From: Roland Kovacs <roland.kovacs@est.tech>
To: openembedded-core@lists.openembedded.org
Subject: [wrynose][PATCH 2/2] gnupg: fix CVE-2026-57062
Date: Tue, 30 Jun 2026 15:03:58 +0200 [thread overview]
Message-ID: <20260630130358.71091-3-roland.kovacs@est.tech> (raw)
In-Reply-To: <20260630130358.71091-1-roland.kovacs@est.tech>
CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20
mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be
12 bytes but 4 bytes is accepted.
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
---
.../gnupg/gnupg/CVE-2026-57062.patch | 43 +++++++++++++++++++
meta/recipes-support/gnupg/gnupg_2.5.20.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
new file mode 100644
index 0000000000..f298b6e9a8
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch
@@ -0,0 +1,43 @@
+From d586f50ee849c8cbeaea47b50c64446c1becbf9b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 18 Jun 2026 10:51:34 +0200
+Subject: [PATCH] gpgsm: Require a minimum tag length for GCM decryption.
+
+* sm/decrypt.c (gpgsm_decrypt): Require a minimum authtaglen.
+--
+
+Reported-by: Thai Duong <thai@calif.io>
+This is similar to OpenSSL's
+CVE-id: CVE-2026-34182
+
+CVE: CVE-2026-57062
+Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4]
+
+Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
+---
+ sm/decrypt.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sm/decrypt.c b/sm/decrypt.c
+index 20fb96060..92a33c6e6 100644
+--- a/sm/decrypt.c
++++ b/sm/decrypt.c
+@@ -1447,7 +1447,14 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t out_fp)
+ }
+ if (DBG_CRYPTO)
+ log_printhex (authtag, authtaglen, "Authtag ...:");
+- rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen);
++ if (authtaglen < 12)
++ {
++ log_info ("authentication tag is too short (%zu octets)\n",
++ authtaglen);
++ rc = gpg_error (GPG_ERR_CHECKSUM);
++ }
++ else
++ rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen);
+ xfree (authtag);
+ if (rc)
+ log_error ("data is not authentic: %s\n", gpg_strerror (rc));
+--
+2.34.1
+
diff --git a/meta/recipes-support/gnupg/gnupg_2.5.20.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
index a1a50e2384..e373265c48 100644
--- a/meta/recipes-support/gnupg/gnupg_2.5.20.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb
@@ -20,6 +20,7 @@ SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87"
SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0002-use-pkgconfig-instead-of-npth-config.patch \
file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+ file://CVE-2026-57062.patch \
"
SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
file://relocate.patch"
--
2.34.1
prev parent reply other threads:[~2026-06-30 13:04 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 13:03 [wrynose][PATCH 0/2] gnupg update and fix outstanding CVE Roland Kovacs
2026-06-30 13:03 ` [wrynose][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Roland Kovacs
2026-06-30 13:19 ` [OE-core] " Yoann Congal
2026-07-01 6:51 ` Roland Kovács
2026-07-01 7:48 ` Yoann Congal
2026-06-30 13:03 ` Roland Kovacs [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630130358.71091-3-roland.kovacs@est.tech \
--to=roland.kovacs@est.tech \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox