Openembedded Core Discussions
* [sumo] [PATCH v1] gnupg: CVE-2018-9234
From: Sinan Kaya @ 2018-09-24 15:02 UTC
  To: openembedded-core

* CVE-2018-9234
GnuPG 2.2.4 and 2.2.5 do not enforce a configuration in which key
certification requires an offline master Certify key, which results
in apparently valid certifications that occurred only with access to
a signing subkey.

Affects gnupg <= 2.2.5

CVE: CVE-2018-9234
Ref: https://access.redhat.com/security/cve/cve-2018-9234
Signed-off-by: Sinan Kaya <okaya@kernel.org>
---
 .../gnupg/gnupg/CVE-2018-9234.patch           | 27 +++++++++++++++++++
 meta/recipes-support/gnupg/gnupg_2.2.4.bb     |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2018-9234.patch

diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2018-9234.patch b/meta/recipes-support/gnupg/gnupg/CVE-2018-9234.patch
new file mode 100644
index 0000000000..458616ee1d
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2018-9234.patch
@@ -0,0 +1,27 @@
+From ce055269c80f6e7c1393c0deec7bc5f0d37895ea Mon Sep 17 00:00:00 2001
+From: Sinan Kaya <okaya@kernel.org>
+Date: Sun, 23 Sep 2018 04:05:47 +0000
+Subject: [PATCH] g10: Fix filtering by PK->REQ_USAGE
+
+Upstream-Status: backport [https://dev.gnupg.org/rGa17d2d1f690ebe5d005b4589a5fe378b6487c657]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ g10/getkey.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/g10/getkey.c b/g10/getkey.c
+index e31e023..ca2500c 100644
+--- a/g10/getkey.c
++++ b/g10/getkey.c
+@@ -1810,6 +1810,8 @@ get_pubkey_byfprint (ctrl_t ctrl, PKT_public_key *pk, kbnode_t *r_keyblock,
+       ctx.items[0].mode = fprint_len == 16 ? KEYDB_SEARCH_MODE_FPR16
+ 	: KEYDB_SEARCH_MODE_FPR20;
+       memcpy (ctx.items[0].u.fpr, fprint, fprint_len);
++      if (pk)
++        ctx.req_usage = pk->req_usage;
+       rc = lookup (ctrl, &ctx, 0, &kb, &found_key);
+       if (!rc && pk)
+ 	pk_from_block (pk, kb, found_key);
+-- 
+2.19.0
+
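Review bot: The `Upstream-Status: backport [...]` line in the header of the new CVE-2018-9234.patch starts the status with a lowercase letter; write it as `Upstream-Status: Backport [https://dev.gnupg.org/rGa17d2d1f690ebe5d005b4589a5fe378b6487c657]` so it matches the capitalised status names. The embedded patch header also carries no `CVE: CVE-2018-9234` tag (only the outer commit message has one), and its `From:` and `Date:` lines name the backporter and the backport date although the change is marked as an upstream backport, so the upstream author and commit message are not preserved; adding the CVE tag and keeping the upstream authorship would make the fix traceable from the patch file alone. In the code itself, `ctx.req_usage` is assigned only when `pk` is non-NULL, so callers that pass a NULL `pk` to `get_pubkey_byfprint` get no `req_usage` set at this point; that is consistent with the `if (!rc && pk)` guard below it, but it is worth confirming against the upstream commit that this is the intended scope of the fix.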
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.4.bb b/meta/recipes-support/gnupg/gnupg_2.2.4.bb
index d6bfaff377..d777fcb122 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.4.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0003-dirmngr-uses-libgpg-error.patch \
            file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
            file://CVE-2018-12020.patch \
+           file://CVE-2018-9234.patch \
           "
 SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch"
 
-- 
2.19.0




* ✗ patchtest: failure for gnupg: CVE-2018-9234
From: Patchwork @ 2018-09-24 15:36 UTC
  To: Sinan Kaya; +Cc: openembedded-core

== Series Details ==

Series: gnupg: CVE-2018-9234
Revision: 1
URL   : https://patchwork.openembedded.org/series/14197/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Upstream-Status is in incorrect format [test_upstream_status_presence_format] 
  Suggested fix    Fix Upstream-Status format in CVE-2018-9234.patch
  Current          Upstream-Status: backport [https://dev.gnupg.org/rGa17d2d1f690ebe5d005b4589a5fe378b6487c657]
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe


