diff --git a/files/security/cve-2018-12356.patch b/files/security/cve-2018-12356.patch
deleted file mode 100644
--- a/files/security/cve-2018-12356.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 8683403b77f59c56fcb1f05c61ab33b9fd61a30d Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld"
-Date: Thu, 14 Jun 2018 15:05:53 +0200
-Subject: Ensure signature regexes are anchored
-
-Fixes CVE-2018-12356.
-
-Reported-by: Marcus Brinkmann
----
- src/password-store.sh | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/password-store.sh b/src/password-store.sh
-index 19b3124..b852d06 100755
---- a/src/password-store.sh
-+++ b/src/password-store.sh
-@@ -1,6 +1,6 @@
- #!/usr/bin/env bash
- 
--# Copyright (C) 2012 - 2017 Jason A. Donenfeld . All Rights Reserved.
-+# Copyright (C) 2012 - 2018 Jason A. Donenfeld . All Rights Reserved.
- # This file is licensed under the GPLv2+. Please see COPYING for more information.
- 
- umask "${PASSWORD_STORE_UMASK:-077}"
-@@ -58,7 +58,7 @@ die() {
- verify_file() {
- [[ -n $PASSWORD_STORE_SIGNING_KEY ]] || return 0
- [[ -f $1.sig ]] || die "Signature for $1 does not exist."
-- local fingerprints="$($GPG $PASSWORD_STORE_GPG_OPTS --verify --status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/\[GNUPG:\] VALIDSIG \([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
-+ local fingerprints="$($GPG $PASSWORD_STORE_GPG_OPTS --verify --status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG \([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
- local fingerprint found=0
- for fingerprint in $PASSWORD_STORE_SIGNING_KEY; do
- [[ $fingerprint =~ ^[A-F0-9]{40}$ ]] || continue
-@@ -123,7 +123,7 @@ reencrypt_path() {
- IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
- unset "GPG_RECIPIENTS[$index]"
- done
-- gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
-+ gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
- fi
- current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"
- 
-@@ -334,7 +334,7 @@ cmd_init() {
- signing_keys+=( --default-key $key )
- done
- $GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --detach-sign "$gpg_id" || die "Could not sign .gpg_id."
-- key="$($GPG --verify --status-fd=1 "$gpg_id.sig" "$gpg_id" 2>/dev/null | sed -n 's/\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p')"
-+ key="$($GPG --verify --status-fd=1 "$gpg_id.sig" "$gpg_id" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p')"
- [[ -n $key ]] || die "Signing of .gpg_id unsuccessful."
- git_add_file "$gpg_id.sig" "Signing new GPG id with ${key//[$IFS]/,}."
- fi
---
-cgit v1.1-37-gf5b9
diff --git a/package.yml b/package.yml
--- a/package.yml
+++ b/package.yml
@@ -1,8 +1,8 @@
 name : password-store
-version : 1.7.1
-release : 8
+version : 1.7.2
+release : 9
 source :
- - https://git.zx2c4.com/password-store/snapshot/password-store-1.7.1.tar.xz : f6d2199593398aaefeaa55e21daddfb7f1073e9e096af6d887126141e99d9869
+ - https://git.zx2c4.com/password-store/snapshot/password-store-1.7.2.tar.xz : 4768c5e1965c4d2aeb28818681e484fb105b6f46cbd75a97608615c4ec6980ea
 license : GPL-2.0
 component : security
 summary : Stores, retrieves, generates, and synchronizes passwords securely.
@@ -13,8 +13,6 @@
 - gnupg
 - tree
 - xclip
-setup : |
- %patch -p1 < $pkgfiles/security/cve-2018-12356.patch
 install : |
 %make_install WITH_BASHCOMP=yes WITH_ZSHCOMP=yes WITH_FISHCOMP=yes
 install -Dm00755 $installdir/usr/bin/pass $installdir/usr/bin/password-store
diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml
--- a/pspec_x86_64.xml
+++ b/pspec_x86_64.xml
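Review bot: Removing the `setup` block that applied `$pkgfiles/security/cve-2018-12356.patch` leaves nothing in package.yml, or in the accompanying history entry ("Packaging update"), recording that the CVE-2018-12356 fix is now expected to come from the 1.7.2 tarball itself; a later audit grepping the recipe for the CVE id will find no trace. Presumably the 1.7.2 snapshot contains upstream commit 8683403b (the body of the deleted patch), but that should be confirmed against the unpacked source rather than assumed from the version bump, since the new sha256 pins the archive, not the presence of the fix. Suggest carrying the reason in the update comment or commit message, e.g. `Update to 1.7.2, which ships the upstream fix for CVE-2018-12356; drop the local patch`, so the security history of the package stays discoverable. The pspec_x86_64.xml section on this page is generated and is not reviewed separately.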
@@ -2,8 +2,8 @@ password-store - Peter O'Connor - peter@solus-project.com + Justin Berthault + justin.berthault@zaclys.net GPL-2.0 security @@ -19,24 +19,27 @@ security - /usr/bin + /usr/bin/pass + /usr/bin/passmenu + /usr/bin/password-store /usr/lib/password-store/extensions /usr/share/bash-completion/completions/pass /usr/share/bash-completion/completions/password-store /usr/share/fish/vendor_completions.d/pass.fish /usr/share/fish/vendor_completions.d/password-store.fish - /usr/share/man + /usr/share/man/man1/pass.1 + /usr/share/man/man1/password-store.1 /usr/share/zsh/site-functions/_pass /usr/share/zsh/site-functions/_password-store - - 2018-06-15 - 1.7.1 + + 2018-06-22 + 1.7.2 Packaging update - Peter O'Connor - peter@solus-project.com + Justin Berthault + justin.berthault@zaclys.net \ No newline at end of file