Mark SHA1 as a weak digest

Resolves: rhbz#2070722
2023-03-30 14:30:10 +02:00 · 2023-03-30 14:30:10 +02:00 · 464efce3c5
commit 464efce3c5
parent eb40c88ada
2 changed files with 28 additions and 0 deletions
--- a/gnupg-2.3.3-disable-sha1.patch
+++ b/gnupg-2.3.3-disable-sha1.patch
@ -0,0 +1,25 @@
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 84706ca6b..74946b0dd 100644
+--- a/g10/gpg.c
+++ b/g10/gpg.c
+@@ -2573,6 +2573,7 @@ main (int argc, char **argv)
+ 
+     /* Set default options which require that malloc stuff is ready.  */
+     additional_weak_digest ("MD5");
+    additional_weak_digest ("SHA1");
+     parse_auto_key_locate (DEFAULT_AKL_LIST);
+ 
+     argc = orig_argc;
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index ceded4af9..277d3c8ca 100644
+--- a/g10/gpgv.c
+++ b/g10/gpgv.c
+@@ -205,6 +205,7 @@ main( int argc, char **argv )
+   dotlock_disable ();
+   gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+   additional_weak_digest("MD5");
+  additional_weak_digest("SHA1");
+   gnupg_initialize_compliance (GNUPG_MODULE_NAME_GPG);
+ 
+   pargs.argc = &argc;
+
--- a/gnupg2.spec
+++ b/gnupg2.spec
@ -31,6 +31,8 @@ Patch30: gnupg-2.2.21-coverity.patch
 Patch31: gnupg-2.3.1-revert-default-eddsa.patch
 # Revert default EdDSA key types
 Patch32: gnupg-2.3.3-CVE-2022-34903.patch
+# Mark SHA-1 weak algorithm to prevent its usage for verification
+Patch33: gnupg-2.3.3-disable-sha1.patch


 URL:     https://www.gnupg.org/
@ -116,6 +118,7 @@ to the base GnuPG package
 %patch30 -p1 -b .coverity
 %patch31 -p1 -R -b .eddsa
 %patch32 -p1 -b .CVE-2022-34903
+%patch33 -p1 -b .sha1

 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,