Handle modern keyserver output which may emit the fingerprint.

* src/engine-gpg.c (read_colon_line): Split preprocessed lines.
(gpg_keylist_preprocess): Limit keyid field and print fingerprint.

NEWS

@@ -1,5 +1,20 @@
-Noteworthy changes in version 1.4.3 (2013-08-12)
+Noteworthy changes in version 1.4.4 (2014-07-30) [C22/A11/R1]
-------------------------------------------------
+-------------------------------------------------------------
+
+ Backported from 1.5.1:
+
+ * Fixed possible overflow in gpgsm and uiserver engines.
+   [CVE-2014-3564]
+
+ * Fixed possibled segv in gpgme_op_card_edit.
+
+ * Fixed minor memleaks and possible zombie processes.
+
+ * Fixed prototype inconsistencies and void pointer arithmetic.
+
+
+Noteworthy changes in version 1.4.3 (2013-08-12) [C22/A11/R0]
+-------------------------------------------------------------
 
  * The default engine names are now taken from the output of gpgconf.
    If gpgconf is not found the use of gpg 1 is assumed.

configure.ac

@@ -29,7 +29,7 @@ min_automake_version="1.11"
 # for the LT versions.
 m4_define(mym4_version_major, [1])
 m4_define(mym4_version_minor, [4])
-m4_define(mym4_version_micro, [3])
+m4_define(mym4_version_micro, [4])
 
 # Below is m4 magic to extract and compute the revision number, the
 # decimalized short revision number, a beta version string, and a flag
@@ -59,7 +59,7 @@ LIBGPGME_LT_CURRENT=22
 # Subtract 2 from this value if you want to make the LFS transition an
 # ABI break.  [Note to self: Remove this comment with the next regular break.]
 LIBGPGME_LT_AGE=11
-LIBGPGME_LT_REVISION=0
+LIBGPGME_LT_REVISION=1
 
 # If the API is changed in an incompatible way: increment the next counter.
 GPGME_CONFIG_API_VERSION=1

src/edit.c

@@ -143,7 +143,7 @@ gpgme_op_edit_start (gpgme_ctx_t ctx, gpgme_key_t key,
 
   TRACE_BEG5 (DEBUG_CTX, "gpgme_op_edit_start", ctx,
 	      "key=%p (%s), fnc=%p fnc_value=%p, out=%p", key,
-	      (key->subkeys && key->subkeys->fpr) ?
+	      (key && key->subkeys && key->subkeys->fpr) ?
 	      key->subkeys->fpr : "invalid", fnc, fnc_value, out);
 
   if (!ctx)
@@ -164,7 +164,7 @@ gpgme_op_edit (gpgme_ctx_t ctx, gpgme_key_t key,
 
   TRACE_BEG5 (DEBUG_CTX, "gpgme_op_edit", ctx,
 	      "key=%p (%s), fnc=%p fnc_value=%p, out=%p", key,
-	      (key->subkeys && key->subkeys->fpr) ?
+	      (key && key->subkeys && key->subkeys->fpr) ?
 	      key->subkeys->fpr : "invalid", fnc, fnc_value, out);
 
   if (!ctx)
@@ -187,7 +187,7 @@ gpgme_op_card_edit_start (gpgme_ctx_t ctx, gpgme_key_t key,
 
   TRACE_BEG5 (DEBUG_CTX, "gpgme_op_card_edit_start", ctx,
 	      "key=%p (%s), fnc=%p fnc_value=%p, out=%p", key,
-	      (key->subkeys && key->subkeys->fpr) ?
+	      (key && key->subkeys && key->subkeys->fpr) ?
 	      key->subkeys->fpr : "invalid", fnc, fnc_value, out);
 
   if (!ctx)
@@ -208,7 +208,7 @@ gpgme_op_card_edit (gpgme_ctx_t ctx, gpgme_key_t key,
 
   TRACE_BEG5 (DEBUG_CTX, "gpgme_op_card_edit", ctx,
 	      "key=%p (%s), fnc=%p fnc_value=%p, out=%p", key,
-	      (key->subkeys && key->subkeys->fpr) ?
+	      (key && key->subkeys && key->subkeys->fpr) ?
 	      key->subkeys->fpr : "invalid", fnc, fnc_value, out);
 
   if (!ctx)

src/engine-gpg.c

@@ -896,6 +896,10 @@ build_argv (engine_gpg_t gpg)
 					       close_notify_handler,
 					       gpg))
 	      {
+                /* We leak fd_data_map and the fds.  This is not easy
+                   to avoid and given that we reach this here only
+                   after a malloc failure for a small object, it is
+                   probably better not to do anything.  */
 		return gpg_error (GPG_ERR_GENERAL);
 	      }
 	    /* If the data_type is FD, we have to do a dup2 here.  */
@@ -1233,10 +1237,26 @@ read_colon_line (engine_gpg_t gpg)
 		    }
 
 		  assert (gpg->colon.fnc);
-		  gpg->colon.fnc (gpg->colon.fnc_value, line ? line : buffer);
+                  if (line)
-		  if (line)
+                    {
-		    free (line);
+                      char *linep = line;
-		}
+                      char *endp;
+
+                      do
+                        {
+                          endp = strchr (linep, '\n');
+                          if (endp)
+                            *endp++ = 0;
+                          gpg->colon.fnc (gpg->colon.fnc_value, linep);
+                          linep = endp;
+                        }
+                      while (linep && *linep);
+
+                      free (line);
+                    }
+                  else
+                    gpg->colon.fnc (gpg->colon.fnc_value, buffer);
+                }
 
 	      /* To reuse the buffer for the next line we have to
 		 shift the remaining data to the buffer start and
@@ -2055,6 +2075,7 @@ gpg_keylist_preprocess (char *line, char **r_line)
 #define NR_FIELDS 16
   char *field[NR_FIELDS];
   int fields = 0;
+  size_t n;
 
   *r_line = NULL;
 
@@ -2090,16 +2111,34 @@ gpg_keylist_preprocess (char *line, char **r_line)
 	 pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
 
 	 as defined in 5.2. Machine Readable Indexes of the OpenPGP
-	 HTTP Keyserver Protocol (draft).
+	 HTTP Keyserver Protocol (draft).  Modern versions of the SKS
+	 keyserver return the fingerprint instead of the keyid.  We
+	 detect this here and use the v4 fingerprint format to convert
+	 it to a key id.
 
 	 We want:
 	 pub:o<flags>:<keylen>:<algo>:<keyid>:<creatdate>:<expdate>::::::::
       */
 
-      if (asprintf (r_line, "pub:o%s:%s:%s:%s:%s:%s::::::::",
+      n = strlen (field[1]);
-		    field[6], field[3], field[2], field[1],
+      if (n > 16)
-		    field[4], field[5]) < 0)
+        {
-	return gpg_error_from_syserror ();
+          if (asprintf (r_line,
+                        "pub:o%s:%s:%s:%s:%s:%s::::::::\n"
+                        "fpr:::::::::%s:",
+                        field[6], field[3], field[2], field[1] + n - 16,
+                        field[4], field[5], field[1]) < 0)
+            return gpg_error_from_syserror ();
+        }
+      else
+        {
+          if (asprintf (r_line,
+                        "pub:o%s:%s:%s:%s:%s:%s::::::::",
+                        field[6], field[3], field[2], field[1],
+                        field[4], field[5]) < 0)
+            return gpg_error_from_syserror ();
+        }
+
       return 0;
 
     case RT_UID:

src/engine-gpgsm.c

@@ -837,7 +837,7 @@ status_handler (void *opaque, int fd)
 	      else
 		{
 		  *aline = newline;
-		  gpgsm->colon.attic.linesize += linelen + 1;
+		  gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
 		}
 	    }
 	  if (!err)

src/engine-uiserver.c

@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
 	      else
 		{
 		  *aline = newline;
-		  uiserver->colon.attic.linesize += linelen + 1;
+		  uiserver->colon.attic.linesize = *alinelen + linelen + 1;
 		}
 	    }
 	  if (!err)

src/gpgme.c

@@ -357,7 +357,7 @@ gpgme_set_sub_protocol (gpgme_ctx_t ctx, gpgme_protocol_t protocol)
 }
 
 
-gpgme_error_t
+gpgme_protocol_t
 gpgme_get_sub_protocol (gpgme_ctx_t ctx)
 {
   TRACE2 (DEBUG_CTX, "gpgme_get_sub_protocol", ctx,
@@ -514,7 +514,7 @@ gpgme_get_keylist_mode (gpgme_ctx_t ctx)
 
 /* Set the pinentry mode for CTX to MODE. */
 gpgme_error_t
-gpgme_set_pinentry_mode (gpgme_ctx_t ctx, gpgme_keylist_mode_t mode)
+gpgme_set_pinentry_mode (gpgme_ctx_t ctx, gpgme_pinentry_mode_t mode)
 {
   TRACE1 (DEBUG_CTX, "gpgme_set_pinentry_mode", ctx, "pinentry_mode=%u",
 	  (unsigned int)mode);
@@ -678,8 +678,9 @@ gpgme_io_write (int fd, const void *buffer, size_t count)
    written or an error is return.  Returns: 0 on success or -1 on
    error and the sets errno. */
 int
-gpgme_io_writen (int fd, const void *buffer, size_t count)
+gpgme_io_writen (int fd, const void *buffer_arg, size_t count)
 {
+  const char *buffer = buffer_arg;
   int ret = 0;
   TRACE_BEG2 (DEBUG_GLOBAL, "gpgme_io_writen", fd,
 	      "buffer=%p, count=%u", buffer, count);

src/posix-io.c

@@ -340,10 +340,15 @@ int
 _gpgme_io_waitpid (int pid, int hang, int *r_status, int *r_signal)
 {
   int status;
+  pid_t ret;
 
   *r_status = 0;
   *r_signal = 0;
-  if (_gpgme_ath_waitpid (pid, &status, hang? 0 : WNOHANG) == pid)
+  do
+    ret = _gpgme_ath_waitpid (pid, &status, hang? 0 : WNOHANG);
+  while (ret == (pid_t)(-1) && errno == EINTR);
+
+  if (ret == pid)
     {
       if (WIFSIGNALED (status))
 	{
@@ -714,7 +719,11 @@ _gpgme_io_sendmsg (int fd, const struct msghdr *msg, int flags)
 int
 _gpgme_io_dup (int fd)
 {
-  int new_fd = dup (fd);
+  int new_fd;
+
+  do
+    new_fd = dup (fd);
+  while (new_fd == -1 && errno == EINTR);
 
   TRACE1 (DEBUG_SYSIO, "_gpgme_io_dup", fd, "new fd==%i", new_fd);
 
@@ -744,7 +753,9 @@ _gpgme_io_connect (int fd, struct sockaddr *addr, int addrlen)
   TRACE_BEG2 (DEBUG_SYSIO, "_gpgme_io_connect", fd,
 	      "addr=%p, addrlen=%i", addr, addrlen);
 
-  res = ath_connect (fd, addr, addrlen);
+  do
+    res = ath_connect (fd, addr, addrlen);
+  while (res == -1 && errno == EINTR);
 
   return TRACE_SYSRES (res);
 }

src/w32-io.c

@@ -425,6 +425,7 @@ create_reader (int fd)
   if (fd < 0 || fd >= MAX_SLAFD || !fd_table[fd].used)
     {
       TRACE_SYSERR (EIO);
+      free (ctx);
       return NULL;
     }
   TRACE_LOG4 ("fd=%d -> handle=%p socket=%d dupfrom=%d",
@@ -794,6 +795,7 @@ create_writer (int fd)
   if (fd < 0 || fd >= MAX_SLAFD || !fd_table[fd].used)
     {
       TRACE_SYSERR (EIO);
+      free (ctx);
       return NULL;
     }
   TRACE_LOG4 ("fd=%d -> handle=%p socket=%d dupfrom=%d",

src/w32-util.c

@@ -660,7 +660,10 @@ _gpgme_mkstemp (int *fd, char **name)
   strcpy (stpcpy (tmpname, tmp), "\\gpgme-XXXXXX");
   *fd = mkstemp (tmpname);
   if (fd < 0)
-    return -1;
+    {
+      free (tmpname);
+      return -1;
+    }
 
   *name = tmpname;
   return 0;