import CS gnupg2-2.3.3-4.el9

2023-09-21 18:41:20 +00:00 · 2023-09-21 18:41:20 +00:00 · c1034e435b
parent ec9f742138
commit c1034e435b
6 changed files with 91 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/gnupg-2.3.3.tar.bz2
+SOURCES/gnupg-2.3.3.tar.bz2.sig
--- a/.gnupg2.metadata
+++ b/.gnupg2.metadata
@ -1 +1,2 @@
 b19a407076424704f1b00e8265254de1b3061659 SOURCES/gnupg-2.3.3.tar.bz2
+38fed91a8c4b3ba09977ab06567395448b6f1242 SOURCES/gnupg-2.3.3.tar.bz2.sig
--- a/SOURCES/gnupg-2.3.3-aead-packet.patch
+++ b/SOURCES/gnupg-2.3.3-aead-packet.patch
@ -0,0 +1,30 @@
+commit eadf12a52c2e230174e076a0dcae68132094cefe
+Author: Jakub Jelen <jjelen@redhat.com>
+Date:   Thu Feb 24 09:02:53 2022 +0100
+
+    sign: Construct valid AEAD packets.
+    
+    * g10/sign.c (sign_symencrypt_file): Insert correct version and AEAD
+      information into symkey packet.
+    
+    --
+    
+    GnuPG-bug-id: 5856
+    Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+diff --git a/g10/sign.c b/g10/sign.c
+index bbcfabdb7..2ab76c99b 100644
+--- a/g10/sign.c
+++ b/g10/sign.c
+@@ -1660,8 +1660,9 @@ sign_symencrypt_file (ctrl_t ctrl, const char *fname, strlist_t locusr)
+   {
+     PKT_symkey_enc *enc = xmalloc_clear( sizeof *enc );
+ 
+-    enc->version = 4;
+    enc->version = cfx.dek->use_aead ? 5 : 4;
+     enc->cipher_algo = cfx.dek->algo;
+    enc->aead_algo = cfx.dek->use_aead;
+     enc->s2k = *s2k;
+     pkt.pkttype = PKT_SYMKEY_ENC;
+     pkt.pkt.symkey_enc = enc;
+
--- a/SOURCES/gnupg-2.3.3-ssh-fips.patch
+++ b/SOURCES/gnupg-2.3.3-ssh-fips.patch
@ -0,0 +1,42 @@
+From c4436ebfa58f219190f1244928001b4293293343 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 12 Apr 2022 16:26:58 +0200
+Subject: [PATCH GnuPG] agent: Ignore MD5 Fingerprints for ssh keys
+
+--
+* agent/command-ssh.c (add_control_entry): Ignore failure of the MD5
+  digest
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ agent/command-ssh.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/agent/command-ssh.c b/agent/command-ssh.c
+index a7784e728..46821e3c8 100644
+--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
+@@ -1095,8 +1095,9 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
+       time_t atime = time (NULL);
+ 
+       err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr_md5);
+      /* ignore the errors as MD5 is not available in FIPS mode */
+       if (err)
+-        goto out;
+        fpr_md5 = NULL;
+ 
+       err = ssh_get_fingerprint_string (key, GCRY_MD_SHA256, &fpr_sha256);
+       if (err)
+@@ -1113,7 +1114,8 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
+                spec->name,
+                1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
+                tp->tm_hour, tp->tm_min, tp->tm_sec,
+-               fpr_md5, fpr_sha256, hexgrip, ttl, confirm? " confirm":"");
+               fpr_md5? fpr_md5:"", fpr_sha256, hexgrip, ttl,
+               confirm? " confirm":"");
+ 
+     }
+  out:
+-- 
+2.39.2
+
--- a/SOURCES/gnupg-2.3.3.tar.bz2.sig
+++ b/SOURCES/gnupg-2.3.3.tar.bz2.sig
--- a/SPECS/gnupg2.spec
+++ b/SPECS/gnupg2.spec
@ -7,7 +7,7 @@
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 2.3.3
-Release: 2%{?dist}
+Release: 4%{?dist}

 License: GPLv3+
 Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
@ -31,6 +31,12 @@ Patch30: gnupg-2.2.21-coverity.patch
 Patch31: gnupg-2.3.1-revert-default-eddsa.patch
 # Revert default EdDSA key types
 Patch32: gnupg-2.3.3-CVE-2022-34903.patch
+# Fix AEAD packet construction
+# https://dev.gnupg.org/T5856
+Patch34: gnupg-2.3.3-aead-packet.patch
+# Fix ssh-agent behavior in FIPS mode
+# https://dev.gnupg.org/T5929
+Patch35: gnupg-2.3.3-ssh-fips.patch


 URL:     https://www.gnupg.org/
@ -116,6 +122,8 @@ to the base GnuPG package
 %patch30 -p1 -b .coverity
 %patch31 -p1 -R -b .eddsa
 %patch32 -p1 -b .CVE-2022-34903
+%patch34 -p1 -b .aead
+%patch35 -p1 -b .ssh-fips

 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@ -229,6 +237,14 @@ make -k check


 %changelog
+* Wed Apr 19 2023 Jakub Jelen <jjelen@redhat.com> - 2.3.3-4
+- Revert marking the SHA-1 digest as weak (#2184640)
+
+* Thu Mar 30 2023 Jakub Jelen <jjelen@redhat.com> - 2.3.3-3
+- Mark SHA-1 digest as weak to follow SHA-1 disablement in RHEL9 (#2070722)
+- Fix interaction with SSH by not requiring the MD5 digest (#2073567)
+- Fix creation of AEAD packets (#2128058)
+
 * Wed Aug 03 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.3-2
 - Fix CVE-2022-34903 (#2108449)