svn commit: r472003 - head/security/gnupg

Adam Weinberger adamw at FreeBSD.org
Fri Jun 8 14:18:21 UTC 2018


Author: adamw
Date: Fri Jun  8 14:18:19 2018
New Revision: 472003
URL: https://svnweb.freebsd.org/changeset/ports/472003

Log:
  Update gnupg to 2.2.8 (security release)
  
  CVE-2018-12020:
  The OpenPGP protocol allows to include the file name of the original
  input file into a signed or encrypted message.  During decryption and
  verification the GPG tool can display a notice with that file name.  The
  displayed file name is not sanitized and as such may include line feeds
  or other control characters.  This can be used inject terminal control
  sequences into the out and, worse, to fake the so-called status
  messages.  These status messages are parsed by programs to get
  information from gpg about the validity of a signature and an other
  parameters.  Status messages are created with the option "--status-fd N"
  where N is a file descriptor.  Now if N is 2 the status messages and the
  regular diagnostic messages share the stderr output channel.  By using a
  made up file name in the message it is possible to fake status messages.
  Using this technique it is for example possible to fake the verification
  status of a signed mail.
  
  Also:
    * gpg: Decryption of messages not using the MDC mode will now lead
      to a hard failure even if a legacy cipher algorithm was used.  The
      option --ignore-mdc-error can be used to turn this failure into a
      warning.  Take care: Never use that option unconditionally or
      without a prior warning.
  
    * gpg: The MDC encryption mode is now always used regardless of the
      cipher algorithm or any preferences.  For testing --rfc2440 can be
      used to create a message without an MDC.
  
    * gpg: Sanitize the diagnostic output of the original file name in
      verbose mode.  [#4012,CVE-2018-12020]
  
    * gpg: Detect suspicious multiple plaintext packets in a more
      reliable way.  [#4000]
  
    * gpg: Fix the duplicate key signature detection code.  [#3994]
  
    * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
      --disable-mdc and --no-disable-mdc have no more effect.
  
    * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
      list of startup environment variables.  [#3947]
  
  MFH:		2018Q2
  Security:	CVE-2018-12020

Modified:
  head/security/gnupg/Makefile
  head/security/gnupg/distinfo

Modified: head/security/gnupg/Makefile
==============================================================================
--- head/security/gnupg/Makefile	Fri Jun  8 14:16:30 2018	(r472002)
+++ head/security/gnupg/Makefile	Fri Jun  8 14:18:19 2018	(r472003)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	gnupg
-PORTVERSION=	2.2.7
+PORTVERSION=	2.2.8
 CATEGORIES=	security
 MASTER_SITES=	GNUPG
 

Modified: head/security/gnupg/distinfo
==============================================================================
--- head/security/gnupg/distinfo	Fri Jun  8 14:16:30 2018	(r472002)
+++ head/security/gnupg/distinfo	Fri Jun  8 14:18:19 2018	(r472003)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1525435894
-SHA256 (gnupg-2.2.7.tar.bz2) = d95b361ee6ef7eff86af40c8c72bf9313736ac9f7010d6604d78bf83818e976e
-SIZE (gnupg-2.2.7.tar.bz2) = 6631100
+TIMESTAMP = 1528466286
+SHA256 (gnupg-2.2.8.tar.bz2) = 777b4cb8ced21965a5053d4fa20fe11484f0a478f3d011cef508a1a49db50dcd
+SIZE (gnupg-2.2.8.tar.bz2) = 6632465


More information about the svn-ports-head mailing list