Message-Id: <200703061344.l26Di8Lc013922@wilma.widomaker.com>
Date: Tue, 6 Mar 2007 08:44:08 -0500 (EST)
From: Jason Harris <jharris@widomaker.com>
Reply-To: Jason Harris <jharris@widomaker.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Jason Harris <jharris@widomaker.com>
Subject: ports/security/gnupg1 -> 1.4.7
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         109992
>Category:       ports
>Synopsis:       ports/security/gnupg1 -> 1.4.7
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kuriyama
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 06 13:50:05 GMT 2007
>Closed-Date:    Tue Mar 06 13:59:35 GMT 2007
>Last-Modified:  Tue Mar 06 13:59:35 GMT 2007
>Originator:     Jason Harris
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
N/A
>Environment:
System: FreeBSD 6.2-STABLE i386

>Description:
	Update ports/security/gnupg1 to 1.4.7 to work around a possible
	security hole.  From ./NEWS:

          * By default, do not allow processing multiple plaintexts in a
            single stream.  Many programs that called GnuPG were assuming
            that GnuPG did not permit this, and were thus not using the
            plaintext boundary status tags that GnuPG provides.  This change
            makes GnuPG reject such messages by default which makes those
            programs safe again.  --allow-multiple-messages returns to the
            old behavior.

>How-To-Repeat:
	Apply patch below.
	NB:  "cvs rm files/patch-configure"
>Fix:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

cvs server: Diffing .
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/Makefile,v
retrieving revision 1.92
diff -u -r1.92 Makefile
--- Makefile	25 Dec 2006 03:48:59 -0000	1.92
+++ Makefile	6 Mar 2007 13:37:00 -0000
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	gnupg
-PORTVERSION=	1.4.6
-PORTREVISION=	3
+PORTVERSION=	1.4.7
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GNUPG}
 MASTER_SITE_SUBDIR=	gnupg
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/distinfo,v
retrieving revision 1.39
diff -u -r1.39 distinfo
--- distinfo	9 Dec 2006 08:36:47 -0000	1.39
+++ distinfo	6 Mar 2007 13:37:00 -0000
@@ -1,6 +1,15 @@
-MD5 (gnupg-1.4.6.tar.bz2) = ec8dc6df1bd83c1d7e1a1ea10653f9f4
-SHA256 (gnupg-1.4.6.tar.bz2) = fd5a72418e55669b88076c2a6f11c3a59bf92a2071008567e65ae12b7372008e
-SIZE (gnupg-1.4.6.tar.bz2) = 3149454
-MD5 (gnupg-1.4.6.tar.bz2.sig) = 8b905292140d60fe493fab7d5b22c96d
-SHA256 (gnupg-1.4.6.tar.bz2.sig) = fb9294762932b34f2fd5a4b168f4c3a248aa7403c2aed8bffa5f67274b1b052d
-SIZE (gnupg-1.4.6.tar.bz2.sig) = 158
+MD5 (gnupg-1.4.7.tar.bz2) = b06a141cca5cd1a55bbdd25ab833303c
+SHA1 (gnupg-1.4.7.tar.bz2) = 22149105845c79068771837c8deb7d5ba0854927
+RMD160 (gnupg-1.4.7.tar.bz2) = 630344c99834cf9adcf806d55e6f609a1e50bd8b
+SHA256 (gnupg-1.4.7.tar.bz2) = 69d18b7d193f62ca27ed4febcb4c9044aa0c95305d3258fe902e2fae5fc6468d
+SIZE (gnupg-1.4.7.tar.bz2) = 3200642
+MD5 (gnupg-1.4.7.tar.bz2.sig) = 5430887043170806eb93f018e4236972
+SHA1 (gnupg-1.4.7.tar.bz2.sig) = a6db75da64c4e23b687147aa7d01f2085b2cf861
+RMD160 (gnupg-1.4.7.tar.bz2.sig) = 102323c28a41a7a2fcc479fc06ba98137e037baa
+SHA256 (gnupg-1.4.7.tar.bz2.sig) = e730e980840d3b97220e4393539de67c7647d9e9eac9d22f11f24ba7e874c18c
+SIZE (gnupg-1.4.7.tar.bz2.sig) = 158
+MD5 (gnupg-1.4.7.tar.bz2.sig) = 5430887043170806eb93f018e4236972
+SHA1 (gnupg-1.4.7.tar.bz2.sig) = a6db75da64c4e23b687147aa7d01f2085b2cf861
+RMD160 (gnupg-1.4.7.tar.bz2.sig) = 102323c28a41a7a2fcc479fc06ba98137e037baa
+SHA256 (gnupg-1.4.7.tar.bz2.sig) = e730e980840d3b97220e4393539de67c7647d9e9eac9d22f11f24ba7e874c18c
+SIZE (gnupg-1.4.7.tar.bz2.sig) = 158
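Review bot: The five gnupg-1.4.7.tar.bz2.sig entries (MD5, SHA1, RMD160, SHA256, SIZE) are added twice at the end of this hunk with identical values. Drop the second set so distinfo carries one entry per algorithm per file; the hunk would then add 10 lines rather than the 15 its header declares. The 1.4.6 entries carried only MD5, SHA256 and SIZE, so it is also worth confirming that adding SHA1 and RMD160 is intended for this port.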
cvs server: Diffing files
Index: files/patch-configure
===================================================================
RCS file: /home/ncvs/ports/security/gnupg1/files/Attic/patch-configure,v
retrieving revision 1.5
diff -u -r1.5 patch-configure
--- files/patch-configure	9 Dec 2006 08:36:48 -0000	1.5
+++ files/patch-configure	6 Mar 2007 13:37:01 -0000
@@ -1,10 +0,0 @@
---- configure.orig	Fri Dec  8 17:02:30 2006
-+++ configure	Fri Dec  8 17:02:52 2006
-@@ -27251,6 +27251,7 @@
- exec_prefix=$exec_prefix
- libdir=$libdir
- libexecdir=$libexecdir
-+datarootdir=$datarootdir
- datadir=$datadir
- DATADIRNAME=$DATADIRNAME
- 
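Review bot: Removing files/patch-configure drops the local "datarootdir=$datarootdir" line that this port was adding to configure, and nothing in the patch shows that the 1.4.7 configure script now sets it itself; please confirm that against the new tarball before committing. The diff also leaves the file at zero length (@@ -1,10 +0,0 @@) rather than removing it, so the commit depends on the "cvs rm files/patch-configure" step that is only mentioned under How-To-Repeat.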
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

-----END PGP SIGNATURE-----
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->kuriyama 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Tue Mar 6 13:50:37 UTC 2007 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=109992 
State-Changed-From-To: open->closed 
State-Changed-By: kuriyama 
State-Changed-When: Tue Mar 6 13:58:45 UTC 2007 
State-Changed-Why:  
Thanks, but I've already committed. :-) 

>Unformatted:
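Added example, not part of the original PR or of GnuPG: the NEWS entry quoted under Description refers to the plaintext boundary status tags that calling programs were not using. The sketch below shows one way a caller could check them in gpg's --status-fd output. The function names, the pinned fingerprint and the sample status lines are constructed for illustration, and the policy (exactly one PLAINTEXT and one VALIDSIG from the expected key) is an assumption.

```python
# Added illustration: the status lines below are constructed samples,
# not output captured from a real gpg run.
PREFIX = "[GNUPG:] "

def parse_status(lines):
    """Return [(keyword, [args...])] for every GnuPG status line."""
    events = []
    for raw in lines:
        line = raw.strip()
        if line.startswith(PREFIX):
            keyword, *args = line[len(PREFIX):].split()
            events.append((keyword, args))
    return events

def verdict(lines, expected_fpr):
    """Accept only a single plaintext with one valid signature from expected_fpr."""
    events = parse_status(lines)
    plaintexts = [args for kw, args in events if kw == "PLAINTEXT"]
    valid = [args for kw, args in events if kw == "VALIDSIG"]
    bad = [kw for kw, _ in events if kw in ("BADSIG", "ERRSIG", "NODATA")]
    # More than one PLAINTEXT tag means the stream carried several
    # plaintexts, and the signature does not cover all of the output.
    if len(plaintexts) != 1:
        return (False, "expected 1 plaintext, saw %d" % len(plaintexts))
    if bad:
        return (False, "signature problem: " + bad[0])
    if len(valid) != 1 or valid[0][:1] != [expected_fpr]:
        return (False, "no single VALIDSIG from expected key")
    return (True, "ok")

# Constructed fingerprint and status streams (hypothetical values).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SIGNED_ONLY = [
    "[GNUPG:] PLAINTEXT 62 1173188648 ",
    "[GNUPG:] PLAINTEXT_LENGTH 12",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed User <user@example.org>",
    "[GNUPG:] VALIDSIG " + FPR + " 2007-03-06 1173188648 0 4 0 17 2 00 " + FPR,
]
# Same stream with an extra, unsigned plaintext placed in front of it.
TWO_PLAINTEXTS = [
    "[GNUPG:] PLAINTEXT 62 0 ",
    "[GNUPG:] PLAINTEXT_LENGTH 20",
] + SIGNED_ONLY

if __name__ == "__main__":
    print(verdict(SIGNED_ONLY, FPR))
    print(verdict(TWO_PLAINTEXTS, FPR))
```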
