backporting fixes from master
NIIBE Yutaka
gniibe at fsij.org
Fri Jan 9 01:19:55 CET 2015
Hello,
Reviewing fixes in the master branch since 2.1.0, I backported the
following change to 2.0 and 1.4.
commit 68b4e7c9e4de0dc3580ca5af3cfd0f20a2691b5e
Author: Werner Koch <wk at gnupg.org>
Date: Fri Dec 12 20:08:45 2014 +0100
scd: Fix possibly inhibited checkpin of the admin pin.
* scd/app-openpgp.c (do_check_pin): Do not check a byte of a released
buffer.
Signed-off-by: Werner Koch <wk at gnupg.org>
And I think that the following eight fixes should be backported to 2.0.
Out of the eight, six fixes can just be "git cherry-pick"-ed.
commit cf88337f8a4f8c98aca4b1da5921d18567b4f474
Author: Joshua Rogers <git at internot.info>
Date: Tue Dec 23 00:47:50 2014 +1100
tools: Free variable before return
* tools/gpgconf-comp.c: Free 'dest_filename' before it is returned
upon error.
--
Signed-off-by: Joshua Rogers <git at internot.info>
commit ed8383c618e124cfa708c9ee87563fcdf2f4649c
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Dec 19 18:53:34 2014 -0500
sm: Avoid double-free on iconv failure
* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
double-free of pwbuf.
--
Observed by Joshua Rogers <honey at internot.info>, who proposed a
slightly different fix.
Debian-Bug-Id: 773472
Added fix at a second place - wk.
commit b0b3803e8c2959dd67ca96debc54b5c6464f0d41
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Dec 19 18:07:55 2014 -0500
scd: Avoid double-free on error condition in scd
* scd/command.c (cmd_readkey): avoid double-free of cert
--
When ksba_cert_new() fails, cert will be double-freed.
Debian-Bug-Id: 773471
Original patch changed by wk to do the free only at leave.
commit 367b073ab5f439ccf0750461d10c69f36998bd62
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Dec 19 17:53:36 2014 -0500
avoid future chance of using uninitialized memory
* common/iobuf.c: (iobuf_open): initialize len
--
In iobuf_open, IOBUFCTRL_DESC and IOBUFCTRL_INIT commands are invoked
(via file_filter()) on fcx, passing in a pointer to an uninitialized
len.
With these two commands, file_filter doesn't actually do anything with
the value of len, so there's no actual risk of use of uninitialized
memory in the code as it stands.
However, some static analysis tools might flag this situation with a
warning, and initializing the value doesn't hurt anything, so I think
this trivial cleanup is warranted.
Debian-Bug-Id: 773469
commit 351bca9047d748c3c4f7e9a3cdc476af127b1da3
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Dec 19 17:12:05 2014 -0500
gpgkey2ssh: clean up varargs
* tools/gpgkey2ssh.c (key_to_blob) : ensure that va_end is called.
--
stdarg(3) says:
Each invocation of va_start() must be matched by a
corresponding invocation of va_end() in the same function.
Observed by Joshua Rogers <honey at internot.info>
Debian-Bug-Id: 773415
commit 6056d2467310260ddc0db2fe65b737ace6febcaa
Author: Werner Koch <wk at gnupg.org>
Date: Mon Dec 22 12:44:13 2014 +0100
doc: Fix memory leak in yat2m.
* doc/yat2m.c (write_th): Free NAME.
--
Reported-by: Joshua Rogers <git at internot.info>
And two require a manual edit, but are easy to apply.
****
commit 193815030d20716d9a97850013ac3cc8749022c9
Author: Werner Koch <wk at gnupg.org>
Date: Fri Dec 12 10:41:25 2014 +0100
gpg: Fix possible read of unallocated memory
* g10/parse-packet.c (can_handle_critical): Check content length
before calling can_handle_critical_notation.
--
The problem was found by Jan Bee and gniibe proposed the used fix.
Thanks.
This bug can't be exploited: Only if the announced length of the
notation is 21 or 32 a memcmp against fixed strings using that length
would be done. The compared data is followed by the actual signature
and thus it is highly likely that not even read of unallocated memory
will happen. Nevertheless such a bug needs to be fixed.
Signed-off-by: Werner Koch <wk at gnupg.org>
****
commit abd5f6752d693b7f313c19604f0723ecec4d39a6
Author: Werner Koch <wk at gnupg.org>
Date: Mon Dec 22 12:16:46 2014 +0100
dirmngr,gpgsm: Return NULL on fail
* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL.
* sm/gpgsm.c (parse_keyserver_line): Ditto.
--
Reported-by: Joshua Rogers <git at internot.info>
"If something inside the ldapserver_parse_one function failed,
'server' would be freed, then returned, leading to a
use-after-free. This code is likely copied from sm/gpgsm.c, which
was also susceptible to this bug."
Signed-off-by: Werner Koch <wk at gnupg.org>
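The fixes listed above share three defensive patterns: release a partially built object at one `leave` point and return NULL rather than the freed pointer (the double-free and use-after-free commits), validate an announced length against the bytes actually present before a memcmp against fixed strings (the can_handle_critical commit), and reach va_end on every path out of a varargs function (the gpgkey2ssh commit). The following C is an added example written to illustrate those patterns; it is not GnuPG code and none of it comes from the commits above. The struct, function names, the two notation names and all inputs are constructed for the example.

```c
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not GnuPG code.  All names and inputs are constructed. */

struct server
{
  char *host;
  char *base;
};

/* Copy N bytes of S into a fresh NUL-terminated string. */
static char *dup_range (const char *s, size_t n)
{
  char *p = malloc (n + 1);
  if (!p)
    return NULL;
  memcpy (p, s, n);
  p[n] = '\0';
  return p;
}

void server_free (struct server *srv)
{
  if (!srv)
    return;
  free (srv->host);
  free (srv->base);
  free (srv);
}

/* Parse "host:base" into a fresh struct server.  Every failure jumps to
 * the single `leave' label, where the partially built object is released
 * exactly once and the function returns NULL, so a caller can never be
 * handed a dangling pointer. */
struct server *server_parse_line (const char *line)
{
  struct server *srv = NULL;
  const char *colon;
  int ok = 0;

  if (!line)
    goto leave;
  srv = calloc (1, sizeof *srv);
  if (!srv)
    goto leave;

  colon = strchr (line, ':');
  if (!colon || colon == line || !colon[1])
    goto leave;                 /* missing host or base */

  srv->host = dup_range (line, (size_t)(colon - line));
  srv->base = dup_range (colon + 1, strlen (colon + 1));
  if (!srv->host || !srv->base)
    goto leave;

  ok = 1;

 leave:
  if (!ok)
    {
      server_free (srv);
      srv = NULL;               /* return NULL, never the freed pointer */
    }
  return srv;
}

/* Recognise a notation name.  NAME_LEN is the length announced by the
 * packet and AVAIL is how many bytes of the packet really remain; the
 * announced length is checked against AVAIL before any memcmp, so the
 * comparison cannot read past the buffer. */
int notation_is_known (const unsigned char *name, size_t name_len, size_t avail)
{
  static const char known_a[] = "known-notation-a@example.org"; /* constructed */
  static const char known_b[] = "known-notation-b@example.org"; /* constructed */

  if (name_len > avail)
    return 0;                   /* announced length exceeds data present */
  if (name_len == sizeof known_a - 1 && !memcmp (name, known_a, name_len))
    return 1;
  if (name_len == sizeof known_b - 1 && !memcmp (name, known_b, name_len))
    return 1;
  return 0;
}

/* Sum N ints, stopping at the first negative one.  The early exit uses
 * `break', not `return', so the single va_end is reached on every path,
 * as stdarg(3) requires. */
int sum_until_negative (int n, ...)
{
  va_list ap;
  int total = 0;
  int i;

  va_start (ap, n);
  for (i = 0; i < n; i++)
    {
      int v = va_arg (ap, int);
      if (v < 0)
        break;
      total += v;
    }
  va_end (ap);
  return total;
}
```

The `ok` flag plus a single `leave` label is the shape the commit messages describe ("do the free only at leave"); it keeps one free per allocation regardless of how many error exits the function grows later.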