ed8a3a076d
What's New
===========
* Fixed possible infinite recursion in the compressed packet
parser. [CVE-2013-4402]
* Protect against rogue keyservers sending secret keys.
* Use 2048 bit also as default for batch key generation.
* Minor bug fixes.
Impact of the security problem
==============================
Special crafted input data may be used to cause a denial of service
against GPG (GnuPG's OpenPGP part) and some other OpenPGP
implementations. All systems using GPG to process incoming data are
affected.
Taylor R. Campbell invented a neat trick to generate OpenPGP packages
to force GPG to recursively parse certain parts of OpenPGP messages ad
infinitum. As a workaround a tight "ulimit -v" setting may be used to
mitigate the problem. Sample input data to trigger this problem has
not yet been seen in the wild. Details of the attack will eventually
be published by its inventor.
A fixed release of the GnuPG 2.0 series has also been released.
Signed-off-by: Jack Nagel <jacknagel@gmail.com>
30 lines
892 B
Ruby
30 lines
892 B
Ruby
require 'formula'
|
|
|
|
class Gnupg < Formula
|
|
homepage 'http://www.gnupg.org/'
|
|
url 'ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.15.tar.bz2'
|
|
sha1 '63ebf0ab375150903c65738070e4105200197fd4'
|
|
|
|
option '8192', 'Build with support for private keys of up to 8192 bits'
|
|
|
|
def cflags
|
|
cflags = ENV.cflags.to_s
|
|
cflags += ' -std=gnu89 -fheinous-gnu-extensions' if ENV.compiler == :clang
|
|
cflags
|
|
end
|
|
|
|
def install
|
|
inreplace 'g10/keygen.c', 'max=4096', 'max=8192' if build.include? '8192'
|
|
|
|
system "./configure", "--disable-dependency-tracking",
|
|
"--prefix=#{prefix}",
|
|
"--disable-asm"
|
|
system "make", "CFLAGS=#{cflags}"
|
|
system "make check"
|
|
|
|
# we need to create these directories because the install target has the
|
|
# dependency order wrong
|
|
[bin, libexec/'gnupg'].each(&:mkpath)
|
|
system "make install"
|
|
end
|
|
end
|