig) = 158
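Review bot: The five gnupg-1.4.7.tar.bz2.sig lines (MD5, SHA1, RMD160, SHA256, SIZE) are added twice at the end of this hunk with identical values; drop the second copy so distinfo carries one block per distfile. The new entries also add SHA1 and RMD160 where the removed 1.4.6 entries had only MD5, SHA256 and SIZE, so please confirm that is intended and not a side effect of how the file was regenerated.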
cvs server: Diffing files
Index: files/patch-configure
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/files/Attic/patch-configure,v
retrieving revision 1.5
diff -u -r1.5 patch-configure
--- files/patch-configure 9 Dec 2006 08:36:48 -0000 1.5
+++ files/patch-configure 6 Mar 2007 13:37:01 -0000
@@ -1,10 +0,0 @@
---- configure.orig Fri Dec 8 17:02:30 2006
-+++ configure Fri Dec 8 17:02:52 2006
-@@ -27251,6 +27251,7 @@
- exec_prefix=$exec_prefix
- libdir=$libdir
- libexecdir=$libexecdir
-+datarootdir=$datarootdir
- datadir=$datadir
- DATADIRNAME=$DATADIRNAME
-
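Review bot: The hunk header "@@ -1,10 +0,0 @@" empties files/patch-configure instead of deleting it, so applying the patch alone leaves a zero-length file behind; the committer still has to run the "cvs rm files/patch-configure" noted under How-To-Repeat. The removed patch added "datarootdir=$datarootdir" to configure, and the PR does not say why it is no longer needed; please state whether the 1.4.7 configure already sets it.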
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
iJ0EARECAF0FAkXtbrhWGGh0dHA6Ly9rZXlzZXJ2ZXIua2pzbC5jb206MTEzNzEv
cGtzL2xvb2t1cD9vcD1nZXQmc2VhcmNoPTB4RDM5REEwRTMmd2VoYXZleW91bm93
PXRydWUACgkQSypIl9OdoONZUACfd2ARkTa8DfHpv5KBB9ChsjS4+2MAnRtnE+Pp
Si4VLT2w5MWdacZlJz02
=0fyV
-----END PGP SIGNATURE-----
>Release-Note:
>Audit-Trail:
>Unformatted:
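The NEWS entry quoted in the Description refers to the plaintext boundary status tags that calling programs were not using. The following is an added example, not part of this PR or of GnuPG: a caller-side check for an inline-signed message that parses `--status-fd` lines and accepts the signer only when exactly one PLAINTEXT and one VALIDSIG were reported. The function names, fingerprint, timestamps and file names are constructed for illustration.

```python
import re

# GnuPG writes machine-readable lines to --status-fd as "[GNUPG:] KEYWORD args".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Constructed sample status output (fingerprint and timestamps are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SINGLE = [
    "[GNUPG:] PLAINTEXT 62 1173188000 msg.txt",
    "[GNUPG:] VALIDSIG " + FPR + " 2007-03-06 1173188000 0 3 0 17 2 00 " + FPR,
]
# Constructed: an extra plaintext precedes the signed one in the same stream.
MULTI = ["[GNUPG:] PLAINTEXT 62 1173187000 other.txt"] + SINGLE


def parse_status(lines):
    """Yield (keyword, [args]) for each well-formed status line."""
    for line in lines:
        m = STATUS_RE.match(line.rstrip("\r\n"))
        if m:
            yield m.group(1), (m.group(2) or "").split()


def signer_of_single_plaintext(lines):
    """Return the VALIDSIG fingerprint, or raise ValueError unless the
    stream reported exactly one plaintext and one valid signature."""
    plaintexts, signers = 0, []
    for keyword, args in parse_status(lines):
        if keyword == "PLAINTEXT":
            plaintexts += 1
        elif keyword == "VALIDSIG" and args:
            signers.append(args[0])
    if plaintexts != 1:
        raise ValueError("expected exactly 1 plaintext, saw %d" % plaintexts)
    if len(signers) != 1:
        raise ValueError("expected exactly 1 valid signature, saw %d" % len(signers))
    return signers[0]


if __name__ == "__main__":
    print(signer_of_single_plaintext(SINGLE))
    try:
        signer_of_single_plaintext(MULTI)
    except ValueError as exc:
        print("rejected:", exc)
```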