Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option
From: Fabrice Fontaine @ 2022-07-16 14:33 UTC
  To: buildroot; +Cc: Fabrice Fontaine

--disable-regex has been dropped since version 2.2.22 and
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ba247a114c75a84473c11c1484013b09fbb9bcd1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/gnupg2/gnupg2.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/gnupg2/gnupg2.mk b/package/gnupg2/gnupg2.mk
index 906b79e0ab..0a2cebfab3 100644
--- a/package/gnupg2/gnupg2.mk
+++ b/package/gnupg2/gnupg2.mk
@@ -16,7 +16,7 @@ GNUPG2_DEPENDENCIES = zlib libgpg-error libgcrypt libassuan libksba libnpth \
 	$(if $(BR2_PACKAGE_LIBICONV),libiconv) host-pkgconf
 
 GNUPG2_CONF_OPTS = \
-	--disable-rpath --disable-regex \
+	--disable-rpath \
 	--with-libgpg-error-prefix=$(STAGING_DIR)/usr \
 	--with-libgcrypt-prefix=$(STAGING_DIR)/usr \
 	--with-libassuan-prefix=$(STAGING_DIR)/usr \
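
Review bot: The commit message for this GNUPG2_CONF_OPTS change reads as unfinished: "has been dropped since version 2.2.22 and" runs straight into a bare URL. Suggest rewording it to say that the option was removed upstream in 2.2.22 by the linked commit. Since the subject already calls the option unrecognized, it would also help to say whether removing it changes the resulting build.
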
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7
From: Fabrice Fontaine @ 2022-07-16 14:33 UTC
  To: buildroot; +Cc: Fabrice Fontaine

Fix CVE-2022-34903: GnuPG through 2.3.6, in unusual situations where an
attacker possesses any secret-key information from a victim's keyring
and other constraints (e.g., use of GPGME) are met, allows signature
forgery via injection into the status line.

https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/gnupg2/gnupg2.hash | 10 +++++-----
 package/gnupg2/gnupg2.mk   |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package/gnupg2/gnupg2.hash b/package/gnupg2/gnupg2.hash
index caf5dcc883..ec2654be7b 100644
--- a/package/gnupg2/gnupg2.hash
+++ b/package/gnupg2/gnupg2.hash
@@ -1,7 +1,7 @@
-# From https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/000460.html
-sha1  81684626720c91060ae9920936c768df9fc8b2f6  gnupg-2.2.32.tar.bz2
+# From https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html
+sha1  9255a70a984bfbfa5312a9a52a1cf47cb0d1fc84  gnupg-2.3.7.tar.bz2
 # Calculated based on the hash above and signature
-# https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.32.tar.bz2.sig
-# using key 6DAA6E64A76D2840571B4902528897B826403ADA
-sha256  b2571b35f82c63e7d278aa6a1add0d73453dc14d3f0854be490c844fca7e0614  gnupg-2.2.32.tar.bz2
+# https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.7.tar.bz2.sig
+# using key 02F38DFF731FF97CB039A1DA549E695E905BA208
+sha256  ee163a5fb9ec99ffc1b18e65faef8d086800c5713d15a672ab57d3799da83669  gnupg-2.3.7.tar.bz2
 sha256  bc2d6664f6276fa0a72d57633b3ae68dc7dcb677b71018bf08c8e93e509f1357  COPYING
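
Review bot: The "# using key" comment changes the signing key fingerprint from 6DAA6E64A76D2840571B4902528897B826403ADA to 02F38DFF731FF97CB039A1DA549E695E905BA208, and the commit message does not mention it. The sha256 is described as "Calculated based on the hash above and signature", so its trust rests on that key. Please state in the commit message where the new fingerprint was obtained and how it was checked, so the next bump can tell an expected key rotation from an unexpected one.
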
diff --git a/package/gnupg2/gnupg2.mk b/package/gnupg2/gnupg2.mk
index 0a2cebfab3..7d8424c136 100644
--- a/package/gnupg2/gnupg2.mk
+++ b/package/gnupg2/gnupg2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GNUPG2_VERSION = 2.2.32
+GNUPG2_VERSION = 2.3.7
 GNUPG2_SOURCE = gnupg-$(GNUPG2_VERSION).tar.bz2
 GNUPG2_SITE = https://gnupg.org/ftp/gcrypt/gnupg
 GNUPG2_LICENSE = GPL-3.0+
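
Review bot: GNUPG2_VERSION moves from 2.2.32 to 2.3.7, which crosses from the 2.2 series to the 2.3 series, but the commit message describes only the CVE fix. Please say why 2.3.7 was chosen (for instance, whether a fixed release exists in the 2.2 series) and whether the minimum versions of the libraries listed in GNUPG2_DEPENDENCIES were checked against the new series. That matters to anyone applying this to a stable branch, where a series change is a larger step than a security fix alone.
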
-- 
2.35.1


* Re: [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option
From: Yann E. MORIN @ 2022-07-16 15:32 UTC
  To: Fabrice Fontaine; +Cc: buildroot

Fabrice, All,

On 2022-07-16 16:33 +0200, Fabrice Fontaine spake thusly:
> --disable-regex has been dropped since version 2.2.22 and
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ba247a114c75a84473c11c1484013b09fbb9bcd1
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Series of two patches applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/gnupg2/gnupg2.mk | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/gnupg2/gnupg2.mk b/package/gnupg2/gnupg2.mk
> index 906b79e0ab..0a2cebfab3 100644
> --- a/package/gnupg2/gnupg2.mk
> +++ b/package/gnupg2/gnupg2.mk
> @@ -16,7 +16,7 @@ GNUPG2_DEPENDENCIES = zlib libgpg-error libgcrypt libassuan libksba libnpth \
>  	$(if $(BR2_PACKAGE_LIBICONV),libiconv) host-pkgconf
>  
>  GNUPG2_CONF_OPTS = \
> -	--disable-rpath --disable-regex \
> +	--disable-rpath \
>  	--with-libgpg-error-prefix=$(STAGING_DIR)/usr \
>  	--with-libgcrypt-prefix=$(STAGING_DIR)/usr \
>  	--with-libassuan-prefix=$(STAGING_DIR)/usr \
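
Review bot: The removal of --disable-regex from GNUPG2_CONF_OPTS does not depend on patch 2/2, and the commit message should say so. The package is still at 2.2.32 before the bump, which is already past the 2.2.22 cutoff the message cites. Stating that makes it clear this patch can be applied to a branch on its own.
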
> -- 
> 2.35.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option
From: Peter Korsgaard @ 2022-08-03 20:43 UTC
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > --disable-regex has been dropped since version 2.2.22 and
 > https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ba247a114c75a84473c11c1484013b09fbb9bcd1

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7
From: Peter Korsgaard @ 2022-08-03 20:43 UTC
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2022-34903: GnuPG through 2.3.6, in unusual situations where an
 > attacker possesses any secret-key information from a victim's keyring
 > and other constraints (e.g., use of GPGME) are met, allows signature
 > forgery via injection into the status line.

 > https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
