packages/gnupg2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!102 Backport follow-up patch for CVE-2025-30258

Browse Source 
From: @yixiangzhike 
Reviewed-by: @zcfsite 
Signed-off-by: @zcfsite
This commit is contained in:
openeuler-ci-bot 2025-05-07 02:30:13 +00:00 committed by Gitee
commit fb1f4f7d38
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 54 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
backport-0006-CVE-2025-30258.patch Normal file
View File

@ -0,0 +1,48 @@
From 9b7c067717d815e16f9ea3cec88bca09a6cce7cb Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 2 May 2025 11:11:05 +0200
Subject: [PATCH] gpg: Fix another regression due to the T7547 fix.
* g10/getkey.c (get_pubkey_for_sig): Keep a requested
PUBKEY_USAGE_CERT.
(finish_lookup): For correctness in future use cases allow
PUBKEY_USAGE_CERT to also trigger verify mode.
--
The case here was that a cert-only primary key was removed with
export-clean.
GnuPG-bug-id: 7583
---
g10/getkey.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/g10/getkey.c b/g10/getkey.c
index e3264062f..ae0e00220 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -341,8 +341,10 @@ get_pubkey_for_sig (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig,
/* Make sure to request only keys cabable of signing. This makes
* sure that a subkey w/o a valid backsig or with bad usage flags
* will be skipped. We also request the verification mode so that
- * expired and reoked keys are returned. */
- pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY);
+ * expired and revoked keys are returned. We keep only a requested
+ * CERT usage in PK for the sake of key signatures. */
+ pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY
+ | (pk->req_usage & PUBKEY_USAGE_CERT));
/* First try the ISSUER_FPR info. */
fpr = issuer_fpr_raw (sig, &fprlen);
@@ -3736,7 +3738,7 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
/* The verify mode is used to change the behaviour so that we can
* return an expired or revoked key for signature verification. */
verify_mode = ((req_usage & PUBKEY_USAGE_VERIFY)
- && (req_usage & PUBKEY_USAGE_SIG));
+ && (req_usage & (PUBKEY_USAGE_CERT|PUBKEY_USAGE_SIG)));
#define USAGE_MASK (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT)
req_usage &= USAGE_MASK;
--
2.43.0

8
gnupg2.spec
View File

@ -1,6 +1,6 @@
Name: gnupg2
Version: 2.4.3
Release: 6
Release: 7
Summary: Utility for secure communication and data storage
License: GPLv3+
@ -25,7 +25,8 @@ Patch14: backport-0002-CVE-2025-30258.patch
Patch15: backport-0003-CVE-2025-30258.patch
Patch16: backport-0004-CVE-2025-30258.patch
Patch17: backport-0005-CVE-2025-30258.patch
Patch18: backport-gpg-Fix-double-free-of-internal-data.patch
Patch18: backport-0006-CVE-2025-30258.patch
Patch19: backport-gpg-Fix-double-free-of-internal-data.patch
BuildRequires: gcc
BuildRequires: zlib-devel, npth-devel, texinfo
@ -127,6 +128,9 @@ make check
%changelog
* Tue May 6 2025 yixiangzhike <yixiangzhike007@163.com> - 2.4.3-7
- backport follow-up patch for CVE-2025-30258
* Thu Mar 27 2025 yixiangzhike <yixiangzhike007@163.com> - 2.4.3-6
- fix CVE-2025-30258