[Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option

Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option
@ 2022-07-16 14:33 Fabrice Fontaine
  2022-07-16 14:33 ` [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7 Fabrice Fontaine
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2022-07-16 14:33 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

--disable-regex has been dropped since version 2.2.22 and
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ba247a114c75a84473c11c1484013b09fbb9bcd1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/gnupg2/gnupg2.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/gnupg2/gnupg2.mk b/package/gnupg2/gnupg2.mk
index 906b79e0ab..0a2cebfab3 100644
--- a/package/gnupg2/gnupg2.mk
+++ b/package/gnupg2/gnupg2.mk
@@ -16,7 +16,7 @@ GNUPG2_DEPENDENCIES = zlib libgpg-error libgcrypt libassuan libksba libnpth \
 	$(if $(BR2_PACKAGE_LIBICONV),libiconv) host-pkgconf
 
 GNUPG2_CONF_OPTS = \
-	--disable-rpath --disable-regex \
+	--disable-rpath \
 	--with-libgpg-error-prefix=$(STAGING_DIR)/usr \
 	--with-libgcrypt-prefix=$(STAGING_DIR)/usr \
 	--with-libassuan-prefix=$(STAGING_DIR)/usr \
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7
  2022-07-16 14:33 [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option Fabrice Fontaine
@ 2022-07-16 14:33 ` Fabrice Fontaine
  2022-08-03 20:43   ` Peter Korsgaard
  2022-07-16 15:32 ` [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option Yann E. MORIN
  2022-08-03 20:43 ` Peter Korsgaard
  2 siblings, 1 reply; 5+ messages in thread
From: Fabrice Fontaine @ 2022-07-16 14:33 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

Fix CVE-2022-34903: GnuPG through 2.3.6, in unusual situations where an
attacker possesses any secret-key information from a victim's keyring
and other constraints (e.g., use of GPGME) are met, allows signature
forgery via injection into the status line.

https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/gnupg2/gnupg2.hash | 10 +++++-----
 package/gnupg2/gnupg2.mk   |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package/gnupg2/gnupg2.hash b/package/gnupg2/gnupg2.hash
index caf5dcc883..ec2654be7b 100644
--- a/package/gnupg2/gnupg2.hash
+++ b/package/gnupg2/gnupg2.hash
@@ -1,7 +1,7 @@
-# From https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/000460.html
-sha1  81684626720c91060ae9920936c768df9fc8b2f6  gnupg-2.2.32.tar.bz2
+# From https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html
+sha1  9255a70a984bfbfa5312a9a52a1cf47cb0d1fc84  gnupg-2.3.7.tar.bz2
 # Calculated based on the hash above and signature
-# https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.32.tar.bz2.sig
-# using key 6DAA6E64A76D2840571B4902528897B826403ADA
-sha256  b2571b35f82c63e7d278aa6a1add0d73453dc14d3f0854be490c844fca7e0614  gnupg-2.2.32.tar.bz2
+# https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.7.tar.bz2.sig
+# using key 02F38DFF731FF97CB039A1DA549E695E905BA208
+sha256  ee163a5fb9ec99ffc1b18e65faef8d086800c5713d15a672ab57d3799da83669  gnupg-2.3.7.tar.bz2
 sha256  bc2d6664f6276fa0a72d57633b3ae68dc7dcb677b71018bf08c8e93e509f1357  COPYING
diff --git a/package/gnupg2/gnupg2.mk b/package/gnupg2/gnupg2.mk
index 0a2cebfab3..7d8424c136 100644
--- a/package/gnupg2/gnupg2.mk
+++ b/package/gnupg2/gnupg2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GNUPG2_VERSION = 2.2.32
+GNUPG2_VERSION = 2.3.7
 GNUPG2_SOURCE = gnupg-$(GNUPG2_VERSION).tar.bz2
 GNUPG2_SITE = https://gnupg.org/ftp/gcrypt/gnupg
 GNUPG2_LICENSE = GPL-3.0+
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7
  2022-07-16 14:33 ` [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7 Fabrice Fontaine
@ 2022-08-03 20:43   ` Peter Korsgaard
  0 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2022-08-03 20:43 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2022-34903: GnuPG through 2.3.6, in unusual situations where an
 > attacker possesses any secret-key information from a victim's keyring
 > and other constraints (e.g., use of GPGME) are met, allows signature
 > forgery via injection into the status line.

 > https://lists.gnupg.org/pipermail/gnupg-announce/2022q3/000474.html

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option
  2022-07-16 14:33 [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option Fabrice Fontaine
  2022-07-16 14:33 ` [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7 Fabrice Fontaine
@ 2022-07-16 15:32 ` Yann E. MORIN
  2022-08-03 20:43 ` Peter Korsgaard
  2 siblings, 0 replies; 5+ messages in thread
From: Yann E. MORIN @ 2022-07-16 15:32 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

Fabrice, All,

On 2022-07-16 16:33 +0200, Fabrice Fontaine spake thusly:
> --disable-regex has been dropped since version 2.2.22 and
> https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ba247a114c75a84473c11c1484013b09fbb9bcd1
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Series of two patches applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/gnupg2/gnupg2.mk | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/gnupg2/gnupg2.mk b/package/gnupg2/gnupg2.mk
> index 906b79e0ab..0a2cebfab3 100644
> --- a/package/gnupg2/gnupg2.mk
> +++ b/package/gnupg2/gnupg2.mk
> @@ -16,7 +16,7 @@ GNUPG2_DEPENDENCIES = zlib libgpg-error libgcrypt libassuan libksba libnpth \
>  	$(if $(BR2_PACKAGE_LIBICONV),libiconv) host-pkgconf
>  
>  GNUPG2_CONF_OPTS = \
> -	--disable-rpath --disable-regex \
> +	--disable-rpath \
>  	--with-libgpg-error-prefix=$(STAGING_DIR)/usr \
>  	--with-libgcrypt-prefix=$(STAGING_DIR)/usr \
>  	--with-libassuan-prefix=$(STAGING_DIR)/usr \
> -- 
> 2.35.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option
  2022-07-16 14:33 [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option Fabrice Fontaine
  2022-07-16 14:33 ` [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7 Fabrice Fontaine
  2022-07-16 15:32 ` [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option Yann E. MORIN
@ 2022-08-03 20:43 ` Peter Korsgaard
  2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2022-08-03 20:43 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > --disable-regex has been dropped since version 2.2.22 and
 > https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ba247a114c75a84473c11c1484013b09fbb9bcd1

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.05.x and 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-08-03 20:44 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-16 14:33 [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option Fabrice Fontaine
2022-07-16 14:33 ` [Buildroot] [PATCH 2/2] package/gnupg2: security bump to version 2.3.7 Fabrice Fontaine
2022-08-03 20:43   ` Peter Korsgaard
2022-07-16 15:32 ` [Buildroot] [PATCH 1/2] package/gnupg2: drop unrecognized option Yann E. MORIN
2022-08-03 20:43 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox