[Gpg4win-commits] [git] Gpg4win - branch, gpg4win-2, updated. gpg4win-2.3.3-5-gbc7c1fc
by Andre Heinecke
cvs at cvs.gnupg.org
Thu Jul 6 10:26:56 CEST 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GnuPG for Windows".
The branch, gpg4win-2 has been updated
via bc7c1fcf6aeaa201749e063071829b3d42db20e7 (commit)
via 7c391a65f7662ad826bdb637f4cab3f679d2b822 (commit)
from 35cd7f2e17b7dae9760e353cf4278247cb5fb365 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit bc7c1fcf6aeaa201749e063071829b3d42db20e7
Author: Andre Heinecke <aheinecke at intevation.de>
Date: Thu Jul 6 10:22:40 2017 +0200
Maintenance update and fix for CVE-2017-7526
* packages/packages.current (libgcrypt): Update to 1.7.8.
(gpa): Update to 0.9.10
(libpng, curl, gnutls, gettext, libiconv, zlib): Update.
* NEWS: Mention changes.
* Makefile.am (EXTRA_DIST): Update accordingly.
* patches/gnutls-2.12.23: Move to gnutls-2.1.24
* patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch:
New.
--
This is in preparation for a 2.3.4 release, mainly to include
the newest libgcrypt. It is likely that not all gnutls patches
will apply. This will be fixed in a second commit.
diff --git a/Makefile.am b/Makefile.am
index e305b44..7482a24 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -36,16 +36,16 @@ EXTRA_DIST = autogen.sh README.GIT ONEWS \
patches/gnupg2/0006-gpgsm-Add-command-option-offline.patch \
patches/gnupg2/01-version.patch \
patches/gnupg2/01-version.patch.in \
- patches/gnutls-2.12.23/01-openssl-wincrypt.patch \
- patches/gnutls-2.12.23/02-cve-2013-2116.patch \
- patches/gnutls-2.12.23/03-cve-2014-1959.patch \
- patches/gnutls-2.12.23/04-cve-2014-0092.patch \
- patches/gnutls-2.12.23/05-cve-2014-3466.patch \
- patches/gnutls-2.12.23/06-cve-2015-0282.patch \
- patches/gnutls-2.12.23/07-cve-2015-0294.patch \
- patches/gnutls-2.12.23/fix-gcrypt-private-api-usage.patch \
- patches/gnutls-2.12.23/gnulib-mingw-w64-fix.patch \
- patches/gnutls-2.12.23/25_updatedgdocfrommaster.patch \
+ patches/gnutls-2.12.24/01-openssl-wincrypt.patch \
+ patches/gnutls-2.12.24/02-cve-2013-2116.patch \
+ patches/gnutls-2.12.24/03-cve-2014-1959.patch \
+ patches/gnutls-2.12.24/04-cve-2014-0092.patch \
+ patches/gnutls-2.12.24/05-cve-2014-3466.patch \
+ patches/gnutls-2.12.24/06-cve-2015-0282.patch \
+ patches/gnutls-2.12.24/07-cve-2015-0294.patch \
+ patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch \
+ patches/gnutls-2.12.24/gnulib-mingw-w64-fix.patch \
+ patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch \
patches/libtasn1-2.14/gnulib-mingw-w64-fix.patch \
patches/w32pth-2.0.5/workaround-broken-libtool.patch \
patches/scute-1.4.0/workaround-broken-libtool.patch \
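Review bot: the ten gnutls patches in EXTRA_DIST are carried over to patches/gnutls-2.12.24/ unchanged, including the CVE patches 02 through 07, and the commit message already expects that not all of them will apply. Before the 2.3.4 release, check each one against the 2.12.24 tarball and drop those that no longer apply from both this list and the patches directory, so the distribution does not ship patches that fail or are silently skipped against the new source.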
@@ -55,7 +55,8 @@ EXTRA_DIST = autogen.sh README.GIT ONEWS \
patches/gpgol-1.4.0/0001-Fix-UI-Server-startup.patch \
patches/gpgol-1.4.0/0002-Ignore-sent-S-MIME-Mails-if-S-MIME-is-disabled.patch \
patches/gpgol-1.4.0/0003-Fix-loop-logic-error-in-new-server-name-detection.patch \
- patches/libgpg-error-1.23/0001-Define-EWOULDBLOCK-in-case-it-is-not-defined.patch
+ patches/libgpg-error-1.23/0001-Define-EWOULDBLOCK-in-case-it-is-not-defined.patch \
+ patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch
copy-news:
cp NEWS doc/website/NEWS.last
diff --git a/NEWS b/NEWS
index c28d33b..2859e44 100644
--- a/NEWS
+++ b/NEWS
@@ -5,11 +5,31 @@
Noteworthy changes in version 2.3.4 (unreleased)
------------------------------------------------
+(en) The cryptography library libgcrypt has been updated to version
+ 1.7.8 to include a fix for a side channel attack.
+ [CVE-2017-7526] Details:
+ https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
+
+(de) Die Kryptographie Bibliothek libgcrypt wurde auf Version 1.7.8
+ aktualisiert um einen möglichen Seitenkanalangriff zu beheben.
+ [CVE-2017-7526] Details (englisch):
+ https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html
+
+(en) Support libraries have been updated.
+
+(de) Verwendete Software Bibliotheken wurden aktualisiert.
+
+(en) GPA was updated to 0.9.10. This includes a fix for file handling
+ with filenames containing special characters.
+
+(de) GPA wurde auf die Version 0.9.10 aktualisiert. Dies beinhaltet
+ eine Fehlerkorrektur für den Umgang mit Dateinamen die besondere
+ Zeichen enthalten.
~~~~~~~~~~~~~~~
GnuPG: 2.0.30
Kleopatra: 2.2.0-gitfb4ae3d
-GPA: 0.9.9
+GPA: 0.9.10
GpgOL: 1.4.0
GpgEX: 1.0.4
Kompendium DE: 3.0.0
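Review bot: the libgcrypt entry describes only the side-channel fix, but packages/packages.current in this commit moves libgcrypt from 1.6.6 to 1.7.8, which is a change of release series and not just a point update. Mention the series change in both the (en) and (de) entries, and consider naming the updated libraries with their versions instead of "Support libraries have been updated", since curl and gnutls are among them.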
diff --git a/packages/packages.current b/packages/packages.current
index 3757724..9a54b97 100644
--- a/packages/packages.current
+++ b/packages/packages.current
@@ -17,10 +17,11 @@
#
server http://zlib.net
-# checked: 2014-06-20 ah
-file zlib-1.2.8.tar.gz
-chk 36658cb768a54c1d4dec43c3116c27ed893e88b02ecfcb44f2166f9c0b7f2a0d
-
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 5ED4 6A67 21D3 6558 7791 E2AA 783F CD8E 58BC AFBA
+file zlib-1.2.11.tar.gz
+chk c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1
#
# GNU TLS and support libraries
@@ -28,13 +29,17 @@ chk 36658cb768a54c1d4dec43c3116c27ed893e88b02ecfcb44f2166f9c0b7f2a0d
server ftp://ftp.gnu.org/pub/gnu
-#checked: 2016-04-05 jochen
-file libiconv/libiconv-1.14.tar.gz
-chk 72b24ded17d687193c3366d0ebe7cde1e6b18f0df8c55438ac95be39e8a30613
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 68D9 4D8A AEEA D48A E7DC 5B90 4F49 4A94 2E46 16C2
+file libiconv/libiconv-1.15.tar.gz
+chk ccf536620a45458d26ba83887a983b96827001e92a13847b45e4925cc8913178
-#checked: 2016-04-05 jochen
-file gettext/gettext-0.19.5.tar.xz
-chk 3410a61c5c05d0392533c92133e135de828973fee27477a6d6dd3d3e36f2a2dd
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 4622 25C3 B46F 3487 9FC8 496C D605 848E D7E6 9871
+file gettext/gettext-0.19.8.tar.xz
+chk 9c1781328238caa1685d7bc7a2e1dcf1c6c134e86b42ed554066734b621bd12f
# checked: 2014-06-20 ah
file gsasl/libgsasl-1.8.0.tar.gz
@@ -46,10 +51,11 @@ chk bc2936cd20267859278145e563427c274d27aaae30ecdf50a04cdd4ec0153d54
server ftp://ftp.gnutls.org/gcrypt
-# checked: 2016-07-04 ah
-# verified with key 1F42 4189 05D8 206A A754 CCDC 29EE 58B9 9686 5171
-file gnutls/v2.12/gnutls-2.12.23.tar.bz2
-chk dfa67a7e40727eb0913e75f3c44911d5d8cd58d1ead5acfe73dd933fc0d17ed2
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 1F42 4189 05D8 206A A754 CCDC 29EE 58B9 9686 5171
+file gnutls/v2.12/gnutls-2.12.24.tar.xz
+chk 792e127c97e5b72bacbbdad16ba7532dc7d81a6197087a574549f473c1627ce7
#
@@ -58,10 +64,11 @@ chk dfa67a7e40727eb0913e75f3c44911d5d8cd58d1ead5acfe73dd933fc0d17ed2
server http://curl.haxx.se/download
-# checked: 2015-08-17 ah - updated
-# verified with key 27ED EAF2 2F3A BCEB 50DB 9A12 5CC9 08FD B71E 12C2
-file curl-7.50.1.tar.gz
-chk 3e392cf600822b817be82d9080b377fcbab70538d5a8bf525a1cd66e157b99ea
+# last-changed: 2017-07-06
+# by: ah
+# verified: Sig 27ED EAF2 2F3A BCEB 50DB 9A12 5CC9 08FD B71E 12C2
+file curl-7.54.1.tar.bz2
+chk fdfc4df2d001ee0c44ec071186e770046249263c491fcae48df0e1a3ca8f25a0
#
# GLIB
@@ -234,12 +241,12 @@ chk 677d6055494e24cad6c49eab33eee618ddc6ed65da827c8b5b7da761b4063278
# PNG
-# last changed: 2015-11-13
+# last changed: 2016-07-06
# by: ah
# verified: Sig 8048 643B A2C8 40F4 F92A 195F F549 84BF A16C 640F
server ftp://ftp.simplesystems.org/pub/png/src/
-file libpng14/libpng-1.4.19.tar.xz
-chk 52b830ea8900fad3ed46fc91021355211f418c8a41c39699600dbf1db2bbf7ff
+file libpng14/libpng-1.4.20.tar.xz
+chk f425d0b218fe025616a751c5c0051481fbbeac32d06c79a265e9bd5aef470275
#
# LibFFI
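Review bot: the PNG entry is bumped to "# last changed: 2016-07-06", while every other entry touched in this commit uses 2017-07-06 and the commit itself is dated 2017. This looks like a year typo and should read 2017-07-06. The "verified: Sig" fingerprint line is left as unchanged context, so also confirm that the signature on libpng-1.4.20 was actually checked against that key and not just inherited from the 1.4.19 entry.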
@@ -308,10 +315,10 @@ server ftp://ftp.gnupg.org/gcrypt
file libgpg-error/libgpg-error-1.23.tar.bz2
chk 7f0c7f65b98c4048f649bfeebfa4d4c1559707492962504592b985634c939eaa
-# last changed: 2016-08-17
+# last changed: 2017-07-06
# by: ah
-file libgcrypt/libgcrypt-1.6.6.tar.bz2
-chk f9461b4619bb78b273a88d468915750d418e89a3ea3b641bab0563a9af4b04d0
+file libgcrypt/libgcrypt-1.7.8.tar.bz2
+chk 948276ea47e6ba0244f36a17b51dcdd52cfd1e664b0a1ac3bc82134fb6cec199
# last-changed: 2016-07-04
# by: ah
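Review bot: the libgcrypt-1.7.8 entry gets a new chk value but no "# verified: Sig ..." line, unlike the zlib, libiconv, gettext, gnutls and curl entries updated in the same commit. This tarball is the one carrying the CVE-2017-7526 fix, so record the fingerprint of the key whose signature was checked, so that the checksum can be traced back to a verified release.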
@@ -348,10 +355,10 @@ chk bd698a853375324c4ff590899c1994be83d8d0a1400fcaf489529646965fb745
file gpgme/gpgme-1.6.0.tar.bz2
chk b09de4197ac280b102080e09eaec6211d081efff1963bf7821cf8f4f9916099d
-# last changed: 2015-09-09
+# last changed: 2017-07-06
# by: ah
-file gpa/gpa-0.9.9.tar.bz2
-chk 6828d738b9e1d3cce96d2ec9831c09873c4cb2c87ba67a161ef54485192c4334
+file gpa/gpa-0.9.10.tar.bz2
+chk c3b9cc36fd9916e83524930f99df13b1d5f601f4c0168cb9f5d81422e282b727
# (Snapshots)
# server ftp://ftp.g10code.com/g10code/scratch
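Review bot: the gpa-0.9.10 entry also has no "# verified: Sig ..." line next to its new chk, and it keeps the key spelling "last changed" while the entries rewritten in this commit use "last-changed". Add the verification fingerprint and settle on one spelling of the key, so that anything grepping these comments sees all entries.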
diff --git a/patches/gnutls-2.12.23/01-openssl-wincrypt.patch b/patches/gnutls-2.12.24/01-openssl-wincrypt.patch
similarity index 100%
rename from patches/gnutls-2.12.23/01-openssl-wincrypt.patch
rename to patches/gnutls-2.12.24/01-openssl-wincrypt.patch
diff --git a/patches/gnutls-2.12.23/02-cve-2013-2116.patch b/patches/gnutls-2.12.24/02-cve-2013-2116.patch
similarity index 100%
rename from patches/gnutls-2.12.23/02-cve-2013-2116.patch
rename to patches/gnutls-2.12.24/02-cve-2013-2116.patch
diff --git a/patches/gnutls-2.12.23/03-cve-2014-1959.patch b/patches/gnutls-2.12.24/03-cve-2014-1959.patch
similarity index 100%
rename from patches/gnutls-2.12.23/03-cve-2014-1959.patch
rename to patches/gnutls-2.12.24/03-cve-2014-1959.patch
diff --git a/patches/gnutls-2.12.23/04-cve-2014-0092.patch b/patches/gnutls-2.12.24/04-cve-2014-0092.patch
similarity index 100%
rename from patches/gnutls-2.12.23/04-cve-2014-0092.patch
rename to patches/gnutls-2.12.24/04-cve-2014-0092.patch
diff --git a/patches/gnutls-2.12.23/05-cve-2014-3466.patch b/patches/gnutls-2.12.24/05-cve-2014-3466.patch
similarity index 100%
rename from patches/gnutls-2.12.23/05-cve-2014-3466.patch
rename to patches/gnutls-2.12.24/05-cve-2014-3466.patch
diff --git a/patches/gnutls-2.12.23/06-cve-2015-0282.patch b/patches/gnutls-2.12.24/06-cve-2015-0282.patch
similarity index 100%
rename from patches/gnutls-2.12.23/06-cve-2015-0282.patch
rename to patches/gnutls-2.12.24/06-cve-2015-0282.patch
diff --git a/patches/gnutls-2.12.23/07-cve-2015-0294.patch b/patches/gnutls-2.12.24/07-cve-2015-0294.patch
similarity index 100%
rename from patches/gnutls-2.12.23/07-cve-2015-0294.patch
rename to patches/gnutls-2.12.24/07-cve-2015-0294.patch
diff --git a/patches/gnutls-2.12.23/25_updatedgdocfrommaster.patch b/patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch
similarity index 100%
rename from patches/gnutls-2.12.23/25_updatedgdocfrommaster.patch
rename to patches/gnutls-2.12.24/25_updatedgdocfrommaster.patch
diff --git a/patches/gnutls-2.12.23/fix-gcrypt-private-api-usage.patch b/patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch
similarity index 100%
rename from patches/gnutls-2.12.23/fix-gcrypt-private-api-usage.patch
rename to patches/gnutls-2.12.24/fix-gcrypt-private-api-usage.patch
diff --git a/patches/gnutls-2.12.23/gnulib-mingw-w64-fix.patch b/patches/gnutls-2.12.24/gnulib-mingw-w64-fix.patch
similarity index 100%
rename from patches/gnutls-2.12.23/gnulib-mingw-w64-fix.patch
rename to patches/gnutls-2.12.24/gnulib-mingw-w64-fix.patch
diff --git a/patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch b/patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch
new file mode 100755
index 0000000..9984bf4
--- /dev/null
+++ b/patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch
@@ -0,0 +1,61 @@
+#! /bin/sh
+patch -p1 -l -f $* < $0
+exit $?
+
+From ee3ec98dba5a8c98e9ca9737da633d0767d54214 Mon Sep 17 00:00:00 2001
+From: Andre Heinecke <aheinecke at intevation.de>
+Date: Sun, 14 May 2017 14:39:57 +0200
+Subject: [PATCH] Fix crash on filename conversion error
+
+* src/fileman.c (add_file): Handle conversion errors.
+
+--
+If g_filename_to_utf8 fails we now fall back to g_locale_to_utf8.
+If this still does not work we fall back to g_filename_display_name
+which replaces unconvertibale strings by question marks or unicode
+markup.
+Previously NULL pointer would be inserted as filenames, leading
+to crashes later on.
+
+This is especially important for windows where D&D files came
+in System encoding as well as "Double clicked" or "Open With" files.
+On windows filename_to_utf8 always assumes that the input is already
+UTF-8, because it's stupid. (or because the GTK File Dialog returns
+UTF-8 filenames) so the fallback to locale is especially important
+here.
+
+GnuPG-Bug-ID: T2185
+---
+ src/fileman.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/fileman.c b/src/fileman.c
+index 10824d4..cb0b67f 100644
+--- a/src/fileman.c
++++ b/src/fileman.c
+@@ -217,7 +217,22 @@ add_file (GpaFileManager *fileman, const gchar *filename)
+ gchar *filename_utf8;
+
+ /* The tree contains filenames in the UTF-8 encoding. */
+- filename_utf8 = g_filename_to_utf8 (filename, -1, NULL, NULL, NULL),
++ filename_utf8 = g_filename_to_utf8 (filename, -1, NULL, NULL, NULL);
++
++ /* Try to convert from the current locale as fallback. This is important
++ for windows where g_filename_to_utf8 does not take locale into account
++ because the filedialogs already convert to utf8. */
++ if (!filename_utf8)
++ {
++ filename_utf8 = g_locale_to_utf8 (filename, -1, NULL, NULL, NULL);
++ }
++
++ /* Last fallback is guranteed to never be NULL so in doubt we can still fail
++ later showing a filename that can't be found to the user etc.*/
++ if (!filename_utf8)
++ {
++ filename_utf8 = g_filename_display_name (filename);
++ }
+
+ store = GTK_LIST_STORE (gtk_tree_view_get_model
+ (GTK_TREE_VIEW (fileman->list_files)));
+--
+2.11.0
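Review bot: the last fallback in add_file stores the result of g_filename_display_name as the filename, and that string is a lossy display form that cannot be mapped back to the on-disk name, so later operations on that row will fail with a file-not-found style error (the new comment concedes this). It would be cleaner to warn the user or log at the point where the display-name fallback is taken, or to keep the original byte string alongside the UTF-8 one for the actual file operations. Two smaller points: the comment has a typo ("guranteed"), and the wrapper line "patch -p1 -l -f $* < $0" leaves $* and $0 unquoted, which breaks if the patch path or an argument contains spaces.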
commit 7c391a65f7662ad826bdb637f4cab3f679d2b822
Author: Andre Heinecke <aheinecke at intevation.de>
Date: Tue Jan 31 10:42:32 2017 +0100
Fix gcc library paths for mkportable
* mkportable-full.h,
mkportable-light.h,
mkportable-vanilla.h: Search libgcc and libstdcc in the top dir
where they are installed.
diff --git a/src/mkportable-full.h b/src/mkportable-full.h
index f2df2fe..661d020 100644
--- a/src/mkportable-full.h
+++ b/src/mkportable-full.h
@@ -148,8 +148,7 @@ const char * const full_files[] =
"pub/gpgconf.exe",
"pub/gpgsm.exe",
"pub/gpgv.exe",
- "pub/libgcc_s_sjlj-1.dll",
- "pub/libstdc++-6.dll",
+ "libstdc++-6.dll",
"qdbus.exe",
"qt.conf",
"QtCore4.dll",
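Review bot: in full_files both "pub/libgcc_s_sjlj-1.dll" and "pub/libstdc++-6.dll" are removed but only "libstdc++-6.dll" is added back, whereas the light and vanilla lists in the same commit add both top-dir names. Confirm that "libgcc_s_sjlj-1.dll" is already listed elsewhere in full_files; if it is not, the full portable build will be missing the GCC runtime DLL. The new top-dir entry is also placed among the "pub/" entries, so if the array is meant to stay sorted it belongs further up.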
diff --git a/src/mkportable-light.h b/src/mkportable-light.h
index 91ee2f1..54947da 100644
--- a/src/mkportable-light.h
+++ b/src/mkportable-light.h
@@ -102,8 +102,8 @@ const char * const light_files[] =
"pub/gpgconf.exe",
"pub/gpgsm.exe",
"pub/gpgv.exe",
- "pub/libgcc_s_sjlj-1.dll",
- "pub/libstdc++-6.dll",
+ "libgcc_s_sjlj-1.dll",
+ "libstdc++-6.dll",
"scdaemon.exe",
"scute.dll",
"sha1sum.exe",
diff --git a/src/mkportable-vanilla.h b/src/mkportable-vanilla.h
index cbed38e..d47818c 100644
--- a/src/mkportable-vanilla.h
+++ b/src/mkportable-vanilla.h
@@ -45,8 +45,8 @@ const char * const vanilla_files[] =
"pub/gpgconf.exe",
"pub/gpgsm.exe",
"pub/gpgv.exe",
- "pub/libgcc_s_sjlj-1.dll",
- "pub/libstdc++-6.dll",
+ "libgcc_s_sjlj-1.dll",
+ "libstdc++-6.dll",
"scdaemon.exe",
"scute.dll",
"sha1sum.exe",
-----------------------------------------------------------------------
Summary of changes:
Makefile.am | 23 ++++----
NEWS | 22 +++++++-
packages/packages.current | 61 ++++++++++++----------
.../01-openssl-wincrypt.patch | 0
.../02-cve-2013-2116.patch | 0
.../03-cve-2014-1959.patch | 0
.../04-cve-2014-0092.patch | 0
.../05-cve-2014-3466.patch | 0
.../06-cve-2015-0282.patch | 0
.../07-cve-2015-0294.patch | 0
.../25_updatedgdocfrommaster.patch | 0
.../fix-gcrypt-private-api-usage.patch | 0
.../gnulib-mingw-w64-fix.patch | 0
...01-Fix-crash-on-filename-conversion-error.patch | 61 ++++++++++++++++++++++
src/mkportable-full.h | 3 +-
src/mkportable-light.h | 4 +-
src/mkportable-vanilla.h | 4 +-
17 files changed, 133 insertions(+), 45 deletions(-)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/01-openssl-wincrypt.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/02-cve-2013-2116.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/03-cve-2014-1959.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/04-cve-2014-0092.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/05-cve-2014-3466.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/06-cve-2015-0282.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/07-cve-2015-0294.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/25_updatedgdocfrommaster.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/fix-gcrypt-private-api-usage.patch (100%)
rename patches/{gnutls-2.12.23 => gnutls-2.12.24}/gnulib-mingw-w64-fix.patch (100%)
create mode 100755 patches/gpa-0.9.10/0001-Fix-crash-on-filename-conversion-error.patch
hooks/post-receive
--
GnuPG for Windows
http://git.gnupg.org