gnupg2 (2.1.18-8~deb8u3) UNRELEASED; urgency=medium
* backport to Debian jessie by the LTS security team to support Enigmail
upgrade
* remove the gnupg-l10n package, not present in jessie
* keep the gpg2 package naming scheme present in jessie to avoid
replacing the legacy 1.4 package still present there
* remove Breaks relations with packages that would be affected by the
above replacement
* gpg-static, gpgv-udeb and gpgv-win32 not shipped either for the same
reason
* requires the following source package backports: libgpg-error, npth,
libgcrypt20, libassuan, or more precisely:
1) libassuan-dev [2.4.3-2~bpo8+1 (jessie-backports)]
2) libassuan0 [2.4.3-2~bpo8+1 (jessie-backports)]
3) libgcrypt20-dev [1.7.6-1~bpo8+1 (jessie-backports)]
4) libgpg-error-dev [1.26-2~bpo8+1 (jessie-backports)]
5) libksba-dev [1.3.5-2~bpo8+1 (jessie-backports)]
6) libksba8 [1.3.5-2~bpo8+1 (jessie-backports)]
7) libnpth0 [1.3-1~bpo8+1 (jessie-backports)]
8) libnpth0-dev [1.3-1~bpo8+1 (jessie-backports)]
9) libgcrypt20 [1.6.3-2+deb8u5 (now, oldstable) -> 1.7.6-1~bpo8+1 (jessie-backports)]
10) libgpg-error0 [1.17-3 (now, oldstable) -> 1.26-2~bpo8+1 (jessie-backports)]
-- Antoine Beaupré <anarcat@debian.org> Mon, 12 Nov 2018 14:13:24 -0500
gnupg2 (2.1.18-8~deb9u3) stretch; urgency=medium
* block trivial access to scdaemon memory (Closes: #878952)
* Update crypto defaults for 2018 (new keys are RSA 3072, prefer AES256)
* d/control: move Vcs*: to salsa
* dirmngr: implement querying nameservers over IPv6 (Closes: #862682)
* use DEP-14 branch naming
* refresh patches
* backport --no-symkey-cache
* backport improved import and export filtering
* backport display of revocation certificates
* backport stripping unusable subkey material during export-minimal
* backport fix to make --dry-run work when listing secret keys
* backport fix showing secret keys when listing keys
* backport fix to clean keys before importing (Closes: #906545)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 05 Oct 2018 15:43:38 -0500
gnupg2 (2.1.18-8~deb9u2) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 08 Jun 2018 20:12:24 +0200
gnupg2 (2.1.18-8~deb9u1) stretch; urgency=medium
* Bugfix update for debian stretch point release.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Sep 2017 16:41:12 -0400
gnupg2 (2.1.18-8) unstable; urgency=medium
* updated scdaemon fix from gniibe (Closes: #862032)
......
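Review bot: Items 9 and 10 of the dependency list in the top changelog entry replace the installed oldstable libgcrypt20 and libgpg-error0 with jessie-backports builds, yet the entry only says "requires the following source package backports". State in the entry where those library versions will be published for LTS users and who carries their security support. Also note that libksba appears in the numbered list (items 5 and 6) but is missing from the source-package list on the line above it.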
......@@ -32,17 +32,8 @@ Build-Depends:
texinfo,
transfig,
zlib1g-dev | libz-dev,
Build-Depends-Indep:
binutils-multiarch [!amd64 !i386],
libassuan-mingw-w64-dev,
libgcrypt-mingw-w64-dev,
libgpg-error-mingw-w64-dev,
libksba-mingw-w64-dev,
libnpth-mingw-w64-dev,
libz-mingw-w64-dev,
mingw-w64,
Vcs-Git: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git
Vcs-Browser: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git
Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/stretch
Vcs-Browser: https://salsa.debian.org/debian/gnupg2
Homepage: https://www.gnupg.org/
Package: gnupg-agent
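Review bot: Vcs-Git in this hunk names the branch debian/stretch (-b debian/stretch), while the newest changelog entry is a jessie backport (2.1.18-8~deb8u3). If the jessie packaging lives on its own branch, point Vcs-Git at it, and do the same for debian-branch in debian/gbp.conf, so that anyone auditing the LTS upload fetches the tree that was actually built.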
......@@ -53,7 +44,7 @@ Depends:
${misc:Depends},
${shlibs:Depends},
Recommends:
gnupg (= ${binary:Version}) | gpgsm,
gnupg2 (= ${binary:Version}) | gpgsm,
Suggests:
dbus-user-session,
libpam-systemd,
......@@ -113,7 +104,7 @@ Description: GNU privacy guard - S/MIME version
digital encryption and signing services on X.509 certificates and the
CMS protocol. gpgsm includes complete certificate management.
Package: gnupg
Package: gnupg2
Architecture: any
Multi-Arch: foreign
Depends:
......@@ -128,21 +119,10 @@ Suggests:
parcimonie,
xloadimage,
Breaks:
debsig-verify (<< 0.15),
dirmngr (<< ${binary:Version}),
gnupg2 (<< 2.1.11-7+exp1),
libgnupg-interface-perl (<< 0.52-3),
libgnupg-perl (<= 0.19-1),
libmail-gnupg-perl (<= 0.22-1),
monkeysphere (<< 0.38~),
php-crypt-gpg (<= 1.4.1-1),
python-apt (<= 1.1.0~beta4),
python-gnupg (<< 0.3.8-3),
python3-apt (<= 1.1.0~beta4),
Replaces:
gnupg2 (<< 2.1.11-7+exp1),
Provides:
gpg,
Description: GNU privacy guard - a free PGP replacement
GnuPG is GNU's tool for secure communication and data storage.
It can be used to encrypt data and to create digital signatures.
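Review bot: In the Breaks list of this hunk, dirmngr (<< ${binary:Version}) is a version lock between two binaries built from this same source package, not one of the relations the changelog ties to replacing the legacy 1.4 package. Keep that entry when trimming the list, otherwise a partial upgrade can pair the new gpg with an older dirmngr.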
......@@ -152,24 +132,7 @@ Description: GNU privacy guard - a free PGP replacement
This package contains /usr/bin/gpg and some helper utilities like
gpgconf and kbxutil.
Package: gnupg2
Architecture: all
Section: oldlibs
Priority: extra
Multi-Arch: foreign
Depends:
gnupg (>= ${source:Version}),
${misc:Depends},
Description: GNU privacy guard - a free PGP replacement (dummy transitional package)
GnuPG is GNU's tool for secure communication and data storage.
It can be used to encrypt data and to create digital signatures.
It includes an advanced key management facility and is compliant
with the proposed OpenPGP Internet standard as described in RFC4880.
.
This is a dummy transitional package that provides symlinks from gpg2
to gpg.
Package: gpgv
Package: gpgv2
Architecture: any
Priority: important
Multi-Arch: foreign
......@@ -179,12 +142,9 @@ Depends:
Breaks:
gnupg2 (<< 2.0.21-2),
gpgv2 (<< 2.1.11-7+exp1),
python-debian (<< 0.1.29),
Replaces:
gnupg2 (<< 2.0.21-2),
gpgv2 (<< 2.1.11-7+exp1),
Suggests:
gnupg,
Description: GNU privacy guard - signature verification tool
GnuPG is GNU's tool for secure communication and data storage.
.
......@@ -194,22 +154,6 @@ Description: GNU privacy guard - signature verification tool
used to make the signature are valid. There are no configuration
files and only a few options are implemented.
Package: gpgv2
Section: oldlibs
Priority: extra
Architecture: all
Multi-Arch: foreign
Depends:
gpgv (>= ${source:Version}),
${misc:Depends},
Description: GNU privacy guard - signature verification tool (dummy transitional package)
GnuPG is GNU's tool for secure communication and data storage. gpgv
is a stripped-down version of gpg which is only able to check
signatures.
.
This is a dummy transitional package that provides symlinks from gpgv2
to gpgv.
Package: dirmngr
Architecture: any
Depends:
......@@ -218,10 +162,9 @@ Depends:
${misc:Depends},
${shlibs:Depends},
Recommends:
gnupg (= ${binary:Version}),
gnupg2 (= ${binary:Version}),
${shlibs:Recommends},
Enhances:
gnupg,
gpgsm,
squid,
Breaks:
......@@ -244,86 +187,3 @@ Description: GNU privacy guard - network certificate management service
.
dirmngr is used for network access by gpg, gpgsm, and dirmngr-client,
among other tools.
Package: gpgv-udeb
Package-Type: udeb
Section: debian-installer
Priority: extra
Architecture: any
Depends:
${misc:Depends},
${shlibs:Depends},
Description: minimal signature verification tool
GnuPG is GNU's tool for secure communication and data storage.
It can be used to encrypt data and to create digital signatures.
It includes an advanced key management facility and is compliant
with the proposed OpenPGP Internet standard as described in RFC 4880.
.
This is GnuPG's signature verification tool, gpgv, packaged in minimal
form for use in debian-installer.
Package: gpgv-static
Priority: extra
Architecture: any
Depends:
${misc:Depends},
${shlibs:Depends},
Recommends:
debian-archive-keyring,
debootstrap,
Description: minimal signature verification tool (static build)
GnuPG is GNU's tool for secure communication and data storage.
It can be used to encrypt data and to create digital signatures.
It includes an advanced key management facility and is compliant
with the proposed OpenPGP Internet standard as described in RFC 4880.
.
This is GnuPG's signature verification tool, gpgv, built statically
so that it can be directly used on any platform that is running on
the Linux kernel. Android and ChromeOS are two well known examples,
but there are many other platforms that this will work for, like
embedded Linux OSes. This gpgv in combination with debootstrap and
the Debian archive keyring allows the secure creation of chroot
installs on these platforms by using the full Debian signature
verification that is present in all official Debian mirrors.
Package: gpgv-win32
Architecture: all
Priority: extra
Multi-Arch: foreign
Depends:
${misc:Depends},
Suggests:
wine,
Description: GNU privacy guard - signature verification tool (win32 build)
GnuPG is GNU's tool for secure communication and data storage.
.
gpgv is a stripped-down version of gnupg which is only able to check
signatures. It is smaller than the full-blown gnupg and uses a
different (and simpler) way to check that the public keys used to
make the signature are trustworthy.
.
This is a win32 version of gpgv. It's meant to be used by the win32-loader
component of Debian-Installer.
Package: gnupg-l10n
Architecture: all
Priority: extra
Multi-Arch: foreign
Depends:
${misc:Depends},
Enhances:
gnupg,
Breaks:
gnupg (<< 2.1.14-2~),
gnupg2 (<< 2.1.14-2~),
Replaces:
gnupg (<< 2.1.14-2~),
gnupg2 (<< 2.1.14-2~),
Description: GNU privacy guard - localization files
GnuPG is GNU's tool for secure communication and data storage.
It can be used to encrypt data and to create digital signatures.
It includes an advanced key management facility and is compliant
with the proposed OpenPGP Internet standard as described in RFC 4880.
.
This package contains the translation files for the use of GnuPG in
non-English locales.
debian/tmp/usr/bin/dirmngr
debian/tmp/usr/bin/dirmngr-client
debian/tmp/usr/lib/gnupg/dirmngr_ldap
debian/tmp/usr/lib/gnupg2/dirmngr_ldap
debian/tmp/usr/share/gnupg/sks-keyservers.netCA.pem
doc/examples/systemd-user/dirmngr.service usr/lib/systemd/user
doc/examples/systemd-user/dirmngr.socket usr/lib/systemd/user
[DEFAULT]
pristine-tar = True
upstream-vcs-tag = gnupg-%(version)s
debian-branch = debian/stretch
[buildpackage]
compression = bzip2
[import-orig]
filter = [
......@@ -31,3 +35,6 @@ filter = [
'po/stamp-po',
]
filter-pristine-tar = False
[pq]
abbrev = 9
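Review bot: abbrev = 9 under [pq] changes the hash length written when patches are exported, which is why the index lines throughout debian/patches go from 7 to 9 hex digits in this diff. Land that setting and the resulting refresh as its own commit, so that patches whose content or hunk offsets really changed (the scd/scdaemon.c one, whose index hashes and line offsets both differ) stand out for review.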
......@@ -3,9 +3,9 @@ debian/systemd-user/gpg-agent-browser.socket usr/lib/systemd/user
debian/tmp/usr/bin/gpg-agent
debian/tmp/usr/bin/gpg-connect-agent
debian/tmp/usr/bin/symcryptrun
debian/tmp/usr/lib/gnupg/gpg-check-pattern
debian/tmp/usr/lib/gnupg/gpg-preset-passphrase
debian/tmp/usr/lib/gnupg/gpg-protect-tool
debian/tmp/usr/lib/gnupg2/gpg-check-pattern
debian/tmp/usr/lib/gnupg2/gpg-preset-passphrase
debian/tmp/usr/lib/gnupg2/gpg-protect-tool
doc/examples/systemd-user/gpg-agent-extra.socket usr/lib/systemd/user
doc/examples/systemd-user/gpg-agent-ssh.socket usr/lib/systemd/user
doc/examples/systemd-user/gpg-agent.service usr/lib/systemd/user
......
debian/tmp/usr/share/gnupg/help.*.txt
debian/tmp/usr/share/locale
build/tools/gpg-zip usr/bin
build/tools/gpgsplit usr/bin
tools/gpg2-zip usr/bin
tools/gpg2split usr/bin
debian/migrate-pubring-from-classic-gpg usr/bin
debian/tmp/usr/bin/gpg
debian/tmp/usr/bin/gpg2
debian/tmp/usr/bin/gpgconf
debian/tmp/usr/bin/gpgparsemail
debian/tmp/usr/bin/kbxutil
......@@ -9,4 +9,4 @@ debian/tmp/usr/bin/watchgnupg
debian/tmp/usr/sbin/addgnupghome
debian/tmp/usr/sbin/applygnupgdefaults
debian/tmp/usr/share/gnupg/distsigkey.gpg
tools/lspgpot usr/bin
tools/lspgpot2 usr/bin
usr/bin/gpg usr/bin/gpg2
usr/share/man/man1/gpg.1.gz usr/share/man/man1/gpg2.1.gz
debian/gpg-zip.1
debian/gpgsplit.1
debian/gpg2-zip.1
debian/gpg2split.1
debian/kbxutil.1
debian/lspgpot.1
debian/lspgpot2.1
debian/migrate-pubring-from-classic-gpg.1
debian/tmp/usr/share/man/man1/gpg.1
debian/tmp/usr/share/man/man1/gpg2.1
debian/tmp/usr/share/man/man1/gpgconf.1
debian/tmp/usr/share/man/man1/gpgparsemail.1
debian/tmp/usr/share/man/man1/watchgnupg.1
......
.TH GPGV-STATIC "1" "November 2016" "GnuPG" "Gnu Privacy Guard 2.1"
.SH NAME
gpgv-static - Verify OpenPGP signatures (static build)
.SH SYNOPSIS
.B gpgv-static [\fIoptions\fP] \fIsigned_files\fP
.SH DESCRIPTION
\fBgpgv\fR is an OpenPGP signature verification tool.
\fBgpgv-static\fR is \fBgpgv\fR built statically so that it can be
directly used on any platform that is running on the Linux kernel,
such as Android, ChromeOS, or many embedded Linux systems.
This version of \fBgpgv\fR in combination with \fBdebootstrap\fR and
the Debian archive keyring allows the secure creation of chroot
installs on these platforms by using the full Debian signature
verification that is present in all official Debian mirrors.
You may wish to re-name the binary to plain \fBgpgv\fR when
transferring it into such a platform to create a chroot.
Please read the documentation for \fBgpgv\fR for more details.
.SH SEE ALSO
\fBgpg\fR(1)
.SH AUTHOR
This manual page was written by Daniel Kahn Gillmor
<dkg@fifthhorseman.net> for the Debian project, but may be used by
others under the same license as GnuPG itself.
build-gpgv-static/g10/gpgv-static usr/bin/
# gpgv-static is deliberately built statically. We cannot avoid
# embedding zlib.
gpgv-static: embedded-library usr/bin/gpgv-static: zlib
build-gpgv-udeb/g10/gpgv usr/bin/
build-gpgv-win32/g10/gpgv.exe usr/share/win32
debian/tmp/usr/bin/gpgv
debian/tmp/usr/share/man/man1/gpgv.1
debian/tmp/usr/bin/gpgv2
usr/bin/gpgv usr/bin/gpgv2
usr/share/man/man1/gpgv.1.gz usr/share/man/man1/gpgv2.1.gz
debian/tmp/usr/share/man/man1/gpgv2.1
From: "Neal H. Walfield" <neal@g10code.com>
Date: Thu, 2 Feb 2017 13:24:57 +0100
Subject: gpg: Only print out TOFU statistics for conflicts in interactive mode
Subject: gpg: Only print out TOFU statistics for conflicts in interactive
mode
* g10/tofu.c (get_trust): Add arguments POLICYP and CONFLICT_SETP. If
they are not NULL, return the policy and conflict set (if there is
......
......@@ -20,7 +20,7 @@ Additionally, fix another bug when tested with 2.1.18-7 with PC/SC.
5 files changed, 102 insertions(+), 45 deletions(-)
diff --git a/scd/app-common.h b/scd/app-common.h
index b979f54..c7a0575 100644
index b979f5476..c7a057521 100644
--- a/scd/app-common.h
+++ b/scd/app-common.h
@@ -54,6 +54,7 @@ struct app_ctx_s {
......@@ -41,7 +41,7 @@ index b979f54..c7a0575 100644
gpg_error_t app_write_learn_status (app_t app, ctrl_t ctrl,
unsigned int flags);
diff --git a/scd/app.c b/scd/app.c
index 8fb0d45..3f3f3ef 100644
index 8fb0d4553..3f3f3ef84 100644
--- a/scd/app.c
+++ b/scd/app.c
@@ -136,40 +136,32 @@ check_application_conflict (const char *name, app_t app)
......@@ -204,7 +204,7 @@ index 8fb0d45..3f3f3ef 100644
npth_mutex_unlock (&app_list_lock);
}
diff --git a/scd/command.c b/scd/command.c
index 0ae6d29..b17c4a1 100644
index 0ae6d29aa..b17c4a109 100644
--- a/scd/command.c
+++ b/scd/command.c
@@ -227,7 +227,7 @@ open_card_with_request (ctrl_t ctrl, const char *apptype, const char *serialno)
......@@ -235,10 +235,10 @@ index 0ae6d29..b17c4a1 100644
if (!sl->event_signal || !sl->assuan_ctx)
diff --git a/scd/scdaemon.c b/scd/scdaemon.c
index 74fed44..02f0e72 100644
index 4d011c4c9..dda9ab445 100644
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -52,6 +52,7 @@
@@ -55,6 +55,7 @@
#include "ccid-driver.h"
#include "gc-opt-flags.h"
#include "asshelp.h"
......@@ -246,7 +246,7 @@ index 74fed44..02f0e72 100644
#include "../common/init.h"
#ifndef ENAMETOOLONG
@@ -224,7 +225,8 @@ static assuan_sock_nonce_t socket_nonce;
@@ -227,7 +228,8 @@ static assuan_sock_nonce_t socket_nonce;
disabled but it won't perform any ticker specific actions. */
static int ticker_disabled;
......@@ -256,7 +256,7 @@ index 74fed44..02f0e72 100644
static char *create_socket_name (char *standard_name);
static gnupg_fd_t create_server_socket (const char *name,
@@ -1181,6 +1183,16 @@ start_connection_thread (void *arg)
@@ -1190,6 +1192,16 @@ start_connection_thread (void *arg)
}
......@@ -273,7 +273,7 @@ index 74fed44..02f0e72 100644
/* Connection handler loop. Wait for connection requests and spawn a
thread after accepting a connection. LISTEN_FD is allowed to be -1
in which case this code will only do regular timeouts and handle
@@ -1202,9 +1214,23 @@ handle_connections (int listen_fd)
@@ -1211,9 +1223,23 @@ handle_connections (int listen_fd)
#ifndef HAVE_W32_SYSTEM
int signo;
#endif
......@@ -298,7 +298,7 @@ index 74fed44..02f0e72 100644
npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED);
#ifndef HAVE_W32_SYSTEM
@@ -1233,6 +1259,8 @@ handle_connections (int listen_fd)
@@ -1242,6 +1268,8 @@ handle_connections (int listen_fd)
for (;;)
{
......@@ -307,7 +307,7 @@ index 74fed44..02f0e72 100644
if (shutdown_pending)
{
if (active_connections == 0)
@@ -1261,14 +1289,20 @@ handle_connections (int listen_fd)
@@ -1270,14 +1298,20 @@ handle_connections (int listen_fd)
thus a simple assignment is fine to copy the entire set. */
read_fdset = fdset;
......@@ -330,7 +330,7 @@ index 74fed44..02f0e72 100644
saved_errno = errno;
#endif
@@ -1284,6 +1318,13 @@ handle_connections (int listen_fd)
@@ -1293,6 +1327,13 @@ handle_connections (int listen_fd)
/* Timeout. Will be handled when calculating the next timeout. */
continue;
......@@ -344,7 +344,7 @@ index 74fed44..02f0e72 100644
if (listen_fd != -1 && FD_ISSET (listen_fd, &read_fdset))
{
ctrl_t ctrl;
@@ -1322,6 +1363,8 @@ handle_connections (int listen_fd)
@@ -1331,6 +1372,8 @@ handle_connections (int listen_fd)
}
}
......@@ -354,7 +354,7 @@ index 74fed44..02f0e72 100644
log_info (_("%s %s stopped\n"), strusage(11), strusage(13));
npth_attr_destroy (&tattr);
diff --git a/scd/scdaemon.h b/scd/scdaemon.h
index d0bc98e..fcab648 100644
index d0bc98efe..fcab6489f 100644
--- a/scd/scdaemon.h
+++ b/scd/scdaemon.h
@@ -125,6 +125,7 @@ void send_status_info (ctrl_t ctrl, const char *keyword, ...)
......
......@@ -48,7 +48,7 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index f9039ae..e280c22 100644
index f9039ae09..e280c2249 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -728,9 +728,9 @@ static ARGPARSE_OPTS opts[] = {
......
......@@ -58,7 +58,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
create mode 100755 tests/openpgp/issue2941.scm
diff --git a/common/logging.c b/common/logging.c
index 8c70742..ac13053 100644
index 8c70742cc..ac130535c 100644
--- a/common/logging.c
+++ b/common/logging.c
@@ -570,6 +570,9 @@ log_set_file (const char *name)
......@@ -72,7 +72,7 @@ index 8c70742..ac13053 100644
}
diff --git a/common/sysutils.c b/common/sysutils.c
index e67420f..a796677 100644
index e67420f18..a796677ba 100644
--- a/common/sysutils.c
+++ b/common/sysutils.c
@@ -1281,3 +1281,14 @@ gnupg_get_socket_name (int fd)
......@@ -91,7 +91,7 @@ index e67420f..a796677 100644
+ return 1;
+}
diff --git a/common/sysutils.h b/common/sysutils.h
index a9316d7..ecd9f84 100644
index a9316d7ce..ecd9f846e 100644
--- a/common/sysutils.h
+++ b/common/sysutils.h
@@ -72,6 +72,7 @@ int gnupg_setenv (const char *name, const char *value, int overwrite);
......@@ -103,7 +103,7 @@ index a9316d7..ecd9f84 100644
gpg_error_t gnupg_inotify_watch_socket (int *r_fd, const char *socket_name);
int gnupg_inotify_has_name (int fd, const char *name);
diff --git a/g10/cpr.c b/g10/cpr.c
index 0133cad..4984e89 100644
index 0133cad31..4984e8903 100644
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -107,6 +107,9 @@ set_status_fd (int fd)
......@@ -117,7 +117,7 @@ index 0133cad..4984e89 100644
statusfp = es_stdout;
else if (fd == 2)
diff --git a/g10/gpg.c b/g10/gpg.c
index e280c22..66a2055 100644
index e280c2249..66a2055b5 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -3079,6 +3079,8 @@ main (int argc, char **argv)
......@@ -140,7 +140,7 @@ index e280c22..66a2055 100644
{
if (i >= len-1 )
diff --git a/g10/keylist.c b/g10/keylist.c
index 4fe1e40..abdcb9f 100644
index 4fe1e4034..abdcb9f0a 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -1900,6 +1900,9 @@ set_attrib_fd (int fd)
......@@ -154,7 +154,7 @@ index 4fe1e40..abdcb9f 100644
setmode (fd, O_BINARY);
#endif
diff --git a/g10/passphrase.c b/g10/passphrase.c
index fb4ec4c..37abc0f 100644
index fb4ec4c85..37abc0f1c 100644
--- a/g10/passphrase.c
+++ b/g10/passphrase.c
@@ -166,6 +166,9 @@ read_passphrase_from_fd( int fd )
......@@ -168,7 +168,7 @@ index fb4ec4c..37abc0f 100644
{ /* Not used but we have to do a dummy read, so that it won't end
up at the begin of the message if the quite usual trick to
diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
index 05341fb..377a2ed 100644
index 05341fbfd..377a2edc3 100644
--- a/tests/openpgp/Makefile.am
+++ b/tests/openpgp/Makefile.am
@@ -95,12 +95,12 @@ XTESTS = \
......@@ -188,7 +188,7 @@ index 05341fb..377a2ed 100644
# the 'check' target. For extra robustness, we merely define a
diff --git a/tests/openpgp/issue2941.scm b/tests/openpgp/issue2941.scm
new file mode 100755
index 0000000..d7220e0
index 000000000..d7220e098
--- /dev/null
+++ b/tests/openpgp/issue2941.scm
@@ -0,0 +1,34 @@
......
......@@ -23,7 +23,7 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
1 file changed, 1 insertion(+)
diff --git a/common/logging.c b/common/logging.c
index ac13053..670affb 100644
index ac130535c..670affb12 100644
--- a/common/logging.c
+++ b/common/logging.c
@@ -61,6 +61,7 @@
......
......@@ -20,7 +20,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/g10/sign.c b/g10/sign.c
index acc894c..ff099b3 100644
index acc894c49..ff099b31c 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -686,7 +686,10 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash,
......
......@@ -13,7 +13,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index 66a2055..0c5a167 100644
index 66a2055b5..0c5a1677c 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -4894,8 +4894,12 @@ main (int argc, char **argv)
......
......@@ -21,7 +21,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index 180fd65..a0d9659 100644
index 180fd65c2..a0d965969 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -2163,8 +2163,11 @@ retrieve_options_from_program (gc_component_t component, gc_backend_t backend)
......
......@@ -14,7 +14,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 52f011a..bc2e071 100644
index 52f011a00..bc2e071f8 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -498,12 +498,10 @@ libdns_init (void)
......
......@@ -25,7 +25,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
create mode 100644 tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
diff --git a/g10/export.c b/g10/export.c
index f354ca0..8668126 100644
index f354ca0f6..86681264d 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -2208,6 +2208,48 @@ export_ssh_key (ctrl_t ctrl, const char *userid)
......@@ -78,7 +78,7 @@ index f354ca0..8668126 100644
if (!latest_key)
diff --git a/tests/openpgp/samplekeys/README b/tests/openpgp/samplekeys/README
index 29524d5..6f2399f 100644
index 29524d512..6f2399fd9 100644
--- a/tests/openpgp/samplekeys/README
+++ b/tests/openpgp/samplekeys/README
@@ -17,3 +17,5 @@ E657FB607BB4F21C90BB6651BC067AF28BC90111.asc Key with subkeys (no protection)
......@@ -89,7 +89,7 @@ index 29524d5..6f2399f 100644
+rsa-primary-auth-only.sec.asc Ditto but the secret keyblock.
diff --git a/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc b/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc
new file mode 100644
index 0000000..f34999e
index 000000000..f34999e92
--- /dev/null
+++ b/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc
@@ -0,0 +1,23 @@
......@@ -118,7 +118,7 @@ index 0000000..f34999e
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc b/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
new file mode 100644
index 0000000..9d72421
index 000000000..9d72421d0
--- /dev/null
+++ b/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
@@ -0,0 +1,38 @@
......
......@@ -14,7 +14,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index be8b083..32db4bc 100644
index be8b08333..32db4bc69 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -320,10 +320,17 @@ add_host (const char *name, int is_pool,
......
......@@ -11,7 +11,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/g10/gpgv.c b/g10/gpgv.c
index bd16b39..ca8fca4 100644
index bd16b3907..ca8fca423 100644
--- a/g10/gpgv.c
+++ b/g10/gpgv.c
@@ -194,7 +194,9 @@ main( int argc, char **argv )
......
......@@ -14,7 +14,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
2 files changed, 5 insertions(+)
diff --git a/g10/gpg.c b/g10/gpg.c
index 0c5a167..09bdf66 100644
index 0c5a1677c..09bdf66ba 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -1845,6 +1845,7 @@ gpgconf_list (const char *configfile)
......@@ -26,7 +26,7 @@ index 0c5a167..09bdf66 100644
/* The next one is an info only item and should match the macros at
the top of keygen.c */
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index a0d9659..cdd2586 100644
index a0d965969..cdd2586b7 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -716,6 +716,10 @@ static gc_option_t gc_options_gpg[] =
......
......@@ -14,7 +14,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
2 files changed, 3 insertions(+)
diff --git a/g10/gpg.c b/g10/gpg.c
index 09bdf66..2a4a0ad 100644
index 09bdf66ba..2a4a0addf 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -1840,6 +1840,7 @@ gpgconf_list (const char *configfile)
......@@ -26,7 +26,7 @@ index 09bdf66..2a4a0ad 100644
es_printf ("debug-level:%lu:\"none:\n", GC_OPT_FLAG_DEFAULT);
es_printf ("group:%lu:\n", GC_OPT_FLAG_NONE);
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index cdd2586..530c128 100644
index cdd2586b7..530c1287f 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -747,6 +747,8 @@ static gc_option_t gc_options_gpg[] =
......
......@@ -19,7 +19,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
4 files changed, 34 insertions(+), 83 deletions(-)
diff --git a/common/sexputil.c b/common/sexputil.c
index 0c5c730..a8dc1a5 100644
index 0c5c730ac..a8dc1a58c 100644
--- a/common/sexputil.c
+++ b/common/sexputil.c
@@ -512,53 +512,6 @@ get_rsa_pk_from_canon_sexp (const unsigned char *keydata, size_t keydatalen,
......@@ -99,7 +99,7 @@ index 0c5c730..a8dc1a5 100644
+ return algo;
+}
diff --git a/common/util.h b/common/util.h
index f7a53e1..b6d7156 100644
index f7a53e160..b6d715630 100644
--- a/common/util.h
+++ b/common/util.h
@@ -195,10 +195,10 @@ gpg_error_t get_rsa_pk_from_canon_sexp (const unsigned char *keydata,
......@@ -117,7 +117,7 @@ index f7a53e1..b6d7156 100644
/*-- convert.c --*/
int hex2bin (const char *string, void *buffer, size_t length);
diff --git a/g10/keygen.c b/g10/keygen.c
index 98ef29e..0180581 100644
index 98ef29efb..0180581d3 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1838,7 +1838,7 @@ check_keygrip (ctrl_t ctrl, const char *hexgrip)
......@@ -159,7 +159,7 @@ index 98ef29e..0180581 100644
diff --git a/sm/certreqgen-ui.c b/sm/certreqgen-ui.c
index ece8668..b50d338 100644
index ece8668f6..b50d338ae 100644
--- a/sm/certreqgen-ui.c
+++ b/sm/certreqgen-ui.c
@@ -95,7 +95,7 @@ check_keygrip (ctrl_t ctrl, const char *hexgrip)
......
......@@ -25,7 +25,7 @@ GnuPG-bug-id: 2973
4 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index b79b783..3b82b44 100644
index b79b78334..3b82b4457 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1824,7 +1824,8 @@ are available for all keyserver types, some common options are:
......@@ -50,7 +50,7 @@ index b79b783..3b82b44 100644
@table @asis
diff --git a/g10/export.c b/g10/export.c
index 8668126..207f994 100644
index 86681264d..207f9949b 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -247,16 +247,17 @@ export_pubkeys (ctrl_t ctrl, strlist_t users, unsigned int options,
......@@ -116,7 +116,7 @@ index 8668126..207f994 100644
clean_key (keyblock, opt.verbose, (options&EXPORT_MINIMAL), NULL, NULL);
diff --git a/g10/gpg.c b/g10/gpg.c
index 2a4a0ad..5a880fd 100644
index 2a4a0addf..5a880fd53 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -4546,7 +4546,7 @@ main (int argc, char **argv)
......@@ -138,7 +138,7 @@ index 2a4a0ad..5a880fd 100644
export_release_stats (stats);
}
diff --git a/g10/main.h b/g10/main.h
index 5ed501b..6837e98 100644
index 5ed501b3c..6837e989e 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -397,8 +397,10 @@ gpg_error_t parse_and_set_export_filter (const char *string);
......
......@@ -16,7 +16,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/common/stringhelp.c b/common/stringhelp.c
index dea2212..0abfa3d 100644
index dea2212c4..0abfa3d3a 100644
--- a/common/stringhelp.c
+++ b/common/stringhelp.c
@@ -1052,7 +1052,8 @@ do_percent_escape (const char *str, const char *extra, int die)
......@@ -44,7 +44,7 @@ index dea2212..0abfa3d 100644
{
ptr[i++] = '%';
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index 530c128..9358e2e 100644
index 530c1287f..9358e2efa 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -1490,6 +1490,13 @@ gc_percent_escape (const char *src)
......
......@@ -15,7 +15,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
2 files changed, 8 insertions(+)
diff --git a/g10/keyedit.c b/g10/keyedit.c
index 1456d28..a477e92 100644
index 1456d2867..a477e92c4 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -3053,6 +3053,8 @@ keyedit_quick_revuid (ctrl_t ctrl, const char *username, const char *uidtorev)
......@@ -28,7 +28,7 @@ index 1456d28..a477e92 100644
release_kbnode (keyblock);
keydb_release (kdbhd);
diff --git a/tests/openpgp/quick-key-manipulation.scm b/tests/openpgp/quick-key-manipulation.scm
index d43f7b5..ae1d0b9 100755
index d43f7b53a..ae1d0b963 100755
--- a/tests/openpgp/quick-key-manipulation.scm
+++ b/tests/openpgp/quick-key-manipulation.scm
@@ -36,6 +36,7 @@
......
......@@ -17,7 +17,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index b6c04dc..4e6f692 100644
index b6c04dcfc..4e6f6923d 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1173,7 +1173,8 @@ impex_filter_getval (void *cookie, const char *propname)
......
......@@ -20,7 +20,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/g10/getkey.c b/g10/getkey.c
index e39de28..21dcf08 100644
index e39de28ae..21dcf083c 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1592,8 +1592,10 @@ get_best_pubkey_byname (ctrl_t ctrl, GETKEY_CTX *retctx, PKT_public_key *pk,
......
......@@ -11,7 +11,7 @@ from trust-mode:foo to trust-model:foo.
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 3b82b44..d658737 100644
index 3b82b4457..d65873756 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1600,17 +1600,17 @@ Set what trust model GnuPG should follow. The models are:
......
......@@ -12,7 +12,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/g10/keylist.c b/g10/keylist.c
index abdcb9f..4078053 100644
index abdcb9f0a..407805357 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -465,6 +465,10 @@ print_signature_stats (struct keylist_context *s)
......
......@@ -14,7 +14,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index fe9c3c7..c9c16df 100644
index fe9c3c734..c9c16dfac 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -1847,6 +1847,7 @@ send_request (http_t hd, const char *httphost, const char *auth,
......
......@@ -18,7 +18,7 @@ Signed-off-by: Neal H. Walfield <neal@g10code.com>
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/g10/tofu.c b/g10/tofu.c
index 449e921..39457a5 100644
index 449e921b6..39457a501 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -2304,9 +2304,14 @@ build_conflict_set (tofu_dbs_t dbs,
......
......@@ -18,7 +18,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index bc2e071..35e6c82 100644
index bc2e071f8..35e6c8240 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -533,11 +533,35 @@ libdns_init (void)
......
......@@ -11,7 +11,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 35e6c82..c79a9c7 100644
index 35e6c8240..c79a9c7f4 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -568,8 +568,8 @@ libdns_init (void)
......
......@@ -17,7 +17,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/common/homedir.c b/common/homedir.c
index 6b40bb6..c41cbdc 100644
index 6b40bb6bf..c41cbdc7e 100644
--- a/common/homedir.c
+++ b/common/homedir.c
@@ -542,7 +542,7 @@ _gnupg_socketdir_internal (int skip_checks, unsigned *r_info)
......
......@@ -20,7 +20,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 2 insertions(+)
diff --git a/common/homedir.c b/common/homedir.c
index c41cbdc..4571aac 100644
index c41cbdc7e..4571aac7b 100644
--- a/common/homedir.c
+++ b/common/homedir.c
@@ -586,6 +586,8 @@ _gnupg_socketdir_internal (int skip_checks, unsigned *r_info)
......
......@@ -11,7 +11,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/g10/decrypt-data.c b/g10/decrypt-data.c
index 585b150..f5843d6 100644
index 585b1507f..f5843d6d7 100644
--- a/g10/decrypt-data.c
+++ b/g10/decrypt-data.c
@@ -222,7 +222,7 @@ decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek)
......
......@@ -12,7 +12,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/iobuf.c b/common/iobuf.c
index d346027..b8baf7f 100644
index d346027e4..b8baf7ff7 100644
--- a/common/iobuf.c
+++ b/common/iobuf.c
@@ -2552,7 +2552,7 @@ iobuf_read_line (iobuf_t a, byte ** addr_of_buffer,
......
......@@ -18,7 +18,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 1 insertion(+)
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 7f44ce5..bbb784a 100644
index 7f44ce532..bbb784a90 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -1572,6 +1572,7 @@ can_handle_critical (const byte * buffer, size_t n, int type)
......
......@@ -17,7 +17,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index c79a9c7..c2d5488 100644
index c79a9c7f4..c2d5488c1 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -538,10 +538,9 @@ libdns_init (void)
......
......@@ -18,7 +18,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index c2d5488..150237e 100644
index c2d5488c1..150237e53 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -550,24 +550,15 @@ libdns_init (void)
......
......@@ -13,7 +13,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 1 insertion(+)
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 32db4bc..66350a7 100644
index 32db4bc69..66350a7bc 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -1245,6 +1245,7 @@ handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request,
......
......@@ -32,7 +32,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
10 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c
index 337fe6e..2700cf9 100644
index 337fe6e4d..2700cf932 100644
--- a/dirmngr/crlfetch.c
+++ b/dirmngr/crlfetch.c
@@ -200,6 +200,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
......@@ -44,7 +44,7 @@ index 337fe6e..2700cf9 100644
ctrl->http_proxy, NULL, NULL, NULL);
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 43e9cbd..31d3ca2 100644
index 43e9cbd07..31d3ca235 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -112,6 +112,7 @@ enum cmd_and_opt_values {
......@@ -80,7 +80,7 @@ index 43e9cbd..31d3ca2 100644
return 1; /* Handled. */
}
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 6a4fd00..4cc2be0 100644
index 6a4fd003f..4cc2be0a9 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -97,7 +97,8 @@ struct
......@@ -94,7 +94,7 @@ index 6a4fd00..4cc2be0 100644
const char *http_proxy; /* The default HTTP proxy. */
const char *ldap_proxy; /* Use given LDAP proxy. */
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 150237e..ed77742 100644
index 150237e53..ed77742b4 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -123,6 +123,10 @@ static int opt_timeout;
......@@ -134,7 +134,7 @@ index 150237e..ed77742 100644
dai = xtrymalloc (sizeof *dai + ai->ai_addrlen - 1);
dai->family = ai->ai_family;
diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
index 9b8303c..71605b7 100644
index 9b8303c3b..71605b741 100644
--- a/dirmngr/dns-stuff.h
+++ b/dirmngr/dns-stuff.h
@@ -99,6 +99,10 @@ void set_dns_verbose (int verbose, int debug);
......@@ -149,7 +149,7 @@ index 9b8303c..71605b7 100644
void set_dns_timeout (int seconds);
diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c
index 811b72d..8a21c9f 100644
index 811b72de4..8a21c9f40 100644
--- a/dirmngr/ks-engine-finger.c
+++ b/dirmngr/ks-engine-finger.c
@@ -84,7 +84,8 @@ ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp)
......@@ -163,7 +163,7 @@ index 811b72d..8a21c9f 100644
if (err)
{
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 66350a7..7c91b6a 100644
index 66350a7bc..7c91b6a36 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -568,6 +568,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
......@@ -195,7 +195,7 @@ index 66350a7..7c91b6a 100644
session,
NULL,
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 69642ff..6de0616 100644
index 69642ff98..6de061699 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -89,7 +89,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
......@@ -209,7 +209,7 @@ index 69642ff..6de0616 100644
session,
NULL,
diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
index aff8e32..22391c3 100644
index aff8e3288..22391c32d 100644
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@@ -175,7 +175,8 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
......@@ -223,7 +223,7 @@ index aff8e32..22391c3 100644
if (err)
{
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index b00c2d3..9a7238f 100644
index b00c2d377..9a7238fb5 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -313,9 +313,10 @@ a numerical IP address must be given (IPv6 or IPv4) and that no error
......
......@@ -19,7 +19,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 37 insertions(+), 36 deletions(-)
diff --git a/agent/cache.c b/agent/cache.c
index 2483682..fead737 100644
index 248368277..fead73708 100644
--- a/agent/cache.c
+++ b/agent/cache.c
@@ -31,9 +31,8 @@
......
......@@ -13,7 +13,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/g10/keylist.c b/g10/keylist.c
index 4078053..1998ee9 100644
index 407805357..1998ee9aa 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -1017,7 +1017,7 @@ list_keyblock_print (ctrl_t ctrl, kbnode_t keyblock, int secret, int fpr,
......
......@@ -11,7 +11,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index d658737..c591049 100644
index d65873756..c591049f0 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -301,10 +301,13 @@ and other programs.
......
......@@ -11,7 +11,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
index 869e7ed..ebfd4c3 100644
index 869e7ed2e..ebfd4c31f 100644
--- a/dirmngr/dns.c
+++ b/dirmngr/dns.c
@@ -4594,8 +4594,9 @@ dns_error_t dns_trace_fput(const struct dns_trace_event *te, const void *data, s
......
......@@ -16,7 +16,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/gpg-connect-agent.c b/tools/gpg-connect-agent.c
index a5413cf..5af1465 100644
index a5413cf61..5af146565 100644
--- a/tools/gpg-connect-agent.c
+++ b/tools/gpg-connect-agent.c
@@ -2237,7 +2237,7 @@ start_agent (void)
......
......@@ -17,7 +17,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index ed77742..c63d958 100644
index ed77742b4..c63d9583d 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -827,7 +827,7 @@ resolve_name_libdns (const char *name, unsigned short port,
......@@ -132,7 +132,7 @@ index ed77742..c63d958 100644
{
gpg_error_t err;
diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
index 71605b7..adb0b80 100644
index 71605b741..adb0b80b0 100644
--- a/dirmngr/dns-stuff.h
+++ b/dirmngr/dns-stuff.h
@@ -78,7 +78,7 @@ struct dns_addrinfo_s
......
......@@ -12,7 +12,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index c9c16df..674cb3d 100644
index c9c16dfac..674cb3d2e 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2415,13 +2415,13 @@ start_server ()
......
......@@ -11,7 +11,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/g10/import.c b/g10/import.c
index 4e6f692..125b994 100644
index 4e6f6923d..125b9948b 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1235,7 +1235,7 @@ impex_filter_getval (void *cookie, const char *propname)
......
......@@ -16,7 +16,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/g10/export.c b/g10/export.c
index 207f994..ea9ffb4 100644
index 207f9949b..ea9ffb4d0 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -580,7 +580,7 @@ canon_pk_algo (enum gcry_pk_algos algo)
......@@ -38,7 +38,7 @@ index 207f994..ea9ffb4 100644
subkey_list_t subkey_list = NULL; /* Track already processed subkeys. */
int skip_until_subkey = 0;
diff --git a/g10/getkey.c b/g10/getkey.c
index 21dcf08..961d7de 100644
index 21dcf083c..961d7de22 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1640,7 +1640,8 @@ get_best_pubkey_byname (ctrl_t ctrl, GETKEY_CTX *retctx, PKT_public_key *pk,
......@@ -52,7 +52,7 @@ index 21dcf08..961d7de 100644
}
else
diff --git a/g10/tofu.c b/g10/tofu.c
index 39457a5..c3a4988 100644
index 39457a501..c3a4988cd 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -3857,7 +3857,7 @@ tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list,
......
......@@ -11,7 +11,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 31d3ca2..513e2a6 100644
index 31d3ca235..513e2a630 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -1905,7 +1905,6 @@ handle_connections (assuan_fd_t listen_fd)
......
......@@ -15,7 +15,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/g10/keyring.c b/g10/keyring.c
index 328290e..d75fdbc 100644
index 328290ed8..d75fdbc7b 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -692,7 +692,6 @@ keyring_search_reset (KEYRING_HANDLE hd)
......
......@@ -15,7 +15,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
index ebfd4c3..866f69d 100644
index ebfd4c31f..866f69dd5 100644
--- a/dirmngr/dns.c
+++ b/dirmngr/dns.c
@@ -9440,29 +9440,31 @@ void dns_ai_close(struct dns_addrinfo *ai) {
......
From: Werner Koch <wk@gnupg.org>
Date: Fri, 8 Jun 2018 10:45:21 +0200
Subject: gpg: Sanitize diagnostic with the original file name.
* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
--
This fixes a forgotten sanitation of user supplied data in a verbose
mode diagnostic. The mentioned CVE is about using this to inject
status-fd lines into the stderr output. Other harm could as well be
done. Note that GPGME based applications are not affected because
GPGME does not fold status output into stderr.
CVE-id: CVE-2018-12020
GnuPG-bug-id: 4012
(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
---
g10/mainproc.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/g10/mainproc.c b/g10/mainproc.c
index ac2ab03c9..79ad8d5a2 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -675,7 +675,14 @@ proc_plaintext( CTX c, PACKET *pkt )
if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
else if (opt.verbose)
- log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
+ {
+ /* We don't use print_utf8_buffer because that would require a
+ * string change which we don't want in 2.2. It is also not
+ * clear whether the filename is always utf-8 encoded. */
+ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
+ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
+ xfree (tmp);
+ }
free_md_filter_context (&c->mfx);
if (gcry_md_open (&c->mfx.md, 0, 0))
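Review bot: in the new `else if (opt.verbose)` block, `tmp` goes straight into `strlen (tmp)` with no NULL check, so this is only safe if make_printable_string never returns NULL on allocation failure; please confirm that it aborts on failure, or guard the call. Separately, the third argument is 0 while the format wraps the value in single quotes: if that argument selects an extra character to escape, passing the quote character would keep the quoted value unambiguous when pt->name itself contains a quote. A regression test with a file name containing a line feed would pin down the behaviour the commit message describes.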
From: Justus Winter <justus@g10code.com>
Date: Tue, 13 Jun 2017 11:33:06 +0200
Subject: dirmngr: Implement querying nameservers over IPv6.
* dirmngr/dns.c (dns_so_check): Reinitialize sockets on address family
mismatch.
(enum dns_res_state): New states for querying over IPv6.
(dns_res_exec): Implement the new states by copying and modifying the
IPv4 variants. Branch to their respective counterparts if the current
list of resolvers using the current address family is exhausted.
--
This allows dirmngr to resolve names on systems where the nameservers
are only reachable via IPv6.
GnuPG-bug-id: 2990
Signed-off-by: Justus Winter <justus@g10code.com>
(cherry picked from commit 15d2a009931f44a60b9df6325f837add208459d6)
---
dirmngr/dns.c | 180 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 179 insertions(+), 1 deletion(-)
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
index 866f69dd5..c473e5a6a 100644
--- a/dirmngr/dns.c
+++ b/dirmngr/dns.c
@@ -7567,6 +7567,22 @@ int dns_so_check(struct dns_socket *so) {
retry:
switch (so->state) {
case DNS_SO_UDP_INIT:
+ if (so->remote.ss_family != so->local.ss_family) {
+ /* Family mismatch. Reinitialize. */
+ if ((error = dns_so_closefd(so, &so->udp)))
+ goto error;
+ if ((error = dns_so_closefd(so, &so->tcp)))
+ goto error;
+
+ /* If the user supplied an interface
+ statement, that is gone now. Sorry. */
+ memset(&so->local, 0, sizeof so->local);
+ so->local.ss_family = so->remote.ss_family;
+
+ if (-1 == (so->udp = dns_socket((struct sockaddr *)&so->local, SOCK_DGRAM, &error)))
+ goto error;
+ }
+
so->state++;
case DNS_SO_UDP_CONN:
error = dns_connect(so->udp, (struct sockaddr *)&so->remote, dns_sa_len(&so->remote));
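Review bot: the family-mismatch branch under DNS_SO_UDP_INIT wipes so->local with memset, and the comment concedes that a user-supplied interface statement is lost, yet nothing is logged or returned to the caller. A deployment that pinned the resolver to a specific local address will then send queries from whatever address the system selects, so please either fail with an error when so->local was explicitly configured or emit a diagnostic at this point. Also, so->tcp is closed here but only so->udp is recreated; a short comment saying where so->tcp gets reopened would help the next reader.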
@@ -7605,6 +7621,19 @@ retry:
so->state++;
case DNS_SO_TCP_INIT:
+ if (so->remote.ss_family != so->local.ss_family) {
+ /* Family mismatch. Reinitialize. */
+ if ((error = dns_so_closefd(so, &so->udp)))
+ goto error;
+ if ((error = dns_so_closefd(so, &so->tcp)))
+ goto error;
+
+ /* If the user supplied an interface
+ statement, that is gone now. Sorry. */
+ memset(&so->local, 0, sizeof so->local);
+ so->local.ss_family = so->remote.ss_family;
+ }
+
if (dns_so_tcp_keep(so)) {
so->state = DNS_SO_TCP_SEND;
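Review bot: in the DNS_SO_TCP_INIT branch both so->udp and so->tcp are closed on a family mismatch, but unlike the DNS_SO_UDP_INIT branch no socket is recreated, and because so->local.ss_family is set to the remote family here, a later pass through DNS_SO_UDP_INIT will see matching families and skip its dns_socket() call. Please confirm that so->udp cannot be used afterwards while still closed, or recreate it here as well. The block is otherwise a copy of the UDP one; a small static helper taking `so` would keep the two from drifting apart.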
@@ -8056,6 +8085,8 @@ enum dns_res_state {
DNS_R_RESOLV1_NS, /* Epilog: Inspect answer */
DNS_R_FOREACH_A,
DNS_R_QUERY_A,
+ DNS_R_FOREACH_AAAA,
+ DNS_R_QUERY_AAAA,
DNS_R_CNAME0_A,
DNS_R_CNAME1_A,
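Review bot: DNS_R_FOREACH_AAAA and DNS_R_QUERY_AAAA are inserted in the middle of enum dns_res_state, which renumbers DNS_R_CNAME0_A and every state after it. That is fine as long as states are only referenced by name and the position directly after DNS_R_QUERY_A is intentional; a one-line comment stating the intended order would make that explicit. The neighbouring DNS_R_RESOLV1_NS entry carries a short description, and the two new states would benefit from the same.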
@@ -8715,8 +8746,22 @@ exec:
F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
if (!dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
- if (!dns_rr_i_count(&F->hints_j))
+ if (!dns_rr_i_count(&F->hints_j)) {
+ /* Check if we have in fact servers
+ with an IPv6 address. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ F->hints_j.name = u.ns.host;
+ F->hints_j.type = DNS_T_AAAA;
+ F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
+ if (dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
+ /* We do. Reinitialize
+ iterator and handle it. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
+ }
+
dgoto(R->sp, DNS_R_RESOLV0_NS);
+ }