svn commit: r547501 - in branches/2020Q3/security/gnupg: . files

Adam Weinberger adamw at FreeBSD.org
Fri Sep 4 02:20:43 UTC 2020


Author: adamw
Date: Fri Sep  4 02:20:42 2020
New Revision: 547501
URL: https://svnweb.freebsd.org/changeset/ports/547501

Log:
  MFH: r541749 r546681 r547499
  
  Approved by:	portmgr (with hat)
  
  gnupg: Update to 2.2.21
  
   * gpg: Improve symmetric decryption speed by about 25%.
     See commit 144b95cc9d.
  
   * gpg: Support decryption of AEAD encrypted data packets.
  
   * gpg: Add option --no-include-key-block. [#4856]
  
   * gpg: Allow for extra padding in ECDH.  [#4908]
  
   * gpg: Only a single pinentry is shown for symmetric encryption if
     the pinentry supports this.  [#4971]
  
   * gpg: Print a note if no keys are given to --delete-key.  [#4959]
  
   * gpg,gpgsm: The ridiculous passphrase quality bar is not anymore
     shown.  [#2103]
  
   * gpgsm: Certificates without a CRL distribution point are now
     considered valid without looking up a CRL.  The new option
     --enable-issuer-based-crl-check can be used to revert to the
     former behaviour.
  
   * gpgsm: Support rsaPSS signature verification.  [#4538]
  
   * gpgsm: Unless CRL checking is disabled lookup a missing issuer
     certificate using the certificate's authorityInfoAccess.  [#4898]
  
   * gpgsm: Print the certificate's serial number also in decimal
     notation.
  
   * gpgsm: Fix possible NULL-deref in messages of --gen-key.  [#4895]
  
   * scd: Support the CardOS 5 based D-Trust Card 3.1.
  
   * dirmngr: Allow http URLs with "LOOKUP --url".
  
   * wkd: Take name of sendmail from configure.  Fixes an OpenBSD
     specific bug.  [#4886]
  
   Release-info: https://dev.gnupg.org/T4897
  
  security/gnupg: Update to 2.2.22
  
  Also, sort plist. The new gpgsplit binary is getting installed as
  gpgsplit2 to avoid a conflict with security/gnupg1.
  
  Noteworthy changes in version 2.2.22
  ====================================
  
    * gpg: Change the default key algorithm to rsa3072.
  
    * gpg: Add regular expression support for Trust Signatures on all
      platforms.  [#4843]
  
    * gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat
      option.  [#4991]
  
    * gpg: Ignore --personal-digest-prefs for ECDSA keys.  [#5021]
  
    * gpgsm: Make rsaPSS a de-vs compliant scheme.
  
    * gpgsm: Show also the SHA256 fingerprint in key listings.
  
    * gpgsm: Do not require a default keyring for --gpgconf-list.  [#4867]
  
    * gpg-agent: Default to extended key format and record the creation
      time of keys.  Add new option --disable-extended-key-format.
  
    * gpg-agent: Support the WAYLAND_DISPLAY envvar.  [#5016]
  
    * gpg-agent: Allow using --gpgconf-list even if HOME does not
      exist.  [#4866]
  
    * gpg-agent: Make the Pinentry work even if the envvar TERM is set
      to the empty string.  [#4137]
  
    * scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly
      incremented the error counter when using the "verify" command of
      "gpg --edit-key" with only the signature key being present.
  
    * dirmngr: Better handle systems with disabled IPv6.  [#4977]
  
    * gpgsplit: Install tool.  It was not installed in the past to avoid
      conflicts with the version installed by GnuPG 1.4.  [#5023]
      (We're installing it as gpgsplit2 to avoid conflict with security/gnupg1)
  
    * gpgtar: Handle Unicode file names on Windows correctly (requires
      libgpg-error 1.39).  [#4083]
  
    * gpgtar: Make --files-from and --null work as documented.  [#5027]
  
    * Build the Windows installer with the new Ntbtls 0.2.0 so that TLS
      connections succeed for servers demanding GCM.
  
    Release-info: https://dev.gnupg.org/T5030
  
  security/gnupg: Update to 2.2.23
  
  Importing an OpenPGP key having a preference list for AEAD algorithms
  will lead to an array overflow and thus often to a crash or other
  undefined behaviour.
  
  Importing an arbitrary key can often easily be triggered by an attacker
  and thus triggering this bug.  Exploiting the bug aside from crashes is
  not trivial but likely possible for a dedicated attacker.  The major
  hurdle for an attacker is that only every second byte is under their
  control with every first byte having a fixed value of 0x04.
  
  Software distribution verification should not be affected by this bug
  because such a system uses a curated list of keys.
  
  Security:	CVE-2020-25125

Added:
  branches/2020Q3/security/gnupg/files/patch-doc_Makefile.in
     - copied unchanged from r541749, head/security/gnupg/files/patch-doc_Makefile.in
Modified:
  branches/2020Q3/security/gnupg/Makefile
  branches/2020Q3/security/gnupg/distinfo
  branches/2020Q3/security/gnupg/pkg-plist
Directory Properties:
  branches/2020Q3/   (props changed)

Modified: branches/2020Q3/security/gnupg/Makefile
==============================================================================
--- branches/2020Q3/security/gnupg/Makefile	Fri Sep  4 02:13:17 2020	(r547500)
+++ branches/2020Q3/security/gnupg/Makefile	Fri Sep  4 02:20:42 2020	(r547501)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	gnupg
-PORTVERSION=	2.2.20
+PORTVERSION=	2.2.23
 CATEGORIES=	security
 MASTER_SITES=	GNUPG
 
@@ -31,6 +31,7 @@ CONFIGURE_ARGS=	--disable-ntbtls --enable-gpg-is-gpg2 
 GNU_CONFIGURE=	yes
 INFO=		gnupg
 TEST_TARGET=	check
+TEST_ARGS=	TESTARGS=--parallel
 
 SUB_FILES=	pkg-message
 
@@ -66,6 +67,7 @@ pre-build:
 	@${TOUCH} ${WRKSRC}/doc/*.texi
 
 post-install:
-	@${MV} ${STAGEDIR}${DATADIR}/help*.txt ${STAGEDIR}${DOCSDIR}
+	${MV} ${STAGEDIR}${PREFIX}/bin/gpgsplit ${STAGEDIR}${PREFIX}/bin/gpgsplit2
+	${MV} ${STAGEDIR}${DATADIR}/help*.txt ${STAGEDIR}${DOCSDIR}
 
 .include <bsd.port.mk>
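
Review bot: In post-install, the rename of bin/gpgsplit to bin/gpgsplit2 carries no comment in the Makefile saying why; the reason (the conflict with security/gnupg1) lives only in the commit log, so a one-line comment above that ${MV} would keep the rename from being dropped on a later update. The same hunk also removes the leading @ from the help*.txt ${MV} line, which changes command echoing and is unrelated to the version bump; the log does not mention it.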

Modified: branches/2020Q3/security/gnupg/distinfo
==============================================================================
--- branches/2020Q3/security/gnupg/distinfo	Fri Sep  4 02:13:17 2020	(r547500)
+++ branches/2020Q3/security/gnupg/distinfo	Fri Sep  4 02:20:42 2020	(r547501)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1584729314
-SHA256 (gnupg-2.2.20.tar.bz2) = 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30
-SIZE (gnupg-2.2.20.tar.bz2) = 6786913
+TIMESTAMP = 1599184354
+SHA256 (gnupg-2.2.23.tar.bz2) = 10b55e49d78b3e49f1edb58d7541ecbdad92ddaeeb885b6f486ed23d1cd1da5c
+SIZE (gnupg-2.2.23.tar.bz2) = 7099806
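
Review bot: The new SHA256 and SIZE lines for gnupg-2.2.23.tar.bz2 are the only integrity anchor the port has for this tarball, and the log does not say how the distfile was authenticated before distinfo was regenerated. For an update that exists to fix CVE-2020-25125, the log should state that the tarball was checked against the upstream signature or the digest published with the release.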

Copied: branches/2020Q3/security/gnupg/files/patch-doc_Makefile.in (from r541749, head/security/gnupg/files/patch-doc_Makefile.in)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2020Q3/security/gnupg/files/patch-doc_Makefile.in	Fri Sep  4 02:20:42 2020	(r547501, copy of r541749, head/security/gnupg/files/patch-doc_Makefile.in)
@@ -0,0 +1,16 @@
+This works around a breakage introduced in 2.2.21.
+Hopefully the patch can be removed for 2.2.22.
+
+--- doc/Makefile.in.orig	2020-07-09 13:22:35 UTC
++++ doc/Makefile.in
+@@ -1235,8 +1235,8 @@ defsincdate: $(gnupg_TEXINFOS)
+ 	if test -e $(top_srcdir)/.git; then \
+ 	  (cd $(srcdir) && git log -1 --format='%ct' \
+                -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+-        elif test x"$SOURCE_DATE_EPOCH" != x; then   \
+-	   echo "$SOURCE_DATE_EPOCH" >>defsincdate ; \
++        elif test x"$$SOURCE_DATE_EPOCH" != x; then   \
++	   echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \
+ 	fi
+ 
+ defs.inc : defsincdate Makefile mkdefsinc
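
Review bot: The note at the top of the added patch file says "Hopefully the patch can be removed for 2.2.22", yet this commit moves the port to 2.2.23 and adds the file copied unchanged from r541749. Either confirm that doc/Makefile.in in 2.2.23 still has the single-$ form at this location and update the note, or drop the patch if upstream has already fixed it. The substitution itself is correct: inside a make recipe, $SOURCE_DATE_EPOCH is expanded by make as $S followed by literal text, so $$ is needed for the shell to see the variable.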

Modified: branches/2020Q3/security/gnupg/pkg-plist
==============================================================================
--- branches/2020Q3/security/gnupg/pkg-plist	Fri Sep  4 02:13:17 2020	(r547500)
+++ branches/2020Q3/security/gnupg/pkg-plist	Fri Sep  4 02:20:42 2020	(r547501)
@@ -1,17 +1,18 @@
 bin/dirmngr
 bin/dirmngr-client
-bin/gpg-connect-agent
 bin/gpg-agent
-bin/gpgscm
-bin/gpgsm
-bin/gpgtar
+bin/gpg-connect-agent
 %%WKS_SERVER%%bin/gpg-wks-server
-bin/kbxutil
 %%SUID_GPG%%@(,,4555) bin/gpg2
 %%NO_SUID_GPG%%bin/gpg2
 bin/gpgconf
 bin/gpgparsemail
+bin/gpgscm
+bin/gpgsm
+bin/gpgsplit2
+bin/gpgtar
 bin/gpgv2
+bin/kbxutil
 bin/symcryptrun
 bin/watchgnupg
 %%LDAP%%libexec/dirmngr_ldap
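
Review bot: The only functional line in this hunk is "+bin/gpgsplit2"; the rest is reordering, which makes the one new installed file easy to miss in a merge to the quarterly branch whose purpose is a security update. Landing the sort separately would keep the merged diff to the lines that matter. This entry also depends on the post-install rename in the Makefile, so the two must change together.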

