* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
types.
--
The keyring DB code did not reject packets which don't belong into a
keyring. If for example the keyblock contains a literal data packet
it is expected that the processing code stops at the data packet and
reads from the input stream which is referenced from the data packets.
Obviously the keyring processing code does not and cannot do that.
However, when exporting this messes up the IOBUF and leads to an
invalid read of sizeof (int).
We now skip all packets which are not allowed in a keyring.
Reported-by: Hanno Böck <hanno@hboeck.de>
(back ported from commit f0f71a721c)
[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* include/dotlock.h: New. From current gnupg master.
* util/dotlock.c: Ditto. Include util.h. The major changes done in
master are: Factor Unix and W32 specific code out into specific
functions. Define HAVE_POSIX_SYSTEM. Rearrange some functions.
(disable_dotlock): Rename to dotlock_disable.
(create_dotlock): Rename to dotlock_create and add a dummy arg.
(destroy_dotlock): Rename to dotlock_destroy.
(make_dotlock): Rename to dotlock_take.
(release_dotlock): Rename to dotlock_release.
(remove_lockfiles): Rename to dotlock_remove_lockfiles.
secret keyring files to be extra safe on filesystems that may not sync
data and metadata together (ext4). Also check return code from the
cache invalidation to make sure we're safe over NFS and similar.
* exec.c, sign.c: Change "can't open file" to "can't open" and "can't
create file" to "can't create" to be consistent with other strings so we
don't have to translate both.
keyring.c (keyring_rebuild_cache): Add "noisy" flag so cache rebuilds can
remain noisy when called for itself, and quiet when called as part of the
trustdb rebuild.
* trustdb.c (validate_keys): Rebuild the sig caches before building the
trustdb. Note that this is going to require some architectual
re-thinking, as it is agonizingly slow.
* keyring.c (keyring_rebuild_cache): Clear sig cache for any signatures
that we can no longer process (say, if the user removed support for a
necessary pubkey or digest algorithm).
the skipfnc to include a pointer to the user ID that matched.
* getkey.c (skip_disabled): Rename to skip_unusable, and add checks for
expired or revoked user IDs.
* options.skel: Note that keyserver.pgp.com isn't synchronized, and
explain the roundrobin a bit better.
* sig-check.c (check_key_signature2), import.c (import_one,
import_revoke_cert, chk_self_sigs, delete_inv_parts, collapse_uids,
merge_blocks): Make much quieter during import of slightly munged, but
recoverable, keys. Use log_error for unrecoverable import failures.
* keyring.c (keyring_rebuild_cache): Comment.
* sign.c (mk_notation_and_policy): Making a v3 signature with notations or
policy urls is an error, not an info (i.e. increment the errorcount).
Don't print the notation or policy url to stdout since it can be mixed
into the output stream when piping and munge the stream.
fully valid keys so that disabled keys are still counted in the web of
trust. (get_ownertrust_with_min): Do the same for the minimum ownertrust
calculation.
* parse-packet.c (dump_sig_subpkt): Show the notation names for
not-human-readable notations. Fix cosmetic off-by-one length counter.
* options.skel: Add explantion and commented-out
"no-mangle-dos-filenames".
* mainproc.c (proc_encrypted): Make string translatable.
* keyserver.c (keyserver_spawn): Quote ':', '%', and any 8-bit characters
in the uid strings sent to the keyserver helper.
* keyring.c (keyring_rebuild_cache): Lock the keyring while rebuilding the
signature caches to prevent another gpg from tampering with the temporary
copy.
* keygen.c (keygen_set_std_prefs): Include AES192 and AES256 in default
prefs.
* keyedit.c (show_prefs): Make strings translatable.
* keydb.c: Double the maximum number of keyrings to 40.
* gpgv.c (main): Fix bug #113 - gpgv should accept the
--ignore-time-conflict option.
* g10.c (main): --openpgp disables --pgpX. Double the amount of secure
memory to 32k (keys are getting bigger these days).
* Makefile.am: Makefile.am: Use @CAPLIBS@ to link in -lcap if we are using
capabilities.
per-desc item. Merge into one function since 'force_exact' is no longer
needed. (key_byname): Use new classify_user_id function, and new exact
flag in KEYDB_SEARCH_DESC.
* keyring.h, keyring.c (keyring_search): Return an optional index to show
which KEYDB_SEARCH_DESC was the matching one.
* keydb.h, keydb.c (keydb_search): Rename to keydb_search2, and pass the
optional index to keyring_search. Add a macro version of keydb_search
that calls this new function.
* export.c (do_export_stream): If the keyid! syntax is used, export only
that specified key. If the key in question is a subkey, export the
primary plus that subkey only.
interactive import if status is enabled.
* keyring.c (keyring_search): skipfnc didn't work properly with non-keyid
searches. Noted by Stefan Bellon.
* getkey.c (merge_selfsigs_main): Remove some unused code and make sure
that the pk selfsigversion member accounts for 1F direct sigs.
a given keyring is registered twice.
* keydb.h, keydb.c (keydb_add_resource): Use flags to indicate a default
keyring. (keydb_locate_writable): Prefer the default keyring if possible.
* g10.c (main): Add --default-keyring option.
section for random gatherers.
* keyring.c (create_tmp_file, rename_tmp_file): Create tmp files with
user-only permissions, but restore the original permissions if the user
has something special set.
* openfile.c (copy_options_file): Create new options file (gpg.conf) with
user-only permissions.
* keydb.c (keydb_add_resource): Create new keyrings with user-only
permissions.