From 3d7be5cb32a7eec048ec04c398dbea1fa2421c68 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Fri, 16 Jan 2026 00:38:35 +0000
Subject: [PATCH] import UBI gnupg2-2.2.20-4.el8_10

---
 .gitignore | 1 +
 .gnupg2.metadata | 1 +
 SOURCES/gnupg-2.2.20.tar.bz2.sig | Bin 954 -> 0 bytes
 SOURCES/gnupg-2.3.3-memcpy.patch | 85 +++++++++++++++++++++++++++++++
 SPECS/gnupg2.spec | 9 +++-
 5 files changed, 94 insertions(+), 2 deletions(-)
 delete mode 100644 SOURCES/gnupg-2.2.20.tar.bz2.sig
 create mode 100644 SOURCES/gnupg-2.3.3-memcpy.patch

diff --git a/.gitignore b/.gitignore
index 22b79aa..83bf1fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 SOURCES/gnupg-2.2.20.tar.bz2
+SOURCES/gnupg-2.2.20.tar.bz2.sig
diff --git a/.gnupg2.metadata b/.gnupg2.metadata
index fe91c4f..b74fded 100644
--- a/.gnupg2.metadata
+++ b/.gnupg2.metadata
@@ -1 +1,2 @@
 d5290f0781df5dc83302127d6065fb59b35e53d7 SOURCES/gnupg-2.2.20.tar.bz2
+87d4b40ff4220949fdc4359afcde44529757a2bc SOURCES/gnupg-2.2.20.tar.bz2.sig
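Review bot: The detached signature `SOURCES/gnupg-2.2.20.tar.bz2.sig` is dropped from git (the deleted binary file in the next section) and is from now on referenced only by its sha1 in `.gnupg2.metadata`, so the lookaside cache rather than git history becomes the record of that signature. None of the spec hunks in this commit show a `Source1:` or a `%{gpgverify}` step that consumes it, so whether the build actually checks the tarball against this signature cannot be confirmed from what is visible here; if it does not, the .sig entry is carried along without providing verification. Worth confirming in the unchanged part of the spec, or adding that step alongside this move.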
diff --git a/SOURCES/gnupg-2.2.20.tar.bz2.sig b/SOURCES/gnupg-2.2.20.tar.bz2.sig deleted file mode 100644 index bb4df27b74ff56349b218017a6c6909a0c564d9e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 954 zcmV;r14aCa1GfYK0SE%279j-KX(1!T23_i24?49Zn>o@?CF8aQ0$z0OcfrCY0GR;| z1WhfAfdL2rsv6RzU)ad~>EVIp;JOl$WiYTxH`s9 zzBXK0+#A#AFc--ULuIss;3!%A6WdrqpbnOlfZLYNZ+#pCU;~o4;EwRXAIBN_`3P$z ztvR&u!lK_kE8`at4FB>SN)bg>2>w8MmtYcLfoy~#DSQSuyD1zx2b-L;ijvNrRUd$= z4!=(ha>MdaMjlNu@;Y#bg@4FHgCw96V?|@rPW{}!E~pLpW-Oe|OYbEj*uDPJOz(Ky zYcP`+Kz^)OZHS+Ut)Prg`$!3a`)I|+$|q1Wfz%Kf=FP<_s^n`HYupfHdf|qkE22q% z++7kO01*KI0kjrZWpZw1av)1@V`v~KWNCABAaiMFDTx791QP)W06zj70|pBT2nPcK z1{DYb2?`4Y76JnS0v-VZ7l0Na1lVaIBg6(>>Rt~zwIrK4(oZGhwgm!S48$1)2^67M zHUJ6<5G0#9(oZGhwg{OA{T-@@T8jQ@DVh@mCujq7%@(+j_P|>vwex0)w!w2Pl3(Z+ z($T6SG8`>LLw^j*!H+yZM5n3!!3${5rgORjD~W`{q?i8gffK;{6{A4*%dPPLxW+nY zEcHH9G7B;dy|-H4nmm*CyE?JEyaubEBO9Iqxg(-376{~#iB#Rg<^y-nFQQZAUQ^#o z$YAvsEy1585J2+5uZ^!5i^u5$fHPAy**83wUvhV>f5f$G;)_u;QFhLL#AMjdLQ+G} zS?v#N;Z#2~zImGD8H<&>m0Vq?aq&P^4UByA1@Wztl(@#GX(sbyTb&k%m15-<87-a6 z)JupRapp!QICg5PasUbm5G0#9(oZGhwodd20GZ`5*oif^TEZhh85B%u;2Itcx95Id zt-}YUZ;eVn_ z!Tt=K3#_MzYYvY=S@h#=+ZhmJ>yk)}^t?L;>0S2t#QrXToex^8^bvo-Slo`Ei>L?i z7pMs~zF0LMDH~R&Ppovy3z>m$V1^&{c(Wjc2Hn5l)Y-^zLZJ<+-@ctQFo(`?2N*$o z&wTkMrKCLvypU6D4;p<)^k)O+1G!_@olrdQSpJ|Qp`+IJdK0!w-;0m1Gx~ZbT&LwJ ct(KnlwK{@hKi%s`?_$vVD(bPMdnYK|O&Zv)!T +Date: Thu, 23 Oct 2025 11:36:04 +0200 +Subject: [PATCH] gpg: Fix possible memory corruption in the armor parser. + +* g10/armor.c (armor_filter): Fix faulty double increment. + +* common/iobuf.c (underflow_target): Assert that the filter +implementations behave well. +-- + +This fixes a bug in a code path which can only be reached with special +crafted input data and would then error out at an upper layer due to +corrupt input (every second byte in the buffer is unitialized +garbage). No fuzzing has yet hit this case and we don't have a test +case for this code path. 
However memory corruption can never be +tolerated as it always has the protential for remode code execution. + +Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a +Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073 +which fixed +Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f + +The bug was introduced on 1999-01-07 by me: +* armor.c: Rewrote large parts. +which I fixed on 1999-03-02 but missed to fix the other case: +* armor.c (armor_filter): Fixed armor bypassing. + +Below is base64+gzipped test data which can be used with valgrind to +show access to uninitalized memory in write(2) in the unpatched code. + +--8<---------------cut here---------------start------------->8--- +H4sICIDd+WgCA3h4AO3QMQ6CQBCG0djOKbY3G05gscYFSRAJt/AExp6Di0cQG0ze +a//MV0zOq3Pt+jFN3ZTKfLvP9ZLafqifJUe8juOjeZbVtSkbRPmRgICAgICAgICA +gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA +gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA +gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA +gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA +gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA +gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA +gICAgICAgICAgICAgICAgICAgICAgICAgMCXF6dYDgAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC7E14AAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwZ94aieId3+8EAA== +--8<---------------cut here---------------end--------------->8--- +--- + common/iobuf.c | 6 ++++++ + g10/armor.c | 4 ++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/common/iobuf.c b/common/iobuf.c +index 8a128b3f6..769df958d 100644 +--- a/common/iobuf.c ++++ b/common/iobuf.c +@@ -1939,8 +1939,12 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target) 
+ A->FILTER. */ + rc = 0; + else ++ { ++ size_t tmplen = len; /* Used to check for bugs in the filter. */ + rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain, + &a->d.buf[a->d.len], &len); ++ log_assert (len <= tmplen); ++ } + a->d.len += len; + + if (DBG_IOBUF) +diff --git a/g10/armor.c b/g10/armor.c +index 036b72772..59a6202aa 100644 +--- a/g10/armor.c ++++ b/g10/armor.c +@@ -1312,8 +1312,8 @@ armor_filter( void *opaque, int control, + n = 0; + if( afx->buffer_len ) { + /* Copy the data from AFX->BUFFER to BUF. */ +- for(; n < size && afx->buffer_pos < afx->buffer_len; n++ ) +- buf[n++] = afx->buffer[afx->buffer_pos++]; ++ for(; n < size && afx->buffer_pos < afx->buffer_len;) ++ buf[n++] = afx->buffer[afx->buffer_pos++]; + if( afx->buffer_pos >= afx->buffer_len ) + afx->buffer_len = 0; + } + diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec index e5616e2..21d44d4 100644 --- a/SPECS/gnupg2.spec +++ b/SPECS/gnupg2.spec @@ -3,7 +3,7 @@ Summary: Utility for secure communication and data storage Name: gnupg2 Version: 2.2.20 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv3+ Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2 @@ -26,7 +26,8 @@ Patch22: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig. Patch23: gnupg-2.2.20-CVE-2022-34903.patch # Fixes for issues found in Coverity scan - reported upstream Patch30: gnupg-2.2.20-coverity.patch - +# https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9 +Patch36: gnupg-2.3.3-memcpy.patch URL: http://www.gnupg.org/ @@ -110,6 +111,7 @@ to the base GnuPG package %patch23 -p1 -b .CVE-2022-34903 %patch30 -p1 -b .coverity +%patch36 -p1 -b .memcpy # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper) # Note: this is just the name of the default shared lib to load in scdaemon, 
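Review bot: The backported patch fixes the double increment in `armor_filter` but carries no regression test, and its own description says neither fuzzing nor the test suite reaches this path, so the spec's `%check` (`make -k check` on the following line) cannot catch a regression or a mis-applied hunk. Since the patch description already includes the base64+gzipped input that triggers the uninitialized-byte read, a small `%check` step that feeds it to the built gpg and expects a clean error (and a clean run under a memory checker where the build environment allows one) would be worth adding. The nested `@@ -1939,8 +1939,12 @@` hunk adds `log_assert (len <= tmplen);`, which turns a filter that overruns its buffer into an abort instead of memory corruption — acceptable, but it changes the failure mode from silent to fatal and deserves a line in the spec comment. The header of this new-file section is not visible on this page (it is lost in the preceding binary residue), so only the patch body was reviewed.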
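Review bot: The new `Patch36` line does not name the CVE it fixes, unlike the neighbouring `Patch23: gnupg-2.2.20-CVE-2022-34903.patch`, and the file name `gnupg-2.3.3-memcpy.patch` carries a version that is neither this package's 2.2.20 nor something a reader can tie to the upstream commit; the `%changelog` entry in the following hunk is the only place CVE-2025-68973 appears. Suggest `# CVE-2025-68973 (gpg.fail/memcpy), backport of https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9` as the comment above `Patch36:` so the CVE is findable from the patch list, and the backup suffix in `%patch36 -p1 -b .memcpy` in the `@@ -110,6 +111,7 @@` hunk would be clearer as `.CVE-2025-68973` to match `%patch23`. The removed blank line before `URL:` is harmless but unrelated to the change.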
@@ -222,6 +224,9 @@ make -k check %changelog +* Tue Jan 13 2026 Jakub Jelen - 2.2.20-4 +- Fix CVE-2025-68973 (gpg.fail/memcpy) + * Wed Aug 03 2022 Jakub Jelen - 2.2.20-3 - Fix CVE-2022-34903 (#2108447)