import UBI gnupg2-2.3.3-4.el9

eabdullin 2023-11-07 11:24:55 +00:00
parent e0b464e0c2
commit d446b0027c
6 changed files with 91 additions and 1 deletions

1
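--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 SOURCES/gnupg-2.3.3.tar.bz2
+SOURCES/gnupg-2.3.3.tar.bz2.sig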


@ -1 +1,2 @@
b19a407076424704f1b00e8265254de1b3061659 SOURCES/gnupg-2.3.3.tar.bz2 b19a407076424704f1b00e8265254de1b3061659 SOURCES/gnupg-2.3.3.tar.bz2
38fed91a8c4b3ba09977ab06567395448b6f1242 SOURCES/gnupg-2.3.3.tar.bz2.sig


@ -0,0 +1,30 @@
commit eadf12a52c2e230174e076a0dcae68132094cefe
Author: Jakub Jelen <jjelen@redhat.com>
Date: Thu Feb 24 09:02:53 2022 +0100
sign: Construct valid AEAD packets.
* g10/sign.c (sign_symencrypt_file): Insert correct version and AEAD
information into symkey packet.
--
GnuPG-bug-id: 5856
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
diff --git a/g10/sign.c b/g10/sign.c
index bbcfabdb7..2ab76c99b 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -1660,8 +1660,9 @@ sign_symencrypt_file (ctrl_t ctrl, const char *fname, strlist_t locusr)
{
PKT_symkey_enc *enc = xmalloc_clear( sizeof *enc );
- enc->version = 4;
+ enc->version = cfx.dek->use_aead ? 5 : 4;
enc->cipher_algo = cfx.dek->algo;
+ enc->aead_algo = cfx.dek->use_aead;
enc->s2k = *s2k;
pkt.pkttype = PKT_SYMKEY_ENC;
pkt.pkt.symkey_enc = enc;
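Review bot: In sign_symencrypt_file, `cfx.dek->use_aead` is read once as a truth value to choose the packet version and once as the value stored in `enc->aead_algo`, which is only correct if the field carries the AEAD algorithm id with 0 meaning "no AEAD". A short comment above the two assignments would make that contract explicit, for example `/* use_aead holds the AEAD algo id (0 = none); AEAD requires a v5 symkey packet. */`. The hunk does not show where `use_aead` is set, so confirm it is never a plain 1/0 flag on this path, otherwise the packet would advertise the wrong algorithm. The function body starts and ends outside the hunk.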


@ -0,0 +1,42 @@
From c4436ebfa58f219190f1244928001b4293293343 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 12 Apr 2022 16:26:58 +0200
Subject: [PATCH GnuPG] agent: Ignore MD5 Fingerprints for ssh keys
--
* agent/command-ssh.c (add_control_entry): Ignore failure of the MD5
digest
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
agent/command-ssh.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index a7784e728..46821e3c8 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -1095,8 +1095,9 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
time_t atime = time (NULL);
err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr_md5);
+ /* ignore the errors as MD5 is not available in FIPS mode */
if (err)
- goto out;
+ fpr_md5 = NULL;
err = ssh_get_fingerprint_string (key, GCRY_MD_SHA256, &fpr_sha256);
if (err)
@@ -1113,7 +1114,8 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
spec->name,
1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
tp->tm_hour, tp->tm_min, tp->tm_sec,
- fpr_md5, fpr_sha256, hexgrip, ttl, confirm? " confirm":"");
+ fpr_md5? fpr_md5:"", fpr_sha256, hexgrip, ttl,
+ confirm? " confirm":"");
}
out:
--
2.39.2
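Review bot: The new `if (err) fpr_md5 = NULL;` in add_control_entry swallows every failure of the MD5 fingerprint call, not only the FIPS case named in the comment, so an allocation or key-encoding error is hidden at this point and is only caught if the SHA-256 call happens to fail the same way. Consider narrowing the fallback, e.g. `if (err && !gcry_fips_mode_active ()) goto out;`, and logging when the MD5 fingerprint is skipped. In the second hunk the control-file entry is then written with an empty MD5 field; the format string is outside the hunk, so check that whatever reads that line tolerates an empty value. The function body and the `out:` cleanup continue outside both hunks.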

Binary file not shown.


@ -7,7 +7,7 @@
Summary: Utility for secure communication and data storage Summary: Utility for secure communication and data storage
Name: gnupg2 Name: gnupg2
Version: 2.3.3 Version: 2.3.3
Release: 2%{?dist} Release: 4%{?dist}
License: GPLv3+ License: GPLv3+
Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2 Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
@ -31,6 +31,12 @@ Patch30: gnupg-2.2.21-coverity.patch
Patch31: gnupg-2.3.1-revert-default-eddsa.patch Patch31: gnupg-2.3.1-revert-default-eddsa.patch
# Revert default EdDSA key types # Revert default EdDSA key types
Patch32: gnupg-2.3.3-CVE-2022-34903.patch Patch32: gnupg-2.3.3-CVE-2022-34903.patch
# Fix AEAD packet construction
# https://dev.gnupg.org/T5856
Patch34: gnupg-2.3.3-aead-packet.patch
# Fix ssh-agent behavior in FIPS mode
# https://dev.gnupg.org/T5929
Patch35: gnupg-2.3.3-ssh-fips.patch
URL: https://www.gnupg.org/ URL: https://www.gnupg.org/
@ -116,6 +122,8 @@ to the base GnuPG package
%patch30 -p1 -b .coverity %patch30 -p1 -b .coverity
%patch31 -p1 -R -b .eddsa %patch31 -p1 -R -b .eddsa
%patch32 -p1 -b .CVE-2022-34903 %patch32 -p1 -b .CVE-2022-34903
%patch34 -p1 -b .aead
%patch35 -p1 -b .ssh-fips
# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper) # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
# Note: this is just the name of the default shared lib to load in scdaemon, # Note: this is just the name of the default shared lib to load in scdaemon,
@ -229,6 +237,14 @@ make -k check
%changelog %changelog
* Wed Apr 19 2023 Jakub Jelen <jjelen@redhat.com> - 2.3.3-4
- Revert marking the SHA-1 digest as weak (#2184640)
* Thu Mar 30 2023 Jakub Jelen <jjelen@redhat.com> - 2.3.3-3
- Mark SHA-1 digest as weak to follow SHA-1 disablement in RHEL9 (#2070722)
- Fix interaction with SSH by not requiring the MD5 digest (#2073567)
- Fix creation of AEAD packets (#2128058)
* Wed Aug 03 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.3-2 * Wed Aug 03 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.3-2
- Fix CVE-2022-34903 (#2108449) - Fix CVE-2022-34903 (#2108449)
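Review bot: Nothing in the visible spec hunks verifies the newly tracked `SOURCES/gnupg-2.3.3.tar.bz2.sig`: no `Source` entry is added for it and no check appears in `%prep`, so from this page the signature looks stored but unused. If the spec does not already do this outside the hunks shown, verify the tarball before `%setup`, for example `%{gpgverify} --keyring='%{SOURCE<keyring>}' --signature='%{SOURCE<sig>}' --data='%{SOURCE0}'` (the source numbers are placeholders). Separately, the numbering jumps from `Patch32` to `Patch34`; a one-line comment saying why 33 is absent, presumably because of the SHA-1 revert in the 2.3.3-4 changelog entry, would save the next maintainer a search.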