diff -u gpgme1.0-1.1.2/debian/patches/00list gpgme1.0-1.1.2/debian/patches/00list
--- gpgme1.0-1.1.2/debian/patches/00list
+++ gpgme1.0-1.1.2/debian/patches/00list
@@ -2,0 +3 @@
+20_CVE-2007-1263.dpatch
diff -u gpgme1.0-1.1.2/debian/control gpgme1.0-1.1.2/debian/control
--- gpgme1.0-1.1.2/debian/control
+++ gpgme1.0-1.1.2/debian/control
@@ -1,7 +1,8 @@
 Source: gpgme1.0
 Priority: optional
 Section: libdevel
-Maintainer: Jose Carlos Garcia Sogo
+Maintainer: Ubuntu Core Developers
+XSBC-Original-Maintainer: Jose Carlos Garcia Sogo
 Build-Depends: debhelper (>> 4.1.40), libgpg-error-dev (>= 0.7-1), dpatch (>= 1.11)
 Standards-Version: 3.6.2
diff -u gpgme1.0-1.1.2/debian/changelog gpgme1.0-1.1.2/debian/changelog
--- gpgme1.0-1.1.2/debian/changelog
+++ gpgme1.0-1.1.2/debian/changelog
@@ -1,3 +1,14 @@
+gpgme1.0 (1.1.2-2ubuntu0.1) edgy-security; urgency=low
+
+ * SECURITY UPDATE: detect and bail out on double plaintext messages
+ * debian/patches/20_CVE-2007-1263.dpatch: upstream patch.
+ * References:
+ ftp://ftp.gnupg.org/gcrypt/gpgme/patches/gpgme-1.1.3-multiple-message.patch
+ CVE-2007-1263
+ * debian/control: Change Maintainer/XSBC-Original-Maintainer field.
+
+ -- Michael Bienia Fri, 9 Mar 2007 16:23:36 +0100
+
 gpgme1.0 (1.1.2-2) unstable; urgency=low
 * deian/patches:
only in patch2:
unchanged:
--- gpgme1.0-1.1.2.orig/debian/patches/20_CVE-2007-1263.dpatch
+++ gpgme1.0-1.1.2/debian/patches/20_CVE-2007-1263.dpatch
@@ -0,0 +1,71 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 100_CVE-2007-1263.dpatch by Michael Bienia
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad gpgme1.0-1.1.2~/gpgme/verify.c gpgme1.0-1.1.2/gpgme/verify.c
+--- gpgme1.0-1.1.2~/gpgme/verify.c 2006-02-09 20:56:31.000000000 +0100
++++ gpgme1.0-1.1.2/gpgme/verify.c 2007-03-09 16:11:55.000000000 +0100
+@@ -40,6 +40,7 @@
+ gpgme_signature_t current_sig;
+ int did_prepare_new_sig;
+ int only_newsig_seen;
++ int plaintext_seen;
+ } *op_data_t;
+
+
+@@ -549,8 +550,11 @@
+ }
+
+
++/* Parse an error status line and if SET_STATUS is true update the
++ result status as appropriate. With SET_STATUS being false, only
++ check for an error. */
+ static gpgme_error_t
+-parse_error (gpgme_signature_t sig, char *args)
++parse_error (gpgme_signature_t sig, char *args, int set_status)
+ {
+ gpgme_error_t err;
+ char *where = strchr (args, ' ');
+@@ -572,7 +576,16 @@
+
+ err = _gpgme_map_gnupg_error (which);
+
+- if (!strcmp (where, "verify.findkey"))
++ if (!strcmp (where, "proc_pkt.plaintext")
++ && gpg_err_code (err) == GPG_ERR_BAD_DATA)
++ {
++ /* This indicates a double plaintext. The only solid way to
++ handle this is by failing the oepration. */
++ return gpg_error (GPG_ERR_BAD_DATA);
++ }
++ else if (!set_status)
++ ;
++ else if (!strcmp (where, "verify.findkey"))
+ sig->status = err;
+ else if (!strcmp (where, "verify.keyusage")
+ && gpg_err_code (err) == GPG_ERR_WRONG_KEY_USAGE)
+@@ -670,9 +683,9 @@
+
+ case GPGME_STATUS_ERROR:
+ opd->only_newsig_seen = 0;
+- /* The error status is informational, so we don't return an
+- error code if we are not ready to process this status. */
+- return sig ? parse_error (sig, args) : 0;
++ /* Some error stati are informational, so we don't return an
++ error code if we are not ready to process this status. */
++ return parse_error (sig, args, !!sig );
+
+ case GPGME_STATUS_EOF:
+ if (sig && !opd->did_prepare_new_sig)
+@@ -703,6 +716,8 @@
+ break;
+
+ case GPGME_STATUS_PLAINTEXT:
++ if (++opd->plaintext_seen > 1)
++ return gpg_error (GPG_ERR_BAD_DATA);
+ err = _gpgme_parse_plaintext (args, &opd->result.file_name);
+ if (err)
+ return err;
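Review bot: In the verify.c change, `parse_error` can now be called with `sig` NULL (`parse_error (sig, args, !!sig )`), and the only thing keeping the `sig->status = err` assignments from a NULL dereference is that the empty `else if (!set_status) ;` branch sits ahead of them in the chain. The new function comment should state that contract, e.g. add `SIG may be NULL when SET_STATUS is false.`, and the bare `;` deserves a comment such as `; /* no signature yet: only the fatal check above applies */` so a later reordering does not break it. The parts of `parse_error` between the hunks are not shown, so it is worth confirming that they neither touch `sig` nor return an error for ERROR lines that were previously ignored when no signature was being processed. The dpatch header also still reads `100_CVE-2007-1263.dpatch` and `## DP: No description.`; a one-line description naming the double-plaintext check would help.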