Comment 1 Carlos J. Puga Medina 2016-02-11 13:45:34 UTC

patch-cipher_Makefile.in was re-added to fix bug 207042.

Comment 2 Jason Unovitch 2016-02-13 22:59:08 UTC

1. When we re-add a file we deleted before it would be copied in a manner similar to re-adding a deleted port [1].  Just copy it from just before the revision it was deleted (your commit r408514)

svn cp 'svn+ssh://repo.freebsd.org/ports/head/security/libgcrypt/files/patch-cipher-Makefile.in@408513' files/patch-cipher_Makefile.in

M       Makefile
M       distinfo
A  +    files/patch-cipher_Makefile.in
M       pkg-plist

[1] https://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#ports-qa-re-adding

2. I noticed the patch had the key words 'svn:keywords FreeBSD=%H' in the diff.  This is what expands the $FreeBSD$ in Makefiles but not needed on patches.  The auto-props.txt file described in "5.3.7. Adding and Removing Files" of the subversion primer shows where the ports specific auto-prop file is located and describes how to configure it.

[2] https://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/committers-guide/subversion-primer.html

3. Given the "Mitigate side-channel attack on ECDH with Weierstrass curves [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for details.", we'll need to add a VuXML entry here to and MFH the batch of changes when we're done.  Take a look at the Porter's Handbook on VuXML [3] and the "QUICK GUIDE TO ADDING A NEW ENTRY" in the security/vuxml/vuln.xml file.  Take a go at the entry and add the patch for the PR for review.

[3] https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/security-notify.html

Thanks!

Comment 3 Carlos J. Puga Medina 2016-02-15 23:19:08 UTC

Created attachment 167055 [details]
v1

Comment 4 Jason Unovitch 2016-02-16 01:03:11 UTC

(In reply to Carlos J. Puga Medina from comment #3)
Can you add a patch for security/vuxml/vuln.xml for the CVE-2015-7511 comment mentioned in 3 above?

Comment 5 Jason Unovitch 2016-02-16 01:04:30 UTC

(In reply to Carlos J. Puga Medina from comment #3)
Your `svn status` in your local repo should show:
M       Makefile
M       distinfo
A  +    files/patch-cipher_Makefile.in
D       files/patch-cipher_salsa20.c
M       pkg-plist

The 'A  +' reflects the restoration of the previous files/patch-cipher_Makefile.in from before.

Comment 6 Carlos J. Puga Medina 2016-02-16 01:34:58 UTC

(In reply to Jason Unovitch from comment #4)

Sure! I'm on it.

Comment 7 Carlos J. Puga Medina 2016-02-16 02:13:45 UTC

Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml	(revision 408968)
+++ security/vuxml/vuln.xml	(working copy)
@@ -57,6 +57,32 @@
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="95b92e3b-d451-11e5-9794-e8e0b747a45a">
+    <topic>libgcrypt -- side-channel attack on ECDH</topic>
+    <affects>
+      <package>
+	<name>libgcrypt</name>
+	<range><lt>1.6.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>GnuPG reports:</p>
+	<blockquote cite="https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html">
+	  <p>Mitigate side-channel attack on ECDH with Weierstrass curves.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-7511</cvename>
+      <url>https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html</url>
+    </references>
+    <dates>
+      <discovery>2016-02-09</discovery>
+      <entry>2016-02-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="f1bf28c5-d447-11e5-b2bd-002590263bf5">
     <topic>xdelta3 -- buffer overflow vulnerability</topic>
     <affects>

Comment 8 Carlos J. Puga Medina 2016-02-16 02:15:15 UTC

(In reply to Jason Unovitch from comment #5)

`svn status` output:
M       security/libgcrypt/Makefile
M       security/libgcrypt/distinfo
A  +    security/libgcrypt/files/patch-cipher-Makefile.in
D       security/libgcrypt/files/patch-cipher_salsa20.c
M       security/libgcrypt/pkg-plist
M       security/vuxml/vuln.xml

Comment 9 Carlos J. Puga Medina 2016-02-16 02:19:21 UTC

Poudriere testports build fine on 9.3a, 9.3i, 10.2a and 10.2i.

Comment 10 Jason Unovitch 2016-02-16 02:27:04 UTC

(In reply to Carlos J. Puga Medina from comment #7)

It's less than for the <lt> tags, so it must be 1.6.5 between the tags.  I can confirm `make validate` passes and the content other than the version is good.  Approved once the version is fixed.

VuXML would be approved with something like this:

Document libgcrypt side-channel attach on ECDH

PR:		207107
Security:	CVE-2015-7511
Security:	https://vuxml.FreeBSD.org/freebsd/95b92e3b-d451-11e5-9794-e8e0b747a45a.html

Comment 11 Carlos J. Puga Medina 2016-02-16 02:29:09 UTC

(In reply to Jason Unovitch from comment #10)

Oops! Thanks for your review, Jason :)

Comment 12 Jason Unovitch 2016-02-16 02:30:07 UTC

(In reply to Carlos J. Puga Medina from comment #9)

Builds are good.

Portlint is good.

Runtime from Tobias in bug 207042 comment 8 is good.

If your SVN status reflects the comment 8 here then this is approved.  Please use the commit message we agreed upon in the earlier email and fill out the VuXML URL reference like shown in comment 10.

Comment 13 Jason Unovitch 2016-02-16 02:31:04 UTC

(In reply to Jason Unovitch from comment #10)

"attach" to "attack".  Sorry about the spelling in the example.

Comment 14 commit-hook 2016-02-16 02:40:47 UTC

A commit references this bug:

Author: cpm
Date: Tue Feb 16 02:40:27 UTC 2016
New revision: 408971
URL: https://svnweb.freebsd.org/changeset/ports/408971

Log:
  Document libgcrypt side-channel attack on ECDH

  PR:		207107
  Security:	CVE-2015-7511
  Security:	https://vuxml.FreeBSD.org/freebsd/95b92e3b-d451-11e5-9794-e8e0b747a45a.html

Changes:
  head/security/vuxml/vuln.xml

Comment 15 commit-hook 2016-02-16 02:53:49 UTC

A commit references this bug:

Author: cpm
Date: Tue Feb 16 02:52:56 UTC 2016
New revision: 408972
URL: https://svnweb.freebsd.org/changeset/ports/408972

Log:
  - Update libgcrypt to 1.6.5
  - Change LICENSE since support has been added for "or later" variants of GNU licenses.
  - Remove needless patch-cipher_salsa20.c

  Changes:
    https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html

  PR:		207107
  Approved by:	junovitch (mentor)

Changes:
  head/security/libgcrypt/Makefile
  head/security/libgcrypt/distinfo
  head/security/libgcrypt/files/patch-cipher-Makefile.in
  head/security/libgcrypt/files/patch-cipher_salsa20.c
  head/security/libgcrypt/pkg-plist

Comment 16 Jason Unovitch 2016-02-16 03:13:56 UTC

Open and set merge-quarterly? until the MFH approval is done.

Comment 17 commit-hook 2016-02-16 13:29:46 UTC

A commit references this bug:

Author: cpm
Date: Tue Feb 16 13:29:13 UTC 2016
New revision: 408993
URL: https://svnweb.freebsd.org/changeset/ports/408993

Log:
  MFH: r408972

  - Update libgcrypt to 1.6.5
  - Change LICENSE since support has been added for "or later" variants of GNU licenses.
  - Remove needless patch-cipher_salsa20.c

  Changes:
    https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html

  PR:		207107
  Approved by:	junovitch (mentor)

  Security: 	CVE-2015-7511
  Security: 	https://vuxml.FreeBSD.org/freebsd/95b92e3b-d451-11e5-9794-e8e0b747a45a.html
  Approved by:	ports-secteam (eadler)

Changes:
_U  branches/2016Q1/
  branches/2016Q1/security/libgcrypt/Makefile
  branches/2016Q1/security/libgcrypt/distinfo
  branches/2016Q1/security/libgcrypt/files/patch-cipher-Makefile.in
  branches/2016Q1/security/libgcrypt/files/patch-cipher_salsa20.c
  branches/2016Q1/security/libgcrypt/pkg-plist