Update to 2.3.4

2022-01-10 09:45:34 +08:00 · 2022-01-10 09:45:34 +08:00 · d350b7a0af
commit d350b7a0af
parent 0d09278687
8 changed files with 369 additions and 349 deletions
--- a/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+++ b/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
@ -43,10 +43,11 @@ index 5d3162c..f9acf95 100644
   if (screener && screener (keyblock, screener_arg))
     {
       log_error (_("key %s: %s\n"), keystr_from_pk (pk),
-@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
+@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl,
 	  }
     }
 -  /* Delete invalid parts and bail out if there are no user ids left.  */
 -  if (!delete_inv_parts (ctrl, keyblock, keyid, options))
 -    {
 -      if (!silent)
--- a/gnupg-2.2.20-file-is-digest.patch
+++ b/gnupg-2.2.20-file-is-digest.patch
@ -10,25 +10,25 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
     oGroup,
     oUnGroup,
@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = {
-   ARGPARSE_s_s (oPersonalCompressPreferences,
+   ARGPARSE_s_s (oTempDir,  "temp-directory", "@"),
-                                          "personal-compress-preferences", "@"),
+   ARGPARSE_s_s (oExecPath, "exec-path", "@"),
-   ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
+   ARGPARSE_s_n (oExpert,      "expert", "@"),
 +  ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
-   ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
+   ARGPARSE_s_n (oNoExpert, "no-expert", "@"),
-   ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
+   ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"),
-   ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
+   ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"),
@@ -2419,6 +2421,7 @@ main (int argc, char **argv)
     opt.keyid_format = KF_NONE;
     opt.def_sig_expire = "0";
     opt.def_cert_expire = "0";
 +    opt.file_is_digest = 0;
     gnupg_set_homedir (NULL);
     opt.passphrase_repeat = 1;
     opt.emit_version = 0;
     opt.weak_digests = NULL;
@@ -2997,6 +3000,7 @@ main (int argc, char **argv)
 	    opt.verify_options&=~VERIFY_SHOW_PHOTOS;
 	    break;
 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
 	  case oForceAEAD: opt.force_aead = 1; break;
 +	  case oFileIsDigest: opt.file_is_digest = 1; break;
           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
@ -56,24 +56,41 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
 #include "../common/compliance.h"
@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl,
-       if (duration || opt.sig_policy_url
+ 
-           || opt.sig_notations || opt.sig_keyserver_url)
+       if (pk->version >= 5)
-         sig->version = 4;
+         sig->version = 5;  /* Required for v5 keys.  */
 +      else if (opt.file_is_digest)
 +        sig->version = 3;
       else
-         sig->version = pk->version;
+         sig->version = 4;  /* Required.  */
-@@ -860,8 +863,11 @@ write_signature_packets (ctrl_t ctrl,
+@@ -860,14 +863,22 @@ write_signature_packets (ctrl_t ctrl,
-         }
+       if (gcry_md_copy (&md, hash))
-       else
+         BUG ();
-         err = 0;  /* Actually never reached.  */
+ 
-      hash_sigversion_to_magic (md, sig);
+-      build_sig_subpkt_from_sig (sig, pk);
 -      mk_notation_policy_etc (ctrl, sig, NULL, pk);
 -      if (opt.flags.include_key_block && IS_SIG (sig))
 -        err = mk_sig_subpkt_key_block (ctrl, sig, pk);
 -      else
 -        err = 0;
 -      hash_sigversion_to_magic (md, sig, extrahash);
 -      gcry_md_final (md);
 +      if (!opt.file_is_digest)
 +        {
 +          build_sig_subpkt_from_sig (sig, pk);
 +          mk_notation_policy_etc (ctrl, sig, NULL, pk);
 +          if (opt.flags.include_key_block && IS_SIG (sig))
 +            err = mk_sig_subpkt_key_block (ctrl, sig, pk);
 +          else
 +            err = 0;
 +
-+      if (!opt.file_is_digest) {
+          hash_sigversion_to_magic (md, sig, extrahash);
 +        hash_sigversion_to_magic (md, sig);
 +          gcry_md_final (md);
 +        }
 +      else if (sig->version >= 4)
 +        {
 +          log_bug("file-is-digest doesn't work with v4 sigs\n");
 +        }
       if (!err)
@ -84,9 +101,9 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
   u32 duration=0;
 +  int sigclass = 0x00;
 +  u32 timestamp = 0;
   pt_extra_hash_data_t extrahash = NULL;
   pfx = new_progress_context ();
     afx = new_armor_context ();
@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
     fname = NULL;
@ -108,12 +125,12 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
@@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
     goto leave;
-     /* prepare iobufs */
+   /* Prepare iobufs. */
 -  if (multifile)    /* have list of filenames */
 +  if (multifile || opt.file_is_digest)  /* have list of filenames */
     inp = NULL;     /* we do it later */
-     else {
+   else
-       inp = iobuf_open(fname);
+     {
@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
   for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
     gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
@ -130,13 +147,14 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
 +  sigclass = opt.textmode && !outfile? 0x01 : 0x00;
 +
   /* Setup the inner packet. */
-     if( detached ) {
+   if (detached)
- 	if( multifile ) {
+     {
-@@ -1195,6 +1214,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1195,6 +1214,49 @@ sign_file (ctrl_t ctrl, strlist_t filena
           if (opt.verbose)
             log_printf ("\n");
 	}
-+	else if (opt.file_is_digest) {
+      else if (opt.file_is_digest)
 +        {
 +          byte *mdb, ts[5];
 +          size_t mdlen;
 +          const char *fp;
@ -149,7 +167,8 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
 +          if (strlen(fname) != mdlen * 2 + 11)
 +            log_bug("digests must be %zu + @ + 5 bytes\n", mdlen);
 +          d = -1;
-+	    for (fp = fname ; *fp; ) {
+          for (fp = fname ; *fp; )
 +            {
 +      	       c = *fp++;
 +      	       if (c >= '0' && c <= '9')
 +      	         c -= '0';
@ -159,10 +178,12 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
 +      	         c -= 'A' - 10;
 +      	       else
 +      	         log_bug("filename is not hex\n");
-+		if (d >= 0) {
+      	       if (d >= 0)
 +                {
 +      	           *mdb++ = d << 4 | c;
 +      	           c = -1;
-+		    if (--mdlen == 0) {
+      	           if (--mdlen == 0)
 +                    {
 +      	               mdb = ts;
 +      	               if (*fp++ != '@')
 +      	                 log_bug("missing time separator\n");
@ -175,13 +196,13 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
 +            log_bug("bad cipher class\n");
 +          timestamp = buf32_to_u32(ts + 1);
 +        }
- 	else {
+       else
- 	    /* read, so that the filter can calculate the digest */
+         {
- 	    while( iobuf_get(inp) != -1 )
+           /* Read, so that the filter can calculate the digest. */
@@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
-     /* write the signatures */
+   /* Write the signatures. */
-     rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
+   rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash,
 -                                opt.textmode && !outfile? 0x01 : 0x00,
 -                                0, duration, detached ? 'D':'S', NULL);
 +                                sigclass,
--- a/gnupg-2.2.21-coverity.patch
+++ b/gnupg-2.2.21-coverity.patch
@ -10,9 +10,93 @@ diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-h
     return my_error_from_syserror ();
   return 0;
 }
-diff -up gnupg-2.2.21/dirmngr/domaininfo.c.coverity gnupg-2.2.21/dirmngr/domaininfo.c
+
--- gnupg-2.2.21/dirmngr/domaininfo.c.coverity	2019-07-09 11:08:45.000000000 +0200
+From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001
-+++ gnupg-2.2.21/dirmngr/domaininfo.c	2020-07-20 17:09:57.418148784 +0200
+From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 9 Apr 2021 16:13:07 +0200
 Subject: [PATCH GnuPG 03/19] g10: Fix memory leaks
 * g10/card-util.c (change_pin): free answer on errors
  (ask_card_keyattr): free answer on error
 * g10/cpr.c (do_get_from_fd): free string
 * g10/gpg.c (check_permissions): free dir on weird error
 * g10/import.c (append_new_uid): release knode
 * g10/keyedit.c (menu_set_keyserver_url): free answer
  (menu_set_keyserver_url): free user
 * g10/keygen.c (print_status_key_not_created): move allocation after
  sanity check
  (ask_expire_interval): free answer
  (card_store_key_with_backup): goto leave instaed of return
 * g10/keyserver.c (parse_keyserver_uri): goto fail instead of return
 * g10/revoke.c (gen_desig_revoke): release kdbhd
  (gen_desig_revoke): free answer
 * g10/tofu.c (ask_about_binding): free sqerr and response
 * g10/trustdb.c (ask_ownertrust): free pk
 --
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 ---
 g10/card-util.c | 14 +++++++++++---
 g10/cpr.c       |  6 +++++-
 g10/gpg.c       |  1 +
 g10/import.c    |  5 ++++-
 g10/keyedit.c   |  8 +++++++-
 g10/keygen.c    | 15 +++++++++++----
 g10/keyserver.c |  2 +-
 g10/revoke.c    |  6 +++++-
 g10/tofu.c      |  4 ++++
 g10/trustdb.c   |  1 +
 10 files changed, 50 insertions(+), 12 deletions(-)
 diff --git a/g10/card-util.c b/g10/card-util.c
 index 36f096f06..c7df8380d 100644
 --- a/g10/card-util.c
 +++ b/g10/card-util.c
@@ -127,7 +127,7 @@ change_pin (int unblock_v2, int allow_admin)
   else
     for (;;)
       {
 -	char *answer;
 +	char *answer = NULL;
 	tty_printf ("\n");
 	tty_printf ("1 - change PIN\n"
 diff --git a/g10/tofu.c b/g10/tofu.c
 index f49083844..83786a08d 100644
 --- a/g10/tofu.c
 +++ b/g10/tofu.c
@@ -1687,6 +1687,8 @@ ask_about_binding (ctrl_t ctrl,
          GPGSQL_ARG_END);
       if (rc)
         {
 +          sqlite3_free (sqerr);
 +          sqerr = NULL;
           rc = gpg_error (GPG_ERR_GENERAL);
           break;
         }
 -- 
 2.30.2
 From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 13 Apr 2021 16:23:31 +0200
 Subject: [PATCH GnuPG 14/19] dirmgr: Avoid memory leaks
 * dirmngr/domaininfo.c (insert_or_update): free di_new
 --
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 ---
 dirmngr/domaininfo.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c
 index b41aef366..87782b4b1 100644
 --- a/dirmngr/domaininfo.c
 +++ b/dirmngr/domaininfo.c
@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
           log_error ("domaininfo: error allocating helper array: %s\n",
                      gpg_strerror (gpg_err_code_from_syserror ()));
@ -21,220 +105,93 @@ diff -up gnupg-2.2.21/dirmngr/domaininfo.c.coverity gnupg-2.2.21/dirmngr/domaini
           goto leave;
         }
       narray = 0;
-@@ -258,6 +259,8 @@ insert_or_update (const char *domain,
+-- 
-        * sensible strategy.  */
+2.30.2
       drop_extra = domainbuckets[hash];
       domainbuckets[hash] = keep;
 +
 +      xfree (array);
     }
   /* Insert */
 diff -up gnupg-2.2.21/dirmngr/http.c.coverity gnupg-2.2.21/dirmngr/http.c
 --- gnupg-2.2.21/dirmngr/http.c.coverity	2019-11-18 18:44:33.000000000 +0100
 +++ gnupg-2.2.21/dirmngr/http.c	2020-07-20 17:09:57.419148793 +0200
@@ -3656,7 +3656,6 @@ http_prepare_redirect (http_redir_info_t
       if (!newurl)
         {
           err = gpg_error_from_syserror ();
 -          http_release_parsed_uri (locuri);
           return err;
         }
     }
@@ -3675,7 +3674,6 @@ http_prepare_redirect (http_redir_info_t
       if (!newurl)
         {
           err = gpg_error_from_syserror ();
 -          http_release_parsed_uri (locuri);
           return err;
         }
     }
 diff -up gnupg-2.2.21/dirmngr/ks-engine-hkp.c.coverity gnupg-2.2.21/dirmngr/ks-engine-hkp.c
 --- gnupg-2.2.21/dirmngr/ks-engine-hkp.c.coverity	2019-11-18 18:44:33.000000000 +0100
 +++ gnupg-2.2.21/dirmngr/ks-engine-hkp.c	2020-07-20 17:09:57.419148793 +0200
@@ -1426,7 +1426,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t
   int reselect;
   unsigned int httpflags;
   char *httphost = NULL;
 -  unsigned int http_status;
 +  unsigned int http_status = 0;
   unsigned int tries = SEND_REQUEST_RETRIES;
   unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
-diff -up gnupg-2.2.21/g10/card-util.c.coverity gnupg-2.2.21/g10/card-util.c
+From ab3b8c53993b3305088efde756a44bac6e6492d4 Mon Sep 17 00:00:00 2001
--- gnupg-2.2.21/g10/card-util.c.coverity	2020-04-15 15:17:48.000000000 +0200
+From: Jakub Jelen <jjelen@redhat.com>
-+++ gnupg-2.2.21/g10/card-util.c	2020-07-20 17:09:57.419148793 +0200
+Date: Tue, 13 Apr 2021 16:34:40 +0200
-@@ -667,7 +667,7 @@ card_status (ctrl_t ctrl, estream_t fp,
+Subject: [PATCH GnuPG 15/19] scd: Avoid memory leaks and uninitialized memory
 {
   int err;
   strlist_t card_list, sl;
 -  char *serialno0, *serialno1;
 +  char *serialno0, *serialno1 = NULL;
   int all_cards = 0;
   int any_card = 0;
-@@ -712,6 +712,7 @@ card_status (ctrl_t ctrl, estream_t fp,
+* scd/app-piv.c (do_decipher): goto leave, initialize outdatalen
-       current_card_status (ctrl, fp, NULL, 0);
+--
       xfree (serialno1);
 +      serialno1 = NULL;
-       if (!all_cards)
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-         goto leave;
+---
-diff -up gnupg-2.2.21/g10/import.c.coverity gnupg-2.2.21/g10/import.c
+ scd/app-piv.c | 4 ++--
--- gnupg-2.2.21/g10/import.c.coverity	2020-07-20 17:09:57.416148768 +0200
+ 1 file changed, 2 insertions(+), 2 deletions(-)
 +++ gnupg-2.2.21/g10/import.c	2020-07-20 17:09:57.419148793 +0200
@@ -1888,7 +1888,7 @@ import_one_real (ctrl_t ctrl,
-   if (opt.interactive && !silent)
+diff --git a/scd/app-piv.c b/scd/app-piv.c
-     {
+index 143cc047a..94257f0ee 100644
-      if (is_status_enabled())
+--- a/scd/app-piv.c
-+      if (uidnode && is_status_enabled())
+++ b/scd/app-piv.c
-         print_import_check (pk, uidnode->pkt->pkt.user_id);
+@@ -2483,7 +2483,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
-       merge_keys_and_selfsig (ctrl, keyblock);
+   gpg_error_t err;
-       tty_printf ("\n");
+   data_object_t dobj;
-diff -up gnupg-2.2.21/g10/keygen.c.coverity gnupg-2.2.21/g10/keygen.c
+   unsigned char *outdata = NULL;
--- gnupg-2.2.21/g10/keygen.c.coverity	2020-07-20 17:09:57.401148640 +0200
+-  size_t outdatalen;
-+++ gnupg-2.2.21/g10/keygen.c	2020-07-20 17:09:57.420148801 +0200
+  size_t outdatalen = 0;
-@@ -3075,7 +3075,7 @@ parse_key_parameter_part (ctrl_t ctrl,
+   const unsigned char *s;
-   char *endp;
+   size_t n;
-   const char *curve = NULL;
+   int keyref, mechanism;
-   int ecdh_or_ecdsa = 0;
+@@ -2582,7 +2582,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
-  unsigned int size;
+   /* Now verify the Application PIN.  */
-+  unsigned int size = 0;
+   err = verify_chv (app, ctrl, 0x80, 0, pincb, pincb_arg);
   int keyuse;
   int i;
   const char *s;
@@ -5719,12 +5719,20 @@ gen_card_key (int keyno, int algo, int i
      the self-signatures. */
   err = agent_readkey (NULL, 1, keyid, &public);
   if (err)
 -    return err;
-+    {
+    goto leave;
 +      xfree (pkt);
 +      xfree (pk);
 +      return err;
 +    }
   err = gcry_sexp_sscan (&s_key, NULL, public,
                          gcry_sexp_canon_len (public, 0, NULL, NULL));
   xfree (public);
   if (err)
 -    return err;
 +    {
 +      xfree (pkt);
 +      xfree (pk);
 +      return err;
 +    }
-   if (algo == PUBKEY_ALGO_RSA)
+   /* Build the Dynamic Authentication Template.  */
-     err = key_from_sexp (pk->pkey, s_key, "public-key", "ne");
+   err = concat_tlv_list (0, &apdudata, &apdudatalen,
-@@ -5739,6 +5747,7 @@ gen_card_key (int keyno, int algo, int i
+-- 
-   if (err)
+2.30.2
     {
       log_error ("key_from_sexp failed: %s\n", gpg_strerror (err) );
 +      xfree (pkt);
       free_public_key (pk);
       return err;
     }
 diff -up gnupg-2.2.21/g10/sig-check.c.coverity gnupg-2.2.21/g10/sig-check.c
 --- gnupg-2.2.21/g10/sig-check.c.coverity	2020-07-03 16:17:05.000000000 +0200
 +++ gnupg-2.2.21/g10/sig-check.c	2020-07-20 17:09:57.420148801 +0200
@@ -902,6 +902,7 @@ check_signature_over_key_or_uid (ctrl_t
                 {
                   /* Issued by a subkey.  */
                   signer = subk;
 +                  *is_selfsig = 1;
                   break;
                 }
             }
 diff -up gnupg-2.2.21/g10/sign.c.coverity gnupg-2.2.21/g10/sign.c
 --- gnupg-2.2.21/g10/sign.c.coverity	2020-07-20 17:09:57.399148624 +0200
 +++ gnupg-2.2.21/g10/sign.c	2020-07-20 17:09:57.420148801 +0200
@@ -824,7 +824,7 @@ write_signature_packets (ctrl_t ctrl,
       PKT_public_key *pk;
       PKT_signature *sig;
       gcry_md_hd_t md;
 -      gpg_error_t err;
 +      gpg_error_t err = 0;
       pk = sk_rover->pk;
-diff -up gnupg-2.2.21/kbx/keybox-dump.c.coverity gnupg-2.2.21/kbx/keybox-dump.c
+From f182bf91443618323e34261039045a6bde269be5 Mon Sep 17 00:00:00 2001
--- gnupg-2.2.21/kbx/keybox-dump.c.coverity	2019-08-23 15:59:06.000000000 +0200
+From: Jakub Jelen <jjelen@redhat.com>
-+++ gnupg-2.2.21/kbx/keybox-dump.c	2020-07-20 17:09:57.420148801 +0200
+Date: Tue, 13 Apr 2021 16:44:48 +0200
-@@ -786,11 +786,15 @@ _keybox_dump_cut_records (const char *fi
+Subject: [PATCH GnuPG 16/19] tools: Avoid memory leaks
   while ( !(rc = _keybox_read_blob (&blob, fp, NULL)) )
     {
       if (recno > to)
 -        break; /* Ready.  */
 +        {
 +          _keybox_release_blob (blob);
 +          break; /* Ready.  */
 +        }
       if (recno >= from)
         {
           if ((rc = _keybox_write_blob (blob, NULL, outfp)))
             {
 +              _keybox_release_blob (blob);
               fprintf (stderr, "error writing output: %s\n",
                        gpg_strerror (rc));
               goto leave;
 diff -up gnupg-2.2.21/tools/gpg-wks-server.c.coverity gnupg-2.2.21/tools/gpg-wks-server.c
 --- gnupg-2.2.21/tools/gpg-wks-server.c.coverity	2020-02-10 16:12:13.000000000 +0100
 +++ gnupg-2.2.21/tools/gpg-wks-server.c	2020-07-20 17:09:57.420148801 +0200
@@ -890,15 +890,18 @@ store_key_as_pending (const char *dir, e
     }
-  leave:
+* tools/wks-util.c (wks_cmd_print_wkd_url): Free addrspec on error
-  if (err)
+  (wks_cmd_print_wkd_hash): Free addrspec on error
 +  if (fname)
     {
 -      es_fclose (outfp);
 -      gnupg_remove (fname);
 -    }
 -  else if (es_fclose (outfp))
 -    {
 -      err = gpg_error_from_syserror ();
 -      log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
 +      if (err)
 +        {
 +          es_fclose (outfp);
 +          gnupg_remove (fname);
 +        }
 +      else if (es_fclose (outfp))
 +        {
 +          err = gpg_error_from_syserror ();
 +          log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
 +        }
     }
-   if (!err)
+--
-diff -up gnupg-2.2.21/tools/wks-util.c.coverity gnupg-2.2.21/tools/wks-util.c
+
--- gnupg-2.2.21/tools/wks-util.c.coverity	2019-11-23 13:50:21.000000000 +0100
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-+++ gnupg-2.2.21/tools/wks-util.c	2020-07-20 17:09:57.421148810 +0200
+---
-@@ -948,7 +948,7 @@ ensure_policy_file (const char *addrspec
+ tools/wks-util.c | 14 ++++++++++----
- static gpg_error_t
+ 1 file changed, 10 insertions(+), 4 deletions(-)
- install_key_from_spec_file (const char *fname)
+
 diff --git a/tools/wks-util.c b/tools/wks-util.c
 index 516c7fe00..38dd194ff 100644
 --- a/tools/wks-util.c
 +++ b/tools/wks-util.c
@@ -1192,11 +1192,14 @@ gpg_error_t
 wks_cmd_print_wkd_hash (const char *userid)
 {
-  gpg_error_t err;
+   gpg_error_t err;
-+  gpg_error_t err = 0;
+-  char *addrspec, *fname;
-   estream_t fp;
+  char *addrspec = NULL, *fname;
   char *line = NULL;
   size_t linelen = 0;
@@ -1195,10 +1195,8 @@ wks_cmd_print_wkd_hash (const char *user
   char *addrspec, *fname;
   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
-  if (err)
+   if (err)
 -    return err;
-
+    {
-  es_printf ("%s %s\n", fname, addrspec);
+      xfree (addrspec);
-+  if (!err)
+      return err;
-+    es_printf ("%s %s\n", fname, addrspec);
+    }
-   xfree (fname);
+   es_printf ("%s %s\n", fname, addrspec);
-   xfree (addrspec);
+ 
-@@ -1216,7 +1214,10 @@ wks_cmd_print_wkd_url (const char *useri
+@@ -1211,12 +1214,15 @@ gpg_error_t
 wks_cmd_print_wkd_url (const char *userid)
 {
   gpg_error_t err;
 -  char *addrspec, *fname;
 +  char *addrspec = NULL, *fname;
   char *domain;
   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
   if (err)
@ -246,3 +203,38 @@ diff -up gnupg-2.2.21/tools/wks-util.c.coverity gnupg-2.2.21/tools/wks-util.c
   domain = strchr (addrspec, '@');
   if (domain)
 -- 
 2.30.2
 From 600fabd8268c765d45d48873e7a8610e6dae0966 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Wed, 14 Apr 2021 15:59:12 +0200
 Subject: [PATCH GnuPG 17/19] scd: Use the same allocator to free memory
 * scd/command.c (cmd_getinfo): Use free instead of gcry_free to match
  the original allocator
 --
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 ---
 scd/command.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/scd/command.c b/scd/command.c
 index cb0dd379a..9d85c5a41 100644
 --- a/scd/command.c
 +++ b/scd/command.c
@@ -1832,7 +1832,8 @@ cmd_getinfo (assuan_context_t ctx, char *line)
         rc = assuan_send_data (ctx, p, strlen (p));
       else
         rc = gpg_error (GPG_ERR_NO_DATA);
 -      xfree (p);
 +      /* allocated by scd/ccid-driver.c which is not using x*alloc/gcry_* */
 +      free (p);
     }
   else if (!strcmp (line, "deny_admin"))
     rc = opt.allow_admin? gpg_error (GPG_ERR_GENERAL) : 0;
 -- 
 2.30.2
--- a/gnupg-2.2.27.tar.bz2
+++ b/gnupg-2.2.27.tar.bz2
--- a/gnupg-2.2.27.tar.bz2.sig
+++ b/gnupg-2.2.27.tar.bz2.sig
--- a/gnupg-2.3.4.tar.bz2
+++ b/gnupg-2.3.4.tar.bz2
--- a/gnupg-2.3.4.tar.bz2.sig
+++ b/gnupg-2.3.4.tar.bz2.sig
--- a/gnupg2.spec
+++ b/gnupg2.spec
@ -1,6 +1,6 @@
 Name: gnupg2
-Version: 2.2.27
+Version: 2.3.4
-Release: 4
+Release: 1
 Summary: Utility for secure communication and data storage
 License: GPLv3+
@ -8,28 +8,27 @@ URL: https://gnupg.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
 Source1: https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
-Patch0:  fix-a-memory-leak-in-g10.patch
+Patch0:  gnupg-2.1.10-secmem.patch
-Patch1:  gnupg-2.1.10-secmem.patch
+Patch1:  gnupg-2.1.1-fips-algo.patch
-Patch2:  gnupg-2.1.1-fips-algo.patch
+Patch2:  gnupg-2.2.23-large-rsa.patch
-Patch3:  gnupg-2.2.23-insttools.patch
+Patch3:  gnupg-2.2.16-ocsp-keyusage.patch
-Patch4:  gnupg-2.2.23-large-rsa.patch
+Patch4:  gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
-Patch5:  gnupg-2.2.16-ocsp-keyusage.patch
+Patch5:  gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
-Patch6:  gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+Patch6:  gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
-Patch7:  gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+Patch7:  gnupg-2.2.20-file-is-digest.patch
-Patch8:  gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
+Patch8:  gnupg-2.2.21-coverity.patch
 Patch9:  gnupg-2.2.20-file-is-digest.patch
 Patch10: gnupg-2.2.21-coverity.patch
 Patch11: common-Avoid-undefined-behavior-of-left-shift-operat.patch
 BuildRequires: gcc
 BuildRequires: zlib-devel, npth-devel, texinfo
-BuildRequires: libgpg-error-devel >= 1.31
+BuildRequires: libgpg-error-devel >= 1.38
-BuildRequires: libgcrypt-devel >= 1.7.0
+BuildRequires: libgcrypt-devel >= 1.9.1
 BuildRequires: libksba-devel >= 1.3.0
 BuildRequires: libassuan-devel >= 2.1.0
 # compile dirmngr module, need gnutls
 BuildRequires: gnutls-devel
-Requires: libgcrypt >= 1.7.0
+Requires: libgcrypt >= 1.9.1
-Requires: libgpg-error >= 1.31
+Requires: libgpg-error >= 1.38
 Recommends: pinentry
 Recommends: gnupg2-smime
@ -63,10 +62,14 @@ signing to the base GnuPG package.
 sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c
 %build
 # add --disable-ccid-driver to solve #2005714
 # disable tpm2 module
 %configure \
  --disable-gpgtar \
  --disable-rpath \
  --enable-g13 \
  --disable-ccid-driver \
  --disable-tpm2d \
  --enable-large-secmem
 %make_build
@ -115,6 +118,9 @@ make check
 %changelog
 * Mon Jan 10 2022 yixiangzhike <yixiangzhike007@163.com> - 2.3.4-1
 - update to 2.3.4
 * Mon Aug 2 2021 yixiangzhike <zhangxingliang3@huawei.com> - 2.2.27-4
 - fix the insttools patch