All of lore.kernel.org
 help / color / mirror / Atom feed
* [master][PATCH 0/2]  gnupg update and fix outstanding CVE
@ 2026-06-30 13:03 Roland Kovacs
  2026-06-30 13:03 ` [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs
  2026-06-30 13:03 ` [master][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs
  0 siblings, 2 replies; 5+ messages in thread
From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw)
  To: openembedded-core

In order to squash multiple smaller bugs, bump from version 2.5.17->2.5.20,
however that does not resolve CVE-2026-57062, so it is backported from gnupg
master.

Roland Kovacs (2):
  gnupg: Upgrade 2.5.17 -> 2.5.20
  gnupg: fix CVE-2026-57062

 .../gnupg/gnupg/CVE-2026-57062.patch          | 43 +++++++++++++++++++
 .../{gnupg_2.5.17.bb => gnupg_2.5.20.bb}      |  4 +-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
 rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (94%)

-- 
2.34.1



^ permalink raw reply	[flat|nested] 5+ messages in thread

* [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20
  2026-06-30 13:03 [master][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs
@ 2026-06-30 13:03 ` Roland Kovacs
  2026-06-30 13:16   ` [OE-core] " Alexander Kanavin
  2026-06-30 13:03 ` [master][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs
  1 sibling, 1 reply; 5+ messages in thread
From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw)
  To: openembedded-core

Bug fixes included in this release:
   - gpg: Fix wrong assertion failure which could very rarely occur
     during key signature checking.  [rG693f5642f6]
   - gpg: Consider certify-only keys for revocation signature check.
     [T8196]
   - gpgsm: Fix possible double free in the CMS parser.  [T8240]
   - gpgsm: Fix possible too early removal of ephemeral keys.  [T8236]
   - gpgsm: Avoid emitting a final FAILURE status line if --status-fd
     is not used.  [rG69c27fe377]
   - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM
     data.  [rG60a823c97b]
   - agent: Fix not using cache for pinentry loopback.  [rGd4b608a31f]
   - agent: Fix command PUT_SECRET by saving input line.  [rG1875bc185e]
   - keyboxd: Mark keys searched but not imported via LDAP correctly
     as ephemeral.  [T8048]
   - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA
     keys > 2k.  [T8244]
   - dirmngr: Fix uninitialized use of the dns_any union in
     dns_rr_cmp.  [T8251]
 Release-info: https://dev.gnupg.org/T7997

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
---
 .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%)

diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
similarity index 95%
rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb
rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb
index fd6588769c..a1a50e2384 100644
--- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
@@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even
 require drop-unknown-suffix.inc
 
 UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/"
+SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87"
 SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0002-use-pkgconfig-instead-of-npth-config.patch \
            file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
@@ -24,7 +25,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-
                                 file://relocate.patch"
 SRC_URI:append:class-nativesdk = " file://relocate.patch"
 
-SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d"
+SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6"
 
 EXTRA_OECONF = "--disable-ldap \
 		--disable-ccid-driver \
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [master][PATCH 2/2] gnupg: fix CVE-2026-57062
  2026-06-30 13:03 [master][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs
  2026-06-30 13:03 ` [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs
@ 2026-06-30 13:03 ` Roland Kovacs
  1 sibling, 0 replies; 5+ messages in thread
From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw)
  To: openembedded-core

CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20
mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be
12 bytes but 4 bytes is accepted.

Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
---
 .../gnupg/gnupg/CVE-2026-57062.patch          | 43 +++++++++++++++++++
 meta/recipes-support/gnupg/gnupg_2.5.20.bb    |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch

diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
new file mode 100644
index 0000000000..f298b6e9a8
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
@@ -0,0 +1,43 @@
+From d586f50ee849c8cbeaea47b50c64446c1becbf9b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 18 Jun 2026 10:51:34 +0200
+Subject: [PATCH] gpgsm: Require a minimum tag length for GCM decryption.
+
+* sm/decrypt.c (gpgsm_decrypt): Require a minimum authtaglen.
+--
+
+Reported-by: Thai Duong <thai@calif.io>
+This is similar to OpenSSL's
+CVE-id: CVE-2026-34182
+
+CVE: CVE-2026-57062
+Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4]
+
+Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
+---
+ sm/decrypt.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sm/decrypt.c b/sm/decrypt.c
+index 20fb96060..92a33c6e6 100644
+--- a/sm/decrypt.c
++++ b/sm/decrypt.c
+@@ -1447,7 +1447,14 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t out_fp)
+                 }
+               if (DBG_CRYPTO)
+                 log_printhex (authtag, authtaglen, "Authtag ...:");
+-              rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen);
++              if (authtaglen < 12)
++                {
++                  log_info ("authentication tag is too short (%zu octets)\n",
++                            authtaglen);
++                  rc = gpg_error (GPG_ERR_CHECKSUM);
++                }
++              else
++                rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen);
+               xfree (authtag);
+               if (rc)
+                 log_error ("data is not authentic: %s\n", gpg_strerror (rc));
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/gnupg/gnupg_2.5.20.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
index a1a50e2384..e373265c48 100644
--- a/meta/recipes-support/gnupg/gnupg_2.5.20.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
@@ -20,6 +20,7 @@ SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87"
 SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0002-use-pkgconfig-instead-of-npth-config.patch \
            file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+           file://CVE-2026-57062.patch \
            "
 SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
                                 file://relocate.patch"
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [OE-core] [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20
  2026-06-30 13:03 ` [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs
@ 2026-06-30 13:16   ` Alexander Kanavin
  2026-07-01  6:48     ` Roland Kovács
  0 siblings, 1 reply; 5+ messages in thread
From: Alexander Kanavin @ 2026-06-30 13:16 UTC (permalink / raw)
  To: roland.kovacs; +Cc: openembedded-core

On Tue, 30 Jun 2026 at 15:03, Roland Kovács via lists.openembedded.org
<roland.kovacs=est.tech@lists.openembedded.org> wrote:
>  UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/"
> +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87"
>  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \

There's a stray SRCREV here.

Alex


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [OE-core] [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20
  2026-06-30 13:16   ` [OE-core] " Alexander Kanavin
@ 2026-07-01  6:48     ` Roland Kovács
  0 siblings, 0 replies; 5+ messages in thread
From: Roland Kovács @ 2026-07-01  6:48 UTC (permalink / raw)
  To: alex.kanavin@gmail.com; +Cc: openembedded-core@lists.openembedded.org

On Tue, 2026-06-30 at 15:16 +0200, Alexander Kanavin wrote:
> On Tue, 30 Jun 2026 at 15:03, Roland Kovács via lists.openembedded.org
> <roland.kovacs=est.tech@lists.openembedded.org> wrote:
> >  UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/"
> > +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87"
> >  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
> 
> There's a stray SRCREV here.
> 
> Alex
Sorry about that, I'll fix and send V2 series.

Cheers,
	Roland

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-01  6:48 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-30 13:03 [master][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs
2026-06-30 13:03 ` [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs
2026-06-30 13:16   ` [OE-core] " Alexander Kanavin
2026-07-01  6:48     ` Roland Kovács
2026-06-30 13:03 ` [master][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.