From d7747268e4afbcd9576101d8a13162caa4917304 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 6 Dec 2019 09:30:05 +0100
Subject: [PATCH] fix abort when decrypting data with anonymous recipient (#1780057)
---
 gnupg-2.2.18-doublefree.patch | 55 +++++++++++++++++++++++++++++++++++
 gnupg2.spec | 8 ++++-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 gnupg-2.2.18-doublefree.patch
diff --git a/gnupg-2.2.18-doublefree.patch b/gnupg-2.2.18-doublefree.patch
new file mode 100644
index 0000000..8c8d00e
--- /dev/null
+++ b/gnupg-2.2.18-doublefree.patch
@@ -0,0 +1,55 @@
+diff -up gnupg-2.2.18/g10/pubkey-enc.c.doublefree gnupg-2.2.18/g10/pubkey-enc.c
+--- gnupg-2.2.18/g10/pubkey-enc.c.doublefree 2019-08-21 14:01:03.000000000 +0200
++++ gnupg-2.2.18/g10/pubkey-enc.c 2019-12-06 09:28:41.870321838 +0100
+@@ -114,11 +114,11 @@ get_session_key (ctrl_t ctrl, PKT_pubkey
+
+ for (;;)
+ {
+- free_public_key (sk);
+ sk = xmalloc_clear (sizeof *sk);
+ rc = enum_secret_keys (ctrl, &enum_context, sk);
+ if (rc)
+ {
++ sk = NULL; /* enum_secret_keys turns SK into a shallow copy! */
+ rc = GPG_ERR_NO_SECKEY;
+ break;
+ }
+@@ -148,10 +148,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey
+ {
+ if (!opt.quiet)
+ log_info (_("okay, we are the anonymous recipient.\n"));
++ sk = NULL;
+ break;
+ }
+ else if (gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
+- break; /* Don't try any more secret keys. */
++ {
++ sk = NULL;
++ break; /* Don't try any more secret keys. */
++ }
+ }
+ enum_secret_keys (ctrl, &enum_context, NULL); /* free context */
+ }
+diff -up gnupg-2.2.18/g10/skclist.c.doublefree gnupg-2.2.18/g10/skclist.c
+--- gnupg-2.2.18/g10/skclist.c.doublefree 2019-08-21 14:01:03.000000000 +0200
++++ gnupg-2.2.18/g10/skclist.c 2019-12-06 09:28:41.870321838 +0100
+@@ -292,14 +292,17 @@ build_sk_list (ctrl_t ctrl,
+ * --default-key and --try-secret-key). Use the following procedure:
+ *
+ * 1) Initialize a void pointer to NULL
+- * 2) Pass a reference to this pointer to this function (content)
+- * and provide space for the secret key (sk)
++ * 2) Pass a reference to this pointer to this function (CONTEXT)
++ * and provide space for the secret key (SK)
+ * 3) Call this function as long as it does not return an error (or
+ * until you are done). The error code GPG_ERR_EOF indicates the
+ * end of the listing.
+ * 4) Call this function a last time with SK set to NULL,
+ * so that can free it's context.
+ *
++ * TAKE CARE: When the function returns SK belongs to CONTEXT and may
++ * not be freed by the caller; neither on success nor on error.
++ *
+ * In pseudo-code:
+ *
+ * void *ctx = NULL;
diff --git a/gnupg2.spec b/gnupg2.spec
index 774ca17..bd5a7b6 100644
--- a/gnupg2.spec
+++ b/gnupg2.spec
@@ -7,7 +7,7 @@ Summary: Utility for secure communication and data storage
 Name: gnupg2
 Version: 2.2.18
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv3+
 Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
@@ -22,6 +22,8 @@ Patch5: gnupg-2.2.16-ocsp-keyusage.patch
 Patch6: gnupg-2.1.1-fips-algo.patch
 # allow 8192 bit RSA keys in keygen UI with large RSA
 Patch9: gnupg-2.1.21-large-rsa.patch
+# upstream patch
+Patch10: gnupg-2.2.18-doublefree.patch
 URL: http://www.gnupg.org/
@@ -98,6 +100,7 @@ to the base GnuPG package
 %patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
 %patch9 -p1 -b .large-rsa
+%patch10 -p1 -b .doublefree
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@@ -204,6 +207,9 @@ make -k check
 %changelog
+* Fri Dec 6 2019 Tomáš Mráz - 2.2.18-2
+- fix abort when decrypting data with anonymous recipient (#1780057)
+
 * Tue Dec 3 2019 Tomáš Mráz - 2.2.18-1
 - upgrade to 2.2.18
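Review bot: In the pubkey-enc.c part of the added patch, the ownership rule that prevents the double free is enforced by hand at each `break` with three separate `sk = NULL;` assignments, and only the first one carries a comment saying why. The two in the second nested hunk (the anonymous-recipient success path and the `GPG_ERR_FULLY_CANCELED` path) should state it as well, e.g. `sk = NULL; /* SK is owned by ENUM_CONTEXT now; must not be freed here. */`, so that an exit path added to the loop later is not written without the reset. With `free_public_key (sk)` removed from the top of the loop, every iteration hands a fresh `xmalloc_clear` allocation to `enum_secret_keys`; the lines between the two nested hunks are not shown, so it should be confirmed that any `continue` there leaves that allocation to be released by the final `enum_secret_keys (ctrl, &enum_context, NULL)` call rather than leaking it. get_session_key starts and ends outside the nested hunks.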
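Review bot: The `# upstream patch` comment above `Patch10` names no upstream reference, so the added gnupg-2.2.18-doublefree.patch cannot be traced back to the change it is said to come from. The patch file is in `diff -up` form with `.doublefree` backup names rather than a git export, so it cannot be matched to an upstream commit by hash either. Record the origin in the comment, e.g. `# upstream patch: <UPSTREAM-COMMIT-ID-OR-URL>`, next to the bug number the changelog entry already gives.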