
Bug#771097: marked as done (unblock: libksba/1.3.2-1)



Your message dated Wed, 26 Nov 2014 19:12:37 +0100
with message-id <54761815.3080505@thykier.net>
and subject line Re: Bug#771097: unblock: libksba/1.3.2-1
has caused the Debian Bug report #771097,
regarding unblock: libksba/1.3.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
771097: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771097
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libksba 1.3.2-1, which fixes CVE-2014-9087, a
buffer overflow in ksba_oid_to_str() triggered by malformed OID encodings.
<http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html>

Upstream has specifically released 1.3.2 to fix this single bug.

unblock libksba/1.3.2-1

Find attached the filtered debdiff[1]

thanks, cu Andreas

[1] filterdiff -x '*/aclocal.m4' -x '*/config.guess' -x '*/config.sub' \
 -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' \
 -x '*/version.texi' -x '*/install-sh' -x '*/ltmain.sh' -x '*/missing' \
 -x '*/depcomp' -x '*/mdate-sh' -x '*/INSTALL' -x '*/config.rpath' \
 -x '*/ABOUT-NLS'
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru libksba-1.3.1/autogen.sh libksba-1.3.2/autogen.sh
--- libksba-1.3.1/autogen.sh	2014-01-10 13:31:26.000000000 +0100
+++ libksba-1.3.2/autogen.sh	2014-11-25 12:18:29.000000000 +0100
@@ -15,7 +15,7 @@
 # configure it for the respective package.  It is maintained as part of
 # GnuPG and source copied by other packages.
 #
-# Version: 2014-01-10
+# Version: 2014-06-06
 
 configure_ac="configure.ac"
 
@@ -41,7 +41,7 @@
 
 info () {
     if [ -z "${SILENT}" ]; then
-      echo "autogen.sh:" "$*"
+      echo "autogen.sh:" "$*" >&2
     fi
 }
 
@@ -70,8 +70,11 @@
 DIE=no
 FORCE=
 SILENT=
+PRINT_HOST=no
+PRINT_BUILD=no
 tmp=$(dirname "$0")
 tsdir=$(cd "${tmp}"; pwd)
+version_parts=3
 
 if [ -n "${AUTOGEN_SH_SILENT}" ]; then
   SILENT=" --silent"
@@ -88,6 +91,14 @@
   FORCE=" --force"
   shift
 fi
+if test x"$1" = x"--print-host"; then
+  PRINT_HOST=yes
+  shift
+fi
+if test x"$1" = x"--print-build"; then
+  PRINT_BUILD=yes
+  shift
+fi
 
 
 # Reject unsafe characters in $HOME, $tsdir and cwd.  We consider spaces
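Review bot: The new `--print-host`/`--print-build` tests are sequential `if`s on `$1`, so the options are positional: `--print-host` is only recognised when it directly follows an optional `--force`, and `--print-build` only when it follows `--print-host`, which is easy to get wrong on the command line and is not documented anywhere in the script. A comment above the first test would make the contract explicit, e.g. `# Options are positional and must be given in this order: [--force] [--print-host] [--print-build] <build mode>`. The `--force` handling starts just above this hunk, so its exact position is partly inferred.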
@@ -133,6 +144,11 @@
 myhost=""
 myhostsub=""
 case "$1" in
+    --find-version)
+        myhost="find-version"
+        SILENT=" --silent"
+        shift
+        ;;
     --build-w32)
         myhost="w32"
         shift
@@ -172,16 +188,74 @@
     . "$HOME/.gnupg-autogen.rc"
 fi
 
+
+# **** FIND VERSION ****
+# This is a helper for the configure.ac M4 magic
+# Called
+#   ./autogen.sh --find-version PACKAGE MAJOR MINOR [MICRO]
+# returns a complete version string with automatic beta numbering.
+if [ "$myhost" = "find-version" ]; then
+    package="$1"
+    major="$2"
+    minor="$3"
+    micro="$4"
+
+    case "$version_parts" in
+      2)
+        matchstr1="$package-$major.[0-9]*"
+        matchstr2="$package-$major-base"
+        vers="$major.$minor"
+        ;;
+      *)
+        matchstr1="$package-$major.$minor.[0-9]*"
+        matchstr2="$package-$major.$minor-base"
+        vers="$major.$minor.$micro"
+        ;;
+    esac
+
+    beta=no
+    if [ -d .git ]; then
+      ingit=yes
+      tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+      if [ -n "$tmp" ]; then
+          tmp=$(echo "$tmp"|awk -F- '$3!=0 && $3 !~ /^beta/ {print"-beta"$3}')
+      else
+          tmp=$(git describe --match "${matchstr2}" --long 2>/dev/null \
+                | awk -F- '$4!=0{print"-beta"$4}')
+      fi
+      [ -n "$tmp" ] && beta=yes
+      rev=$(git rev-parse --short HEAD | tr -d '\n\r')
+      rvd=$((0x$(echo ${rev} | head -c 4)))
+    else
+      ingit=no
+      beta=yes
+      tmp="-unknown"
+      rev="0000000"
+      rvd="0"
+    fi
+
+    echo "$package-$vers$tmp:$beta:$ingit:$vers$tmp:$vers:$tmp:$rev:$rvd:"
+    exit 0
+fi
+# **** end FIND VERSION ****
+
+
+if [ ! -f "$tsdir/build-aux/config.guess" ]; then
+    fatal "$tsdir/build-aux/config.guess not found"
+    exit 1
+fi
+build=`$tsdir/build-aux/config.guess`
+if [ $PRINT_BUILD = yes ]; then
+    echo "$build"
+    exit 0
+fi
+
+
+
 # ******************
 #  W32 build script
 # ******************
 if [ "$myhost" = "w32" ]; then
-    if [ ! -f "$tsdir/build-aux/config.guess" ]; then
-        fatal "$tsdir/build-aux/config.guess not found"
-        exit 1
-    fi
-    build=`$tsdir/build-aux/config.guess`
-
     case $myhostsub in
         ce)
           w32root="$w32ce_root"
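Review bot: In the `[ -d .git ]` branch, `rev=$(git rev-parse --short HEAD | tr -d '\n\r')` is not guarded: if git is unavailable or the checkout has no commits, `rev` is empty and `rvd=$((0x$(echo ${rev} | head -c 4)))` becomes `$((0x))`, which the shell's arithmetic expansion rejects, so the version lookup aborts instead of producing the `-unknown`/`0000000`/`0` fallback values of the else branch. `rev=$(git rev-parse --short HEAD 2>/dev/null | tr -d '\n\r')` followed by `[ -n "$rev" ] || rev="0000000"` keeps the two branches consistent. Note also that `.git` is tested relative to the current directory while the rest of the script works relative to `$tsdir`; that matches how configure.ac invokes `./autogen.sh --find-version`, but a one-line comment saying the helper expects to be run from the source root would save the next reader the guess.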
@@ -189,6 +263,12 @@
           toolprefixes="$w32ce_toolprefixes arm-mingw32ce"
           extraoptions="$extraoptions $w32ce_extraoptions"
           ;;
+        64)
+          w32root="$w64root"
+          [ -z "$w32root" ] && w32root="$HOME/w64root"
+          toolprefixes="$w64_toolprefixes x86_64-w64-mingw32"
+          extraoptions="$extraoptions $w64_extraoptions"
+          ;;
         *)
           [ -z "$w32root" ] && w32root="$HOME/w32root"
           toolprefixes="$w32_toolprefixes i686-w64-mingw32 i586-mingw32msvc"
@@ -216,6 +296,10 @@
         fi
         die_p
     fi
+    if [ $PRINT_HOST = yes ]; then
+        echo "$host"
+        exit 0
+    fi
 
     if [ -f "$tsdir/config.log" ]; then
         if ! head $tsdir/config.log | grep "$host" >/dev/null; then
@@ -226,7 +310,7 @@
 
     $tsdir/configure --enable-maintainer-mode ${SILENT} \
              --prefix=${w32root}  \
-             --host=${host} --build=${build} \
+             --host=${host} --build=${build} SYSROOT=${w32root} \
              ${configure_opts} ${extraoptions} "$@"
     rc=$?
     exit $rc
@@ -236,13 +320,6 @@
 # ***** AMD64 cross build script *******
 # Used to cross-compile for AMD64 (for testing)
 if [ "$myhost" = "amd64" ]; then
-    shift
-    if [ ! -f $tsdir/build-aux/config.guess ]; then
-        echo "$tsdir/build-aux/config.guess not found" >&2
-        exit 1
-    fi
-    build=`$tsdir/build-aux/config.guess`
-
     [ -z "$amd64root" ] && amd64root="$HOME/amd64root"
     info "Using $amd64root as standard install directory"
     replace_sysroot
@@ -263,6 +340,10 @@
         echo "Stop." >&2
         exit 1
     fi
+    if [ $PRINT_HOST = yes ]; then
+        echo "$host"
+        exit 0
+    fi
 
     if [ -f "$tsdir/config.log" ]; then
         if ! head $tsdir/config.log | grep "$host" >/dev/null; then
diff -Nru libksba-1.3.1/ChangeLog libksba-1.3.2/ChangeLog
--- libksba-1.3.1/ChangeLog	2014-09-18 09:35:35.000000000 +0200
+++ libksba-1.3.2/ChangeLog	2014-11-25 12:38:13.000000000 +0100
@@ -1,3 +1,27 @@
+2014-11-25  Werner Koch  <wk@gnupg.org>
+
+	Release 1.3.2.
+	* configure.ac: Set LT version to C19/A11/R3.
+
+	build: Update version number magic.
+	* autogen.sh: Update from gnupg master.
+	* configure.ac: Change for new init style.  Create VERSION.
+	* Makefile.am (dist-hook): Do no create VERSION
+
+	Fix buffer overflow in ksba_oid_to_str.
+	* src/oid.c (ksba_oid_to_str): Fix unsigned underflow.
+
+	* tests/Makefile.am (noinst_PROGRAMS): Move t-oid to ..
+	(TESTS): here.
+	* tests/t-oid.c (test_oid_to_str): New.
+	(main): Run the new tests by default.  The former functionality
+	requires the use of one of the new options.
+
+2014-09-25  Werner Koch  <wk@gnupg.org>
+
+	Strip CRs while building the oid translation table.
+	* tests/Makefile.am (oidtranstbl.h): Strip CRs
+
 2014-09-18  Werner Koch  <wk@gnupg.org>
 
 	Release 1.3.1.
diff -Nru libksba-1.3.1/configure libksba-1.3.2/configure
diff -Nru libksba-1.3.1/configure.ac libksba-1.3.2/configure.ac
--- libksba-1.3.1/configure.ac	2014-09-18 09:33:28.000000000 +0200
+++ libksba-1.3.2/configure.ac	2014-11-25 12:30:38.000000000 +0100
@@ -27,23 +27,23 @@
 # bump the version number immediately after the release and do another
 # commit and push so that the git magic is able to work.  See below
 # for the LT versions.
-m4_define(mym4_version, [1.3.1])
+m4_define([mym4_package],[libksba])
+m4_define([mym4_major], [1])
+m4_define([mym4_minor], [3])
+m4_define([mym4_micro], [2])
 
-# Below is m4 magic to extract and compute the revision number, the
-# decimalized short revision number, a beta version string, and a flag
-# indicating a development version (mym4_isgit). Note that the m4
-# processing is done by autoconf and not during the configure run.
-m4_define([mym4_revision],
-          m4_esyscmd([git rev-parse --short HEAD | tr -d '\n\r']))
-m4_define([mym4_revision_dec],
-          m4_esyscmd_s([echo $((0x$(echo ]mym4_revision[|head -c 4)))]))
-m4_define([mym4_betastring],
-          m4_esyscmd_s([git describe --match 'libksba-[0-9].*[0-9]' --long|\
-                        awk -F- '$3!=0{print"-beta"$3}']))
-m4_define([mym4_isgit],m4_if(mym4_betastring,[],[no],[yes]))
-m4_define([mym4_full_version],[mym4_version[]mym4_betastring])
-
-AC_INIT([libksba],[mym4_full_version],[http://bugs.gnupg.org])
+# Below is m4 magic to extract and compute the git revision number,
+# the decimalized short revision number, a beta version string and a
+# flag indicating a development version (mym4_isbeta).  Note that the
+# m4 processing is done by autoconf and not during the configure run.
+m4_define([mym4_verslist], m4_split(m4_esyscmd([./autogen.sh --find-version] \
+                           mym4_package mym4_major mym4_minor mym4_micro),[:]))
+m4_define([mym4_isbeta],       m4_argn(2, mym4_verslist))
+m4_define([mym4_version],      m4_argn(4, mym4_verslist))
+m4_define([mym4_revision],     m4_argn(7, mym4_verslist))
+m4_define([mym4_revision_dec], m4_argn(8, mym4_verslist))
+m4_esyscmd([echo ]mym4_version[>VERSION])
+AC_INIT([mym4_package],[mym4_version], [http://bugs.gnupg.org])
 
 # LT Version numbers: Remember to change them just *before* a release.
 #   (Interfaces removed:    CURRENT++, AGE=0, REVISION=0)
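Review bot: Nothing checks that `./autogen.sh --find-version` actually produced output: if the script is not executable or fails, `mym4_verslist` is empty, `mym4_version` expands to nothing, AC_INIT is handed an empty version string and `m4_esyscmd([echo ]mym4_version[>VERSION])` silently writes an empty VERSION file. A guard right after the `mym4_version` definition turns this into a hard autoconf error: `m4_if(mym4_version, [], [m4_fatal([./autogen.sh --find-version produced no version])])`. It is also worth a comment here that VERSION is now written as a side effect of running autoconf (the dist-hook copy was dropped from Makefile.am in this same change), so a tree whose configure was not regenerated after a version bump could ship a stale VERSION.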
@@ -52,7 +52,7 @@
 # Please remember to document interface changes in the NEWS file.
 LIBKSBA_LT_CURRENT=19
 LIBKSBA_LT_AGE=11
-LIBKSBA_LT_REVISION=2
+LIBKSBA_LT_REVISION=3
 #-------------------
 # If the API is changed in an incompatible way: increment the next counter.
 KSBA_CONFIG_API_VERSION=1
diff -Nru libksba-1.3.1/debian/changelog libksba-1.3.2/debian/changelog
--- libksba-1.3.1/debian/changelog	2014-09-26 19:27:40.000000000 +0200
+++ libksba-1.3.2/debian/changelog	2014-11-25 20:08:22.000000000 +0100
@@ -1,3 +1,10 @@
+libksba (1.3.2-1) unstable; urgency=high
+
+  * New upstream security release, fixing a buffer overflow in ksba_oid_to_str
+    in Libksba. Closes: #770972
+
+ -- Andreas Metzler <ametzler@debian.org>  Tue, 25 Nov 2014 20:05:54 +0100
+
 libksba (1.3.1-1) unstable; urgency=medium
 
   * New upstream bugfix release.
diff -Nru libksba-1.3.1/doc/ksba.info libksba-1.3.2/doc/ksba.info
--- libksba-1.3.1/doc/ksba.info	2014-09-18 09:35:34.000000000 +0200
+++ libksba-1.3.2/doc/ksba.info	2014-11-25 12:38:13.000000000 +0100
@@ -9,8 +9,8 @@
    This file documents the KSBA library to access X.509 and CMS data
 structures.
 
-   This is edition 1.3.1, last updated 15 March 2013, of `The KSBA
-Reference Manual', for Version 1.3.1.
+   This is edition 1.3.2, last updated 15 March 2013, of `The KSBA
+Reference Manual', for Version 1.3.2.
 
    Copyright (C) 2002, 2003, 2004 g10 Code GmbH
 
@@ -26,8 +26,8 @@
 Main Menu
 *********
 
-This is edition 1.3.1, last updated 15 March 2013, of `The KSBA
-Reference Manual', for Version 1.3.1 of the KSBA library.
+This is edition 1.3.2, last updated 15 March 2013, of `The KSBA
+Reference Manual', for Version 1.3.2 of the KSBA library.
 
    Copyright (C) 2002, 2003, 2004 g10 Code GmbH
 
diff -Nru libksba-1.3.1/doc/Makefile.in libksba-1.3.2/doc/Makefile.in
diff -Nru libksba-1.3.1/doc/stamp-vti libksba-1.3.2/doc/stamp-vti
diff -Nru libksba-1.3.1/doc/version.texi libksba-1.3.2/doc/version.texi
diff -Nru libksba-1.3.1/gl/Makefile.in libksba-1.3.2/gl/Makefile.in
diff -Nru libksba-1.3.1/m4/gpg-error.m4 libksba-1.3.2/m4/gpg-error.m4
--- libksba-1.3.1/m4/gpg-error.m4	2013-03-15 20:26:38.000000000 +0100
+++ libksba-1.3.2/m4/gpg-error.m4	2014-11-25 12:15:20.000000000 +0100
@@ -1,5 +1,5 @@
 # gpg-error.m4 - autoconf macro to detect libgpg-error.
-# Copyright (C) 2002, 2003, 2004, 2011 g10 Code GmbH
+# Copyright (C) 2002, 2003, 2004, 2011, 2014 g10 Code GmbH
 #
 # This file is free software; as a special exception the author gives
 # unlimited permission to copy and/or distribute it, with or without
@@ -8,38 +8,64 @@
 # This file is distributed in the hope that it will be useful, but
 # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
 # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# Last-changed: 2014-10-02
+
 
 dnl AM_PATH_GPG_ERROR([MINIMUM-VERSION,
 dnl                   [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-dnl Test for libgpg-error and define GPG_ERROR_CFLAGS and GPG_ERROR_LIBS
+dnl
+dnl Test for libgpg-error and define GPG_ERROR_CFLAGS, GPG_ERROR_LIBS,
+dnl GPG_ERROR_MT_CFLAGS, and GPG_ERROR_MT_LIBS.  The _MT_ variants are
+dnl used for programs requireing real multi thread support.
+dnl
+dnl If a prefix option is not used, the config script is first
+dnl searched in $SYSROOT/bin and then along $PATH.  If the used
+dnl config script does not match the host specification the script
+dnl is added to the gpg_config_script_warn variable.
 dnl
 AC_DEFUN([AM_PATH_GPG_ERROR],
 [ AC_REQUIRE([AC_CANONICAL_HOST])
+  gpg_error_config_prefix=""
   dnl --with-libgpg-error-prefix=PFX is the preferred name for this option,
   dnl since that is consistent with how our three siblings use the directory/
   dnl package name in --with-$dir_name-prefix=PFX.
   AC_ARG_WITH(libgpg-error-prefix,
-            AC_HELP_STRING([--with-libgpg-error-prefix=PFX],
-                           [prefix where GPG Error is installed (optional)]),
-     gpg_error_config_prefix="$withval", gpg_error_config_prefix="")
+              AC_HELP_STRING([--with-libgpg-error-prefix=PFX],
+                             [prefix where GPG Error is installed (optional)]),
+              [gpg_error_config_prefix="$withval"])
 
   dnl Accept --with-gpg-error-prefix and make it work the same as
   dnl --with-libgpg-error-prefix above, for backwards compatibility,
   dnl but do not document this old, inconsistently-named option.
   AC_ARG_WITH(gpg-error-prefix,,
-     gpg_error_config_prefix="$withval", gpg_error_config_prefix="")
+              [gpg_error_config_prefix="$withval"])
 
-  if test x$gpg_error_config_prefix != x ; then
-     if test x${GPG_ERROR_CONFIG+set} != xset ; then
-        GPG_ERROR_CONFIG=$gpg_error_config_prefix/bin/gpg-error-config
+  if test x"${GPG_ERROR_CONFIG}" = x ; then
+     if test x"${gpg_error_config_prefix}" != x ; then
+        GPG_ERROR_CONFIG="${gpg_error_config_prefix}/bin/gpg-error-config"
+     else
+       case "${SYSROOT}" in
+         /*)
+           if test -x "${SYSROOT}/bin/gpg-error-config" ; then
+             GPG_ERROR_CONFIG="${SYSROOT}/bin/gpg-error-config"
+           fi
+           ;;
+         '')
+           ;;
+          *)
+           AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.])
+           ;;
+       esac
      fi
   fi
 
-  AC_PATH_TOOL(GPG_ERROR_CONFIG, gpg-error-config, no)
+  AC_PATH_PROG(GPG_ERROR_CONFIG, gpg-error-config, no)
   min_gpg_error_version=ifelse([$1], ,0.0,$1)
   AC_MSG_CHECKING(for GPG Error - version >= $min_gpg_error_version)
   ok=no
-  if test "$GPG_ERROR_CONFIG" != "no" ; then
+  if test "$GPG_ERROR_CONFIG" != "no" \
+     && test -f "$GPG_ERROR_CONFIG" ; then
     req_major=`echo $min_gpg_error_version | \
                sed 's/\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
     req_minor=`echo $min_gpg_error_version | \
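Review bot: The switch from AC_PATH_TOOL to AC_PATH_PROG at the `GPG_ERROR_CONFIG` lookup drops the host-prefixed (`$host_alias-gpg-error-config`) search that cross builds without SYSROOT previously got, so such a build now silently takes the build machine's script from $PATH and only the later host-mismatch warning reveals it; if that is intended, say so in the macro comment (`dnl Cross builds are expected to set SYSROOT or --with-libgpg-error-prefix; the PATH lookup is not host-prefixed.`). `gpg_config_script_warn` is appended to on mismatch, but nothing in this debdiff's configure.ac changes reads it, so the collected warning appears to be lost unless configure.ac is also updated to report it at the end. Minor: the SYSROOT branch requires `-x` on the config script, while a prefix- or environment-supplied path is only checked with `test -f` before being executed; `test -x "$GPG_ERROR_CONFIG"` would be consistent.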
@@ -62,6 +88,8 @@
   if test $ok = yes; then
     GPG_ERROR_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --cflags`
     GPG_ERROR_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --libs`
+    GPG_ERROR_MT_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --cflags 2>/dev/null`
+    GPG_ERROR_MT_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --libs 2>/dev/null`
     AC_MSG_RESULT([yes ($gpg_error_config_version)])
     ifelse([$2], , :, [$2])
     gpg_error_config_host=`$GPG_ERROR_CONFIG $gpg_error_config_args --host 2>/dev/null || echo none`
@@ -73,16 +101,21 @@
 *** built for $gpg_error_config_host and thus may not match the
 *** used host $host.
 *** You may want to use the configure option --with-gpg-error-prefix
-*** to specify a matching config script.
+*** to specify a matching config script or use \$SYSROOT.
 ***]])
+        gpg_config_script_warn="$gpg_config_script_warn libgpg-error"
       fi
     fi
   else
     GPG_ERROR_CFLAGS=""
     GPG_ERROR_LIBS=""
+    GPG_ERROR_MT_CFLAGS=""
+    GPG_ERROR_MT_LIBS=""
     AC_MSG_RESULT(no)
     ifelse([$3], , :, [$3])
   fi
   AC_SUBST(GPG_ERROR_CFLAGS)
   AC_SUBST(GPG_ERROR_LIBS)
+  AC_SUBST(GPG_ERROR_MT_CFLAGS)
+  AC_SUBST(GPG_ERROR_MT_LIBS)
 ])
diff -Nru libksba-1.3.1/m4/libgcrypt.m4 libksba-1.3.2/m4/libgcrypt.m4
--- libksba-1.3.1/m4/libgcrypt.m4	2013-03-15 20:26:38.000000000 +0100
+++ libksba-1.3.2/m4/libgcrypt.m4	2014-11-25 12:15:33.000000000 +0100
@@ -1,13 +1,15 @@
-dnl Autoconf macros for libgcrypt
-dnl       Copyright (C) 2002, 2004, 2011 Free Software Foundation, Inc.
-dnl
-dnl This file is free software; as a special exception the author gives
-dnl unlimited permission to copy and/or distribute it, with or without
-dnl modifications, as long as this notice is preserved.
-dnl
-dnl This file is distributed in the hope that it will be useful, but
-dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
-dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# libgcrypt.m4 - Autoconf macros to detect libgcrypt
+# Copyright (C) 2002, 2003, 2004, 2011, 2014 g10 Code GmbH
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# Last-changed: 2014-10-02
 
 
 dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
@@ -20,19 +22,37 @@
 dnl this features allows to prevent build against newer versions of libgcrypt
 dnl with a changed API.
 dnl
+dnl If a prefix option is not used, the config script is first
+dnl searched in $SYSROOT/bin and then along $PATH.  If the used
+dnl config script does not match the host specification the script
+dnl is added to the gpg_config_script_warn variable.
+dnl
 AC_DEFUN([AM_PATH_LIBGCRYPT],
 [ AC_REQUIRE([AC_CANONICAL_HOST])
   AC_ARG_WITH(libgcrypt-prefix,
             AC_HELP_STRING([--with-libgcrypt-prefix=PFX],
                            [prefix where LIBGCRYPT is installed (optional)]),
      libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
-  if test x$libgcrypt_config_prefix != x ; then
-     if test x${LIBGCRYPT_CONFIG+set} != xset ; then
-        LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
+  if test x"${LIBGCRYPT_CONFIG}" = x ; then
+     if test x"${libgcrypt_config_prefix}" != x ; then
+        LIBGCRYPT_CONFIG="${libgcrypt_config_prefix}/bin/libgcrypt-config"
+     else
+       case "${SYSROOT}" in
+         /*)
+           if test -x "${SYSROOT}/bin/libgcrypt-config" ; then
+             LIBGCRYPT_CONFIG="${SYSROOT}/bin/libgcrypt-config"
+           fi
+           ;;
+         '')
+           ;;
+          *)
+           AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.])
+           ;;
+       esac
      fi
   fi
 
-  AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no)
+  AC_PATH_PROG(LIBGCRYPT_CONFIG, libgcrypt-config, no)
   tmp=ifelse([$1], ,1:1.2.0,$1)
   if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
      req_libgcrypt_api=`echo "$tmp"     | sed 's/\(.*\):\(.*\)/\1/'`
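Review bot: The AC_PATH_PROG replacement has the same consequence here as in gpg-error.m4: without SYSROOT or `--with-libgcrypt-prefix`, a cross build no longer looks for `$host_alias-libgcrypt-config` and silently takes the build host's script from $PATH, with the host-mismatch warning as the only signal. The prefix handling was also left in the old form (`libgcrypt_config_prefix="$withval", libgcrypt_config_prefix=""`) whereas gpg-error.m4 now initialises the variable before AC_ARG_WITH; harmless, but the two macros claim to be kept in sync (`Last-changed: 2014-10-02`) and this is one place where they already differ.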
@@ -108,8 +128,9 @@
 *** built for $libgcrypt_config_host and thus may not match the
 *** used host $host.
 *** You may want to use the configure option --with-libgcrypt-prefix
-*** to specify a matching config script.
+*** to specify a matching config script or use \$SYSROOT.
 ***]])
+        gpg_config_script_warn="$gpg_config_script_warn libgcrypt"
       fi
     fi
   else
diff -Nru libksba-1.3.1/m4/Makefile.in libksba-1.3.2/m4/Makefile.in
diff -Nru libksba-1.3.1/Makefile.am libksba-1.3.2/Makefile.am
--- libksba-1.3.1/Makefile.am	2014-01-10 12:56:56.000000000 +0100
+++ libksba-1.3.2/Makefile.am	2014-11-25 12:22:47.000000000 +0100
@@ -41,7 +41,6 @@
 SUBDIRS = m4 gl src ${tests} doc
 
 dist-hook: gen-ChangeLog
-	@set -e; echo "$(VERSION)" > $(distdir)/VERSION
 
 
 gen_start_date = 2011-12-01T00:00:00
diff -Nru libksba-1.3.1/Makefile.in libksba-1.3.2/Makefile.in
diff -Nru libksba-1.3.1/NEWS libksba-1.3.2/NEWS
--- libksba-1.3.1/NEWS	2014-09-18 09:33:28.000000000 +0200
+++ libksba-1.3.2/NEWS	2014-11-25 12:32:57.000000000 +0100
@@ -1,3 +1,9 @@
+Noteworthy changes in version 1.3.2 (2014-11-25) [C19/A11/R3]
+------------------------------------------------
+
+ * Fixed a buffer overflow in ksba_oid_to_str.
+
+
 Noteworthy changes in version 1.3.1 (2014-09-18)
 ------------------------------------------------
 
diff -Nru libksba-1.3.1/src/Makefile.in libksba-1.3.2/src/Makefile.in
diff -Nru libksba-1.3.1/src/oid.c libksba-1.3.2/src/oid.c
--- libksba-1.3.1/src/oid.c	2013-03-15 20:26:38.000000000 +0100
+++ libksba-1.3.2/src/oid.c	2014-11-25 10:11:20.000000000 +0100
@@ -94,6 +94,8 @@
         val <<= 7;
         val |= buf[n] & 0x7f;
       }
+    if (val < 80)
+      goto badoid;
     val -= 80;
     sprintf (p, "2.%lu", val);
     p += strlen (p);
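Review bot: The `val < 80` guard is the right fix for the underflow — with the old code a first subidentifier decoding below 80 wrapped to a value near `ULONG_MAX`, and the resulting 20-digit `2.%lu` is what overran the output buffer (the buffer sizing is above this hunk, so that part is inferred from the NEWS entry) — but the bare constant deserves a comment, e.g. `/* Arc 2 encodes its first subidentifier as 2*40+N; anything smaller cannot be arc 2 and would wrap on the subtraction below.  */`. Separately, the accumulation loop just above (`val <<= 7; val |= buf[n] & 0x7f;`) places no bound on the number of continuation bytes, so an over-long encoding can still wrap `val` silently on its way here; that is a robustness gap rather than the memory-safety bug fixed by this release. ksba_oid_to_str starts outside the hunk.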
diff -Nru libksba-1.3.1/tests/Makefile.am libksba-1.3.2/tests/Makefile.am
--- libksba-1.3.1/tests/Makefile.am	2014-07-22 09:24:19.000000000 +0200
+++ libksba-1.3.2/tests/Makefile.am	2014-11-25 09:30:20.000000000 +0100
@@ -39,13 +39,13 @@
 BUILT_SOURCES = oidtranstbl.h
 CLEANFILES = oidtranstbl.h
 
-TESTS = cert-basic t-crl-parser t-dnparser
+TESTS = cert-basic t-crl-parser t-dnparser t-oid
 
 AM_CFLAGS = $(GPG_ERROR_CFLAGS)
 AM_LDFLAGS = -no-install
 
 noinst_HEADERS = t-common.h
-noinst_PROGRAMS = $(TESTS) t-cms-parser t-crl-parser t-dnparser t-ocsp t-oid
+noinst_PROGRAMS = $(TESTS) t-cms-parser t-crl-parser t-dnparser t-ocsp
 LDADD = ../src/libksba.la $(GPG_ERROR_LIBS)
 
 t_ocsp_SOURCES = t-ocsp.c sha1.c
@@ -59,6 +59,6 @@
         for i in /etc/dumpasn1 /usr/local/bin /usr/local/share /usr/bin \
                  /usr/share ; do \
           if test -f $$i/dumpasn1.cfg; then f=$$i/dumpasn1.cfg; break; fi; \
-        done; $(AWK) -f $(srcdir)/mkoidtbl.awk $$f >$@
+        done; tr -d '\r' <$$f | $(AWK) -f $(srcdir)/mkoidtbl.awk >$@
 
 LOG_COMPILER = $(VALGRIND)
diff -Nru libksba-1.3.1/tests/Makefile.in libksba-1.3.2/tests/Makefile.in
diff -Nru libksba-1.3.1/tests/t-dnparser.c libksba-1.3.2/tests/t-dnparser.c
--- libksba-1.3.1/tests/t-dnparser.c	2014-04-15 22:11:42.000000000 +0200
+++ libksba-1.3.2/tests/t-dnparser.c	2014-11-25 10:16:43.000000000 +0100
@@ -143,7 +143,7 @@
       if (!feof (stdin))
         fail ("read error or input too large");
 
-      fail ("no yet implemented");
+      fail ("not yet implemented");
 
     }
   else if (argc == 2 && !strcmp (argv[1], "--to-der") )
diff -Nru libksba-1.3.1/tests/t-oid.c libksba-1.3.2/tests/t-oid.c
--- libksba-1.3.1/tests/t-oid.c	2013-03-15 20:26:38.000000000 +0100
+++ libksba-1.3.2/tests/t-oid.c	2014-11-25 11:36:11.000000000 +0100
@@ -27,6 +27,9 @@
 
 #include "../src/ksba.h"
 
+#define PGM "t-oid"
+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
+
 
 static void *
 read_into_buffer (FILE *fp, size_t *r_length)
@@ -68,23 +71,104 @@
 }
 
 
+static void
+test_oid_to_str (void)
+{
+  struct {
+    unsigned int binlen;
+    unsigned char *bin;
+    char *str;
+  } tests[] = {
+
+    {  7, "\x02\x82\x06\x01\x0A\x0C\x00",
+       "0.2.262.1.10.12.0"
+    },
+    {  7, "\x02\x82\x06\x01\x0A\x0C\x01",
+       "0.2.262.1.10.12.1"
+    },
+    {  7, "\x2A\x86\x48\xCE\x38\x04\x01",
+       "1.2.840.10040.4.1"
+    },
+    {  7, "\x2A\x86\x48\xCE\x38\x04\x03",
+       "1.2.840.10040.4.3"
+    },
+    { 10, "\x2B\x06\x01\x04\x01\xDA\x47\x02\x01\x01",
+      "1.3.6.1.4.1.11591.2.1.1"
+    },
+    {  3, "\x55\x1D\x0E",
+       "2.5.29.14"
+    },
+    {  9, "\x80\x02\x70\x50\x25\x46\xfd\x0c\xc0",
+       BADOID
+    },
+    {  1, "\x80",
+       BADOID
+    },
+    {  2, "\x81\x00",
+       "2.48"
+    },
+    {  2, "\x81\x01",
+       "2.49"
+    },
+    {  2, "\x81\x7f",
+       "2.175"
+    },
+    {  2, "\x81\x80",  /* legal encoding? */
+       "2.48"
+    },
+    {  2, "\x81\x81\x01",  /* legal encoding? */
+       "2.49"
+    },
+    {  0, "",
+       ""
+    },
+
+    { 0, NULL, NULL }
+  };
+  int tidx;
+  char *str;
+
+  for (tidx=0; tests[tidx].bin; tidx++)
+    {
+      str = ksba_oid_to_str (tests[tidx].bin, tests[tidx].binlen);
+      if (!str)
+        {
+          perror ("ksba_oid_to_str failed");
+          exit (1);
+        }
+      if (strcmp (tests[tidx].str, str))
+        {
+          fprintf (stderr, "ksba_oid_to_str test %d failed\n", tidx);
+          fprintf (stderr, "  got=%s\n", str);
+          fprintf (stderr, " want=%s\n", tests[tidx].str);
+          exit (1);
+        }
+    }
+}
+
 
 int
 main (int argc, char **argv)
 {
   gpg_error_t err;
+
   if (argc)
     {
       argc--;
       argv++;
     }
 
-  if (argc)
+
+  if (!argc)
+    {
+      test_oid_to_str ();
+    }
+  else if (!strcmp (*argv, "--from-str"))
     {
       unsigned char *buffer;
       size_t n, buflen;
 
-      for ( ;argc ; argc--, argv++)
+      for (argv++,argc-- ; argc; argc--, argv++)
         {
           err = ksba_oid_from_str (*argv, &buffer, &buflen);
           if (err)
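Review bot: The `"\x81\x81\x01"` case is declared with `binlen` 2, so its third byte is never passed to ksba_oid_to_str and it exercises exactly the same input shape as the `"\x81\x80"` case: a final byte with the continuation bit set, i.e. a truncated encoding. The expected strings "2.48"/"2.49" therefore pin down that truncated input is accepted, which the "legal encoding?" comments suggest was not a deliberate decision; either expect BADOID for both or replace the comment with one stating that a dangling continuation byte is tolerated on purpose. Two small things in the loop: `str` is never freed (`free (str);` after the strcmp block), and initialising `unsigned char *bin` from string literals and then passing it where the `--to-str` branch passes a `char *` is an incompatible-pointer conversion gcc warns about — `const char *bin` matches both the literals and the call.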
@@ -100,18 +184,25 @@
           free (buffer);
         }
     }
-  else
+  else if (!strcmp (*argv, "--to-str"))
     {
       char *buffer;
       size_t buflen;
       char *result;
 
+      argv++;argc--;
+
       buffer = read_into_buffer (stdin, &buflen);
       result = ksba_oid_to_str (buffer, buflen);
       free (buffer);
       printf ("%s\n", result? result:"[malloc failed]");
       free (result);
     }
+  else
+    {
+      fputs ("usage: "PGM" [--from-str|--to-str]\n", stderr);
+      return 1;
+    }
 
   return 0;
 }
diff -Nru libksba-1.3.1/VERSION libksba-1.3.2/VERSION
--- libksba-1.3.1/VERSION	2014-09-18 09:35:35.000000000 +0200
+++ libksba-1.3.2/VERSION	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-1.3.1

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
On 2014-11-26 19:04, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package libksba 1.3.2-1 which fixes CVE-2014-9087, a
> buffer overflow.
> <http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html>
> 
> Upstream has specifically released 1.3.2 to fix this single bug.
> 
> unblock libksba/1.3.2-1
> 
> Find attached the filtered debdiff[1]
> 
> thanks, cu Andreas
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
