* [master][PATCH 0/2] gnupg update and fix outstanding CVE
@ 2026-06-30 13:03 Roland Kovacs
2026-06-30 13:03 ` [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs
2026-06-30 13:03 ` [master][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs
0 siblings, 2 replies; 5+ messages in thread
From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw)
To: openembedded-core
In order to squash multiple smaller bugs, bump from version 2.5.17->2.5.20,
however that does not resolve CVE-2026-57062, so it is backported from gnupg
master.
Roland Kovacs (2):
gnupg: Upgrade 2.5.17 -> 2.5.20
gnupg: fix CVE-2026-57062
.../gnupg/gnupg/CVE-2026-57062.patch | 43 +++++++++++++++++++
.../{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 4 +-
2 files changed, 46 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (94%)
--
2.34.1
^ permalink raw reply [flat|nested] 5+ messages in thread* [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 2026-06-30 13:03 [master][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs @ 2026-06-30 13:03 ` Roland Kovacs 2026-06-30 13:16 ` [OE-core] " Alexander Kanavin 2026-06-30 13:03 ` [master][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs 1 sibling, 1 reply; 5+ messages in thread From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw) To: openembedded-core Bug fixes included in this release: - gpg: Fix wrong assertion failure which could very rarely occur during key signature checking. [rG693f5642f6] - gpg: Consider certify-only keys for revocation signature check. [T8196] - gpgsm: Fix possible double free in the CMS parser. [T8240] - gpgsm: Fix possible too early removal of ephemeral keys. [T8236] - gpgsm: Avoid emitting a final FAILURE status line if --status-fd is not used. [rG69c27fe377] - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM data. [rG60a823c97b] - agent: Fix not using cache for pinentry loopback. [rGd4b608a31f] - agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e] - keyboxd: Mark keys searched but not imported via LDAP correctly as ephemeral. [T8048] - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA keys > 2k. [T8244] - dirmngr: Fix uninitialized use of the dns_any union in dns_rr_cmp. [T8251] Release-info: https://dev.gnupg.org/T7997 Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> --- .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%) diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb similarity index 95% rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb index fd6588769c..a1a50e2384 100644 --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even require drop-unknown-suffix.inc UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0002-use-pkgconfig-instead-of-npth-config.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for- file://relocate.patch" SRC_URI:append:class-nativesdk = " file://relocate.patch" -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d" +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6" EXTRA_OECONF = "--disable-ldap \ --disable-ccid-driver \ -- 2.34.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [OE-core] [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 2026-06-30 13:03 ` [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs @ 2026-06-30 13:16 ` Alexander Kanavin 2026-07-01 6:48 ` Roland Kovács 0 siblings, 1 reply; 5+ messages in thread From: Alexander Kanavin @ 2026-06-30 13:16 UTC (permalink / raw) To: roland.kovacs; +Cc: openembedded-core On Tue, 30 Jun 2026 at 15:03, Roland Kovács via lists.openembedded.org <roland.kovacs=est.tech@lists.openembedded.org> wrote: > UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" > +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" > SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ There's a stray SRCREV here. Alex ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core] [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 2026-06-30 13:16 ` [OE-core] " Alexander Kanavin @ 2026-07-01 6:48 ` Roland Kovács 0 siblings, 0 replies; 5+ messages in thread From: Roland Kovács @ 2026-07-01 6:48 UTC (permalink / raw) To: alex.kanavin@gmail.com; +Cc: openembedded-core@lists.openembedded.org On Tue, 2026-06-30 at 15:16 +0200, Alexander Kanavin wrote: > On Tue, 30 Jun 2026 at 15:03, Roland Kovács via lists.openembedded.org > <roland.kovacs=est.tech@lists.openembedded.org> wrote: > > UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" > > +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" > > SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ > > There's a stray SRCREV here. > > Alex Sorry about that, I'll fix and send V2 series. Cheers, Roland ^ permalink raw reply [flat|nested] 5+ messages in thread
* [master][PATCH 2/2] gnupg: fix CVE-2026-57062 2026-06-30 13:03 [master][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs 2026-06-30 13:03 ` [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs @ 2026-06-30 13:03 ` Roland Kovacs 1 sibling, 0 replies; 5+ messages in thread From: Roland Kovacs @ 2026-06-30 13:03 UTC (permalink / raw) To: openembedded-core CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> --- .../gnupg/gnupg/CVE-2026-57062.patch | 43 +++++++++++++++++++ meta/recipes-support/gnupg/gnupg_2.5.20.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch new file mode 100644 index 0000000000..f298b6e9a8 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch @@ -0,0 +1,43 @@ +From d586f50ee849c8cbeaea47b50c64446c1becbf9b Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Thu, 18 Jun 2026 10:51:34 +0200 +Subject: [PATCH] gpgsm: Require a minimum tag length for GCM decryption. + +* sm/decrypt.c (gpgsm_decrypt): Require a minimum authtaglen. +-- + +Reported-by: Thai Duong <thai@calif.io> +This is similar to OpenSSL's +CVE-id: CVE-2026-34182 + +CVE: CVE-2026-57062 +Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4] + +Signed-off-by: Roland Kovacs <roland.kovacs@est.tech> +--- + sm/decrypt.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sm/decrypt.c b/sm/decrypt.c +index 20fb96060..92a33c6e6 100644 +--- a/sm/decrypt.c ++++ b/sm/decrypt.c +@@ -1447,7 +1447,14 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t out_fp) + } + if (DBG_CRYPTO) + log_printhex (authtag, authtaglen, "Authtag ...:"); +- rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen); ++ if (authtaglen < 12) ++ { ++ log_info ("authentication tag is too short (%zu octets)\n", ++ authtaglen); ++ rc = gpg_error (GPG_ERR_CHECKSUM); ++ } ++ else ++ rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen); + xfree (authtag); + if (rc) + log_error ("data is not authentic: %s\n", gpg_strerror (rc)); +-- +2.34.1 + diff --git a/meta/recipes-support/gnupg/gnupg_2.5.20.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb index a1a50e2384..e373265c48 100644 --- a/meta/recipes-support/gnupg/gnupg_2.5.20.bb +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb @@ -20,6 +20,7 @@ SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0002-use-pkgconfig-instead-of-npth-config.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ + file://CVE-2026-57062.patch \ " SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \ file://relocate.patch" -- 2.34.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-07-01 6:48 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-30 13:03 [master][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs 2026-06-30 13:03 ` [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs 2026-06-30 13:16 ` [OE-core] " Alexander Kanavin 2026-07-01 6:48 ` Roland Kovács 2026-06-30 13:03 ` [master][PATCH 2/2] gnupg: fix CVE-2026-57062 Roland Kovacs
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.