gnupg: add patch disallowing compressed signatures and certificates

[stigtsp]

Description of changes

Adds a patch by Demi Marie Obenour that disallows compressed signatures and certificates to prevent DoS attacks.

https://seclists.org/oss-sec/2022/q3/9
https://seclists.org/oss-sec/2022/q3/27

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[vcunat]

This patch broke tests of gpgme and thus many builds.

EDIT: the log is a little messy, so let me post the relevant part:

t-verify:310: Double plaintext message not detected
FAIL: t-verify

[stigtsp]

This patch broke tests of gpgme and thus many builds.

Ok, would need to look into the test and see if it can be skipped. Unfortunately, I can't work on this today :-/

[vcunat]

So, it seems very likely that it's the test's fault, not an oversight in the patch?

[stigtsp]

Yes, i believe so. Have confirmed that the patch fixes the problem described by the author, i.e. rejecting the problematic signature.

[vcunat]

OK, for now: db6b3e0

[vcunat]

Eww, with 1fc7604

[stigtsp]

Hi @DemiMarie! Thx for posting about the recent issues with GnuPG on oss-sec.

Just CCing you on this issue as the patch seems to break tests in gpgme, in case you have any advice if 1fc7604 is reasonable.

[DemiMarie]

Hi @DemiMarie! Thx for posting about the recent issues with GnuPG on oss-sec.

You’re welcome! I should probably fix the cleartext signature case at some point too.

Just CCing you on this issue as the patch seems to break tests in gpgme, in case you have any advice if 1fc7604 is reasonable.

It does look reasonable, but for a security patch a better approach might be to use BAD_DATA instead of UNEXPECTED elsewhere in the code.

[vcunat]

• Another gpgme test regressed on i686-linux (only, so probably not important):

********* Start testing of AddExistingSubkeyJobTest *********
Config: Using QtTest library 5.15.3, Qt 5.15.3 (i386-little_endian-ilp32 shared (dynamic) release build; by GCC 10.4.0), unknown unknown
PASS   : AddExistingSubkeyJobTest::initTestCase()
PASS   : AddExistingSubkeyJobTest::testAddExistingSubkeyAsync()
PASS   : AddExistingSubkeyJobTest::testAddExistingSubkeySync()
FAIL!  : AddExistingSubkeyJobTest::testAddExistingSubkeyWithExpiration() 'result.code() == GPG_ERR_NO_ERROR' returned FALSE. ()
   Loc: [t-addexistingsubkey.cpp(216)]
PASS   : AddExistingSubkeyJobTest::cleanupTestCase()
Totals: 4 passed, 1 failed, 0 skipped, 0 blacklisted, 2058ms
********* Finished testing of AddExistingSubkeyJobTest *********
QTemporaryDir: Unable to remove "/build/t-addexistingsubkey-jLOarG" most likely due to the presence of read-only files.
FAIL: t-addexistingsubkey

https://hydra.nixos.org/log/s58rncd0idgzh5pmk8f6myb83fj471ww-gpgme-1.17.1.drv