fix abort when decrypting data with anonymous recipient (#1780057)

gnupg-2.2.18-doublefree.patch

@@ -0,0 +1,55 @@
+diff -up gnupg-2.2.18/g10/pubkey-enc.c.doublefree gnupg-2.2.18/g10/pubkey-enc.c
+--- gnupg-2.2.18/g10/pubkey-enc.c.doublefree	2019-08-21 14:01:03.000000000 +0200
++++ gnupg-2.2.18/g10/pubkey-enc.c	2019-12-06 09:28:41.870321838 +0100
+@@ -114,11 +114,11 @@ get_session_key (ctrl_t ctrl, PKT_pubkey
+ 
+       for (;;)
+         {
+-          free_public_key (sk);
+           sk = xmalloc_clear (sizeof *sk);
+           rc = enum_secret_keys (ctrl, &enum_context, sk);
+           if (rc)
+             {
++              sk = NULL;  /* enum_secret_keys turns SK into a shallow copy! */
+               rc = GPG_ERR_NO_SECKEY;
+               break;
+             }
+@@ -148,10 +148,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey
+             {
+               if (!opt.quiet)
+                 log_info (_("okay, we are the anonymous recipient.\n"));
++              sk = NULL;
+               break;
+             }
+           else if (gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
+-            break; /* Don't try any more secret keys.  */
++            {
++              sk = NULL;
++              break; /* Don't try any more secret keys.  */
++            }
+         }
+       enum_secret_keys (ctrl, &enum_context, NULL);  /* free context */
+     }
+diff -up gnupg-2.2.18/g10/skclist.c.doublefree gnupg-2.2.18/g10/skclist.c
+--- gnupg-2.2.18/g10/skclist.c.doublefree	2019-08-21 14:01:03.000000000 +0200
++++ gnupg-2.2.18/g10/skclist.c	2019-12-06 09:28:41.870321838 +0100
+@@ -292,14 +292,17 @@ build_sk_list (ctrl_t ctrl,
+  * --default-key and --try-secret-key).  Use the following procedure:
+  *
+  *  1) Initialize a void pointer to NULL
+- *  2) Pass a reference to this pointer to this function (content)
+- *     and provide space for the secret key (sk)
++ *  2) Pass a reference to this pointer to this function (CONTEXT)
++ *     and provide space for the secret key (SK)
+  *  3) Call this function as long as it does not return an error (or
+  *     until you are done).  The error code GPG_ERR_EOF indicates the
+  *     end of the listing.
+  *  4) Call this function a last time with SK set to NULL,
+  *     so that can free it's context.
+  *
++ *  TAKE CARE: When the function returns SK belongs to CONTEXT and may
++ *  not be freed by the caller; neither on success nor on error.
++ *
+  * In pseudo-code:
+  *
+  *   void *ctx = NULL;

gnupg2.spec

@@ -7,7 +7,7 @@
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 2.2.18
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 License: GPLv3+
 Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
@@ -22,6 +22,8 @@ Patch5:  gnupg-2.2.16-ocsp-keyusage.patch
 Patch6:  gnupg-2.1.1-fips-algo.patch
 # allow 8192 bit RSA keys in keygen UI with large RSA
 Patch9:  gnupg-2.1.21-large-rsa.patch
+# upstream patch
+Patch10: gnupg-2.2.18-doublefree.patch
 
 URL:     http://www.gnupg.org/
 
@@ -98,6 +100,7 @@ to the base GnuPG package
 %patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
 %patch9 -p1 -b .large-rsa
+%patch10 -p1 -b .doublefree
 
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@@ -204,6 +207,9 @@ make -k check
 
 
 %changelog
+* Fri Dec  6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-2
+- fix abort when decrypting data with anonymous recipient (#1780057)
+
 * Tue Dec  3 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-1
 - upgrade to 2.2.18