import UBI gnupg2-2.3.3-5.el9_7
This commit is contained in:
parent
d446b0027c
commit
d8a9733372
85
SOURCES/gnupg-2.3.3-memcpy.patch
Normal file
85
SOURCES/gnupg-2.3.3-memcpy.patch
Normal file
@ -0,0 +1,85 @@
|
||||
From 115d138ba599328005c5321c0ef9f00355838ca9 Mon Sep 17 00:00:00 2001
|
||||
From: Werner Koch <wk@gnupg.org>
|
||||
Date: Thu, 23 Oct 2025 11:36:04 +0200
|
||||
Subject: [PATCH] gpg: Fix possible memory corruption in the armor parser.
|
||||
|
||||
* g10/armor.c (armor_filter): Fix faulty double increment.
|
||||
|
||||
* common/iobuf.c (underflow_target): Assert that the filter
|
||||
implementations behave well.
|
||||
--
|
||||
|
||||
This fixes a bug in a code path which can only be reached with special
|
||||
crafted input data and would then error out at an upper layer due to
|
||||
corrupt input (every second byte in the buffer is unitialized
|
||||
garbage). No fuzzing has yet hit this case and we don't have a test
|
||||
case for this code path. However memory corruption can never be
|
||||
tolerated as it always has the protential for remode code execution.
|
||||
|
||||
Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
|
||||
Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
|
||||
which fixed
|
||||
Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f
|
||||
|
||||
The bug was introduced on 1999-01-07 by me:
|
||||
* armor.c: Rewrote large parts.
|
||||
which I fixed on 1999-03-02 but missed to fix the other case:
|
||||
* armor.c (armor_filter): Fixed armor bypassing.
|
||||
|
||||
Below is base64+gzipped test data which can be used with valgrind to
|
||||
show access to uninitalized memory in write(2) in the unpatched code.
|
||||
|
||||
--8<---------------cut here---------------start------------->8---
|
||||
H4sICIDd+WgCA3h4AO3QMQ6CQBCG0djOKbY3G05gscYFSRAJt/AExp6Di0cQG0ze
|
||||
a//MV0zOq3Pt+jFN3ZTKfLvP9ZLafqifJUe8juOjeZbVtSkbRPmRgICAgICAgICA
|
||||
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
||||
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
||||
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
||||
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
||||
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
||||
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
|
||||
gICAgICAgICAgICAgICAgICAgICAgICAgMCXF6dYDgAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC7E14AAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwZ94aieId3+8EAA==
|
||||
--8<---------------cut here---------------end--------------->8---
|
||||
---
|
||||
common/iobuf.c | 6 ++++++
|
||||
g10/armor.c | 4 ++--
|
||||
2 files changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/common/iobuf.c b/common/iobuf.c
|
||||
index 8a128b3f6..769df958d 100644
|
||||
--- a/common/iobuf.c
|
||||
+++ b/common/iobuf.c
|
||||
@@ -1939,8 +1939,12 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
|
||||
A->FILTER. */
|
||||
rc = 0;
|
||||
else
|
||||
+ {
|
||||
+ size_t tmplen = len; /* Used to check for bugs in the filter. */
|
||||
rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
|
||||
&a->d.buf[a->d.len], &len);
|
||||
+ log_assert (len <= tmplen);
|
||||
+ }
|
||||
a->d.len += len;
|
||||
|
||||
if (DBG_IOBUF)
|
||||
diff --git a/g10/armor.c b/g10/armor.c
|
||||
index 036b72772..59a6202aa 100644
|
||||
--- a/g10/armor.c
|
||||
+++ b/g10/armor.c
|
||||
@@ -1312,8 +1312,8 @@ armor_filter( void *opaque, int control,
|
||||
n = 0;
|
||||
if( afx->buffer_len ) {
|
||||
/* Copy the data from AFX->BUFFER to BUF. */
|
||||
- for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
|
||||
- buf[n++] = afx->buffer[afx->buffer_pos++];
|
||||
+ for(; n < size && afx->buffer_pos < afx->buffer_len;)
|
||||
+ buf[n++] = afx->buffer[afx->buffer_pos++];
|
||||
if( afx->buffer_pos >= afx->buffer_len )
|
||||
afx->buffer_len = 0;
|
||||
}
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
Summary: Utility for secure communication and data storage
|
||||
Name: gnupg2
|
||||
Version: 2.3.3
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
|
||||
License: GPLv3+
|
||||
Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
|
||||
@ -37,7 +37,8 @@ Patch34: gnupg-2.3.3-aead-packet.patch
|
||||
# Fix ssh-agent behavior in FIPS mode
|
||||
# https://dev.gnupg.org/T5929
|
||||
Patch35: gnupg-2.3.3-ssh-fips.patch
|
||||
|
||||
# https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9
|
||||
Patch36: gnupg-2.3.3-memcpy.patch
|
||||
|
||||
URL: https://www.gnupg.org/
|
||||
|
||||
@ -124,6 +125,7 @@ to the base GnuPG package
|
||||
%patch32 -p1 -b .CVE-2022-34903
|
||||
%patch34 -p1 -b .aead
|
||||
%patch35 -p1 -b .ssh-fips
|
||||
%patch36 -p1 -b .memcpy
|
||||
|
||||
# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
|
||||
# Note: this is just the name of the default shared lib to load in scdaemon,
|
||||
@ -237,6 +239,9 @@ make -k check
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jan 13 2026 Jakub Jelen <jjelen@redhat.com> - 2.3.3-5
|
||||
- Fix CVE-2025-68973 (gpg.fail/memcpy)
|
||||
|
||||
* Wed Apr 19 2023 Jakub Jelen <jjelen@redhat.com> - 2.3.3-4
|
||||
- Revert marking the SHA-1 digest as weak (#2184640)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user