Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to github.com/mtrmac/gpgme v0.1.2 #827

Merged
merged 3 commits into from
Feb 21, 2020
Merged

Update to github.com/mtrmac/gpgme v0.1.2 #827

merged 3 commits into from
Feb 21, 2020

Conversation

mtrmac
Copy link
Contributor

@mtrmac mtrmac commented Feb 21, 2020

This fixes CVE-2020-8945 by incorporating proglottis/gpgme#23 .

Other changes included by the rebase:

  • Support for gpgme_off_t (~no-op on Linux)
  • Wrapping a few more GPGME functions (irrelevant if we don't call them)

Given how invasive the CVE fix is (affecting basically all binding code), it seems safer to just update the package (and be verifiably equivalent with upstream) than to backport and try to back out the few other changes.

Performed by updating vendor conf,

$ vndr github.com/mtrmac/gpgme

and manually backing out unrelated deletions of files.

mtrmac and others added 3 commits February 21, 2020 14:21
@mtrmac
Update to github.com/mtrmac/gpgme v0.1.2
29835bb 
This fixes CVE-2020-8945 by incorporating proglottis/gpgme#23 .

Other changes included by the rebase:
- Support for gpgme_off_t (~no-op on Linux)
- Wrapping a few more GPGME functions (irrelevant if we don't call them)

Given how invasive the CVE fix is (affecting basically all binding
code), it seems safer to just update the package (and be verifiably
equivalent with upstream) than to backport and try to back out the few
other changes.

Performed by updating vendor conf,
$ vndr github.com/mtrmac/gpgme
and manually backing out unrelated deletions of files.

Signed-off-by: Miloslav Trmač <[email protected]>
@giuseppe @mtrmac
Dockerfile: use golang-github-cpuguy83-go-md2man
77d5469 
the package was renamed on Fedora 31.

Signed-off-by: Giuseppe Scrivano <[email protected]>
@mtrmac
Explicitly disable encrypting test GPG keys
25629ee 
Since GPG 2.1, GPG asks for a passphrase by default; opt out when
generating test keys to avoid
> gpg: agent_genkey failed: No pinentry
> gpg: key generation failed: No pinentry
which happens otherwise (and we can't use an interactive pinentry
in a batch process anyway).

Signed-off-by: Miloslav Trmač <[email protected]>
@TomSweeneyRedHat
Copy link
Member

LGTM

@mtrmac
Copy link
Contributor Author

mtrmac commented Feb 21, 2020

NOTE: This backports test suite changes necessary for recent Fedoras, which may be inappropriate for the RHEL target.

@rhatdan rhatdan merged commit e5c9d57 into containers:release-0.1.32-rhel Feb 21, 2020
@mtrmac mtrmac deleted the gpgme-update-0.1.32 branch February 21, 2020 16:38
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 30, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
locked - please file new issue/PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mtrmac @TomSweeneyRedHat @rhatdan @giuseppe