[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#914032: marked as done (stretch-pu: package gnupg2/2.1.18-8~deb9u4)

Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <1550316993.21192.50.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #914032,
regarding stretch-pu: package gnupg2/2.1.18-8~deb9u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
914032: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914032
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
Control: affects -1 src:gnupg2
Control: block 913614 by -1

When fixing #906545 (GnuPG rejects some malformed keys during import
instead of cleaning), i inadvertently introduced #913614 (GnuPG fails to
import keys when no TTY attached and --batch is not specified) into
debian stable.

This slipped through because there was no test for this particular use
case :( GnuPG upstream has stated that all automated/scripted use (the
typical situation where no TTY is present) should always specify
--batch, therefore the specific use case is considered out of scope,
despite apparently being widely used in places like docker scripts
without --batch.

The attached patch to the gnupg2 packaging in stable resolves #913614
without re-breaking #906545, and also introduces a test for the specific
use case for #913614.  The test should run both at build time and with
the autopkgtest suite.

Adrian Bunk tagged #913614 as severity serious, making it RC critical.
If we want to resolve the RC bug in debian stretch, then we need to use
something like the attached debdiff as gnupg2/2.1.18-8~deb9u4.
Alternately, if this is not RC-critical, then the bug report should have
its severity reduced.

Please let me know if you want me to go ahead with the upload, or if you
would like to see anything else addressed.  Apologies for the hassle.

Regards,

        --dkg


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


diff -Nru gnupg2-2.1.18/debian/changelog gnupg2-2.1.18/debian/changelog
--- gnupg2-2.1.18/debian/changelog	2018-10-05 16:43:38.000000000 -0400
+++ gnupg2-2.1.18/debian/changelog	2018-11-18 12:20:52.000000000 -0500
@@ -1,3 +1,9 @@
+gnupg2 (2.1.18-8~deb9u4) stretch; urgency=medium
+
+  * Avoid crash when importing without a TTY (closes #913614)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sun, 18 Nov 2018 12:20:52 -0500
+
 gnupg2 (2.1.18-8~deb9u3) stretch; urgency=medium
 
   * block trivial access to scdaemon memory (Closes: #878952)
diff -Nru gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch
--- gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch	1969-12-31 19:00:00.000000000 -0500
+++ gnupg2-2.1.18/debian/patches/0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch	2018-11-16 00:45:16.000000000 -0500
@@ -0,0 +1,200 @@
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 15 Nov 2018 18:24:56 -0500
+Subject: gpg: Avoid superfluous sig check info during import.
+
+* g10/key-check.c (print_info): New.
+(key_check_all_keysigs): Print sig checking results only in debug
+mode.  Prettify the stats info and suppress them in quiet mode.
+
+--
+
+This also makes usable stats by prefixing them with the key and the
+program name.
+
+GnuPG-bug-id: 3397
+Signed-off-by: Werner Koch <wk@gnupg.org>
+
+(cherry-picked/backported from upstream
+84af859e391a757877c9a1d78e35face983e6d23 by dkg)
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/keyedit.c | 133 +++++++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 95 insertions(+), 38 deletions(-)
+
+diff --git a/g10/keyedit.c b/g10/keyedit.c
+index 3d6c5d4c4..bdeb251f9 100644
+--- a/g10/keyedit.c
++++ b/g10/keyedit.c
+@@ -329,6 +329,26 @@ print_and_check_one_sig (KBNODE keyblock, KBNODE node,
+ }
+ 
+ 
++/* Print PREFIX followed by TEXT.  With mode > 0 use log_info, with
++ * mode < 0 use ttyio, else print to stdout.  If TEXT is not NULL, it
++ * may be modified by this function.  */
++static void
++print_info (int mode, const char *prefix, char *text)
++{
++  char *p;
++
++  if (!text)
++    text = "";
++  else if ((p = strchr (text,'\n')))
++    *p = 0; /* Strip LF.  */
++
++   if (mode > 0)
++     log_info ("%s %s\n", prefix, text);
++   else
++     tty_fprintf (mode? NULL:es_stdout, "%s %s\n", prefix, text);
++}
++
++
+ 
+ /* Order two signatures.  The actual ordering isn't important.  Our
+    goal is to ensure that identical signatures occur together.  */
+@@ -766,8 +786,9 @@ check_all_keysigs (KBNODE kb, int only_selected, int only_selfsigs)
+                   has_selfsig = 1;
+               }
+ 
+-            if ((n2 && n2 != last_printed_component)
+-                || (! n2 && last_printed_component != current_component))
++            if (DBG_PACKET
++                && ((n2 && n2 != last_printed_component)
++                    || (! n2 && last_printed_component != current_component)))
+               {
+                 int is_reordered = n2 && n2 != current_component;
+                 if (n2)
+@@ -779,31 +800,32 @@ check_all_keysigs (KBNODE kb, int only_selected, int only_selfsigs)
+                   ;
+                 else if (last_printed_component->pkt->pkttype == PKT_USER_ID)
+                   {
+-                    tty_printf ("uid  ");
+-                    tty_print_utf8_string (last_printed_component
+-                                           ->pkt->pkt.user_id->name,
+-                                           last_printed_component
+-                                           ->pkt->pkt.user_id->len);
++                    log_debug ("uid  ");
++                    print_utf8_buffer (log_get_stream (),
++                                       last_printed_component
++                                       ->pkt->pkt.user_id->name,
++                                       last_printed_component
++                                       ->pkt->pkt.user_id->len);
++                    log_flush ();
+                   }
+                 else if (last_printed_component->pkt->pkttype
+                          == PKT_PUBLIC_KEY)
+-                  tty_printf ("pub  %s",
+-                              pk_keyid_str (last_printed_component
+-                                            ->pkt->pkt.public_key));
++                  log_debug ("pub  %s",
++                             pk_keyid_str (last_printed_component
++                                           ->pkt->pkt.public_key));
+                 else
+-                  tty_printf ("sub  %s",
+-                              pk_keyid_str (last_printed_component
+-                                            ->pkt->pkt.public_key));
++                  log_debug ("sub  %s",
++                             pk_keyid_str (last_printed_component
++                                           ->pkt->pkt.public_key));
+ 
+                 if (modified)
+                   {
+                     if (is_reordered)
+-                      tty_printf (_(" (reordered signatures follow)"));
+-                    tty_printf ("\n");
++                      log_debug ("%s\n", _(" (reordered signatures follow)"));
+                   }
+               }
+ 
+-            if (modified)
++            if (DBG_PACKET && modified)
+               print_one_sig (rc, kb, n, NULL, NULL, NULL, has_selfsig,
+                              0, only_selfsigs);
+           }
+@@ -910,28 +932,63 @@ check_all_keysigs (KBNODE kb, int only_selected, int only_selfsigs)
+       }
+   }
+ 
+-  if (dups || missing_issuer || bad_signature || reordered)
+-    tty_printf (_("key %s:\n"), pk_keyid_str (pk));
+-
+-  if (dups)
+-    tty_printf (ngettext ("%d duplicate signature removed\n",
+-                          "%d duplicate signatures removed\n", dups), dups);
+-  if (missing_issuer)
+-    tty_printf (ngettext ("%d signature not checked due to a missing key\n",
+-                          "%d signatures not checked due to missing keys\n",
+-                          missing_issuer), missing_issuer);
+-  if (bad_signature)
+-    tty_printf (ngettext ("%d bad signature\n",
+-                          "%d bad signatures\n",
+-                          bad_signature), bad_signature);
+-  if (reordered)
+-    tty_printf (ngettext ("%d signature reordered\n",
+-                          "%d signatures reordered\n",
+-                          reordered), reordered);
+-
+-  if (only_selfsigs && (bad_signature || reordered))
+-    tty_printf (_("Warning: errors found and only checked self-signatures,"
+-                  " run '%s' to check all signatures.\n"), "check");
++  if (!opt.quiet)
++    {
++      char prefix[100];
++      char *p;
++      int mode = 1;
++
++      /* To avoid string changes in 2.2 we strip the LF here. */
++      snprintf (prefix, sizeof prefix, _("key %s:\n"), pk_keyid_str (pk));
++      p = strrchr (prefix, '\n');
++      if (p)
++        *p = 0;
++
++      if (dups)
++        {
++          p = xtryasprintf
++            (ngettext ("%d duplicate signature removed\n",
++                       "%d duplicate signatures removed\n", dups), dups);
++          print_info (mode, prefix, p);
++          xfree (p);
++        }
++
++      if (missing_issuer)
++        {
++          p = xtryasprintf
++            (ngettext ("%d signature not checked due to a missing key\n",
++                       "%d signatures not checked due to missing keys\n",
++                       missing_issuer), missing_issuer);
++          print_info (mode, prefix, p);
++          xfree (p);
++        }
++      if (bad_signature)
++        {
++          p = xtryasprintf (ngettext ("%d bad signature\n",
++                                      "%d bad signatures\n",
++                                      bad_signature), bad_signature);
++          print_info (mode, prefix, p);
++          xfree (p);
++        }
++
++      if (reordered)
++        {
++          p = xtryasprintf (ngettext ("%d signature reordered\n",
++                                      "%d signatures reordered\n",
++                                      reordered), reordered);
++          print_info (mode, prefix, p);
++          xfree (p);
++        }
++
++      if (only_selfsigs && (bad_signature || reordered))
++        {
++          p = xtryasprintf
++            (_("Warning: errors found and only checked self-signatures,"
++               " run '%s' to check all signatures.\n"), "check");
++          print_info (mode, prefix, p);
++          xfree (p);
++        }
++    }
+ 
+   return modified;
+ }
diff -Nru gnupg2-2.1.18/debian/patches/series gnupg2-2.1.18/debian/patches/series
--- gnupg2-2.1.18/debian/patches/series	2018-10-05 16:43:38.000000000 -0400
+++ gnupg2-2.1.18/debian/patches/series	2018-11-16 00:45:16.000000000 -0500
@@ -91,3 +91,4 @@
 0091-gpg-Make-dry-run-work-for-secret-keys.patch
 0092-gpg-Print-sec-sbb-with-import-option-import-show-or-.patch
 0093-gpg-Check-and-fix-keys-on-import.patch
+0094-gpg-Avoid-superfluous-sig-check-info-during-import.patch
diff -Nru gnupg2-2.1.18/debian/rules gnupg2-2.1.18/debian/rules
--- gnupg2-2.1.18/debian/rules	2018-10-02 20:58:32.000000000 -0400
+++ gnupg2-2.1.18/debian/rules	2018-11-18 09:24:58.000000000 -0500
@@ -65,3 +65,9 @@
 # Make ldap a recommends rather than a hard dependency.
 	dpkg-shlibdeps -Tdebian/dirmngr.substvars -dRecommends debian/dirmngr/usr/lib/gnupg/dirmngr_ldap -dDepends debian/dirmngr/usr/bin/dirmngr*
 	dh_shlibdeps -Ndirmngr
+
+override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+	dh_auto_test --builddirectory=build
+	GPG=build/g10/gpg debian/tests/no-tty
+endif
diff -Nru gnupg2-2.1.18/debian/tests/control gnupg2-2.1.18/debian/tests/control
--- gnupg2-2.1.18/debian/tests/control	2018-10-02 20:58:32.000000000 -0400
+++ gnupg2-2.1.18/debian/tests/control	2018-11-16 00:45:16.000000000 -0500
@@ -1,3 +1,7 @@
 Tests: gpgv-win32
 Depends: gpgv-win32, gnupg2, gpgv2
 Restrictions: needs-root, allow-stderr
+
+Tests: no-tty
+Depends: gpg
+Restrictions: allow-stderr
diff -Nru gnupg2-2.1.18/debian/tests/linus.key gnupg2-2.1.18/debian/tests/linus.key
--- gnupg2-2.1.18/debian/tests/linus.key	1969-12-31 19:00:00.000000000 -0500
+++ gnupg2-2.1.18/debian/tests/linus.key	2018-11-16 00:45:16.000000000 -0500
@@ -0,0 +1,47 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBE55CJIBCACkn+aOLmsaq1ejUcXCAOXkO3w7eiLqjR/ziTL2KZ30p7bxP8cT
+UXvfM7fwE7EnqCCkji25x2xsoKXB8AlUswIEYUFCOupj2BOsVmJ/rKZW7fCvKTOK
++BguKjebDxNbgmif39bfSnHDWrW832f5HrYmZn7a/VySDQFdul8Gl/R6gs6PHJbg
+jjt+K7Px6cQVMVNvY/VBWdvA1zckO/4h6gf3kWWZN+Wlq8wv/pxft8QzNFgweH9o
+5bj4tnQ+wMCLCLiDsgEuVawoOAkg3dRMugIUoiKoBKw7b21q9Vjp4jezRvciC6Ys
+4kGUSFG1ZjIn3MpY3f3xZ3yuYwrxQ8JcA7KTABEBAAGIeQQTFggAIRYhBCPJPAso
+64wfaAYn4W1XDDyBEWM0BQJaNu6QAwUBeAAKCRBtVww8gRFjNBmuAQDjEE9X0jgG
+PnWFDdlIfKX0+X8CA/TTYamGPy6dqS7BKwEAy9odyw6nzohBBBx86HiY7yKySXjy
+7LJwgun2gtMf0giIeQQTFggAIRYhBCPJPAso64wfaAYn4W1XDDyBEWM0BQJaNvA+
+AwUBeAAKCRBtVww8gRFjNNlSAQDVCjzc/lbaWRdMx0f9HtNOXDq/4wHh10gWEaH/
+IlXhaQD+O6lRk+8Tbj/x3qeYL65z1BdP8s/SHkZ695nKKnlMdwqIowQRFgoASxYh
+BOU7YErdNopTm7nrM6oU6WIA9eAGBQJZumaILRpodHRwOi8vZm94Y3BwLmR1Y2tk
+bnMub3JnL3BncC1rZXktcG9saWN5LnR4dAAKCRCqFOliAPXgBllsAP9wkYbtcjsg
+VVPm1dJHOp3GLupyNkvfjsuG39HxNEQ70wD/dMYqhcsDTyAdorE2c4aX6kiWDDAY
+dWiidvBGO3fxSQu0JExpbnVzIFRvcnZhbGRzIDx0b3J2YWxkc0BrZXJuZWwub3Jn
+PokBTgQTAQgAOBYhBKuvEcZaKXCxMKvjxHm+PkMAQRiGBQJaHxkTAhsDBQsJCAcC
+BhUICQoLAgQWAgMBAh4BAheAAAoJEHm+PkMAQRiGzMcH/ieyxrsHR0ng3pi+qy1/
+sLiTT4WEBN53+1FsGWdP6/DCD3sprFdWDkkBDfh9vPCVzPqX7siZMJxw3+wOfjNn
+GBRiGj7mTE/1XeXJHDwFRyBEVa/bY8ExLKbvBf+xpiWOg2Myj5RYaOUBFbOEtfTP
+ob0FtvfZvK3PXkjODTHhDH7QJT2zNPivHG+ER5VyF1yJEpl10rDTM91NhEeV0n4w
+pfZkgL8a3JSzo9H2AJX3y35+Dk9wtNge440ZSVWAnjwxhBLX2R0LUszRhU925c0v
+P2l20eFncBmAT0NKpn7v9a670WHv45PluG+SKKktf6b5/BtfqpC3eV58I6FEtSVp
+M1u5AQ0ETnkIkgEIAN+ybgD0IlgKRPJ3eksafd+KORseBWwxUy3GH0yAg/4jZCsf
+HZ7jpbRKzxNTKW1kE6ClSqehUsuXT5Vc1eh6079erN3y+JNxl6zZPC9v+5GNyc28
+qSfNejt4wmwa/y86T7oQfgo77o8Gu/aO/xzOjw7jSDDR3u9p/hFVtsqzptxZzvs3
+hVaiLS+0mar9qYZheaCUqOXOKVo38Vg5gkOhMEwKvZs9x3fINU/t8ckxOHq6KiLa
+p5Bq87XP0ZJsCaMBwdLYhOFxAiEVtlzwyo3DvMplIahqqNELb71YDhpMq/Hu+42o
+R3pqASCPLfO/0GUSdAGXJVhv7L7ng02ETSBmVOUAEQEAAYh5BBMWCAAhFiEEI8k8
+CyjrjB9oBifhbVcMPIERYzQFAlo27pADBQF4AAoJEG1XDDyBEWM0Ga4BAOMQT1fS
+OAY+dYUN2Uh8pfT5fwID9NNhqYY/Lp2pLsErAQDL2h3LDqfOiEEEHHzoeJjvIrJJ
+ePLssnCC6faC0x/SCIh5BBMWCAAhFiEEI8k8CyjrjB9oBifhbVcMPIERYzQFAlo2
+8D4DBQF4AAoJEG1XDDyBEWM02VIBANUKPNz+VtpZF0zHR/0e005cOr/jAeHXSBYR
+of8iVeFpAP47qVGT7xNuP/Hep5gvrnPUF0/yz9IeRnr3mcoqeUx3CoijBBEWCgBL
+FiEE5TtgSt02ilObueszqhTpYgD14AYFAlm6ZogtGmh0dHA6Ly9mb3hjcHAuZHVj
+a2Rucy5vcmcvcGdwLWtleS1wb2xpY3kudHh0AAoJEKoU6WIA9eAGWWwA/3CRhu1y
+OyBVU+bV0kc6ncYu6nI2S9+Oy4bf0fE0RDvTAP90xiqFywNPIB2isTZzhpfqSJYM
+MBh1aKJ28EY7d/FJC4kBHwQYAQIACQUCTnkIkgIbDAAKCRB5vj5DAEEYhuobB/9F
+i1GVG5qnPq14S0WKYEW3N891L37LaXmDh977r/j2dyZOoYIiV4rx6a6urhq9Ubcg
+Nw/ke01TNM4y7EhW/lFnxJQXSMjdsXGcb9HwUevDk2FMV1h9gkHLlqRUlTpjVdQw
+TB9wMd4bWhZsxybTnGh6o8dCwBEaGNsHsSBYO81OXrTE/fcZEgKCeKW2xdKRiazu
+6Mu5WLU6gBy2nOc6oL2zKJZjACfllQzBx5+6z2N4Sj0JBOobz4RR2JLElMEckMbd
+qbIS+c+n02ItMmCORgakf74k+TEbaZx3ZTVHnhvqQqanZz1i4I5IwHJxkUsYLddg
+YrylZH+MwNDlB5u3I138
+=SIhC
+-----END PGP PUBLIC KEY BLOCK-----
diff -Nru gnupg2-2.1.18/debian/tests/no-tty gnupg2-2.1.18/debian/tests/no-tty
--- gnupg2-2.1.18/debian/tests/no-tty	1969-12-31 19:00:00.000000000 -0500
+++ gnupg2-2.1.18/debian/tests/no-tty	2018-11-16 00:45:16.000000000 -0500
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+# Ensure that import works fine without a tty (see
+# https://bugs.debian.org/913614)
+
+set -e
+GPG=${GPG:-gpg}
+export GNUPGHOME="$(mktemp -d)"
+
+cleanup() {
+    rm -rf "$GNUPGHOME"
+}
+trap cleanup EXIT
+
+setsid -w "$GPG" --import debian/tests/linus.key

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 9.8

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
Reply to: