gnupg2/gnupg-2.2.18-doublefree.patch

diff -up gnupg-2.2.18/g10/pubkey-enc.c.doublefree gnupg-2.2.18/g10/pubkey-enc.c
--- gnupg-2.2.18/g10/pubkey-enc.c.doublefree	2019-08-21 14:01:03.000000000 +0200
+++ gnupg-2.2.18/g10/pubkey-enc.c	2019-12-06 09:28:41.870321838 +0100
@@ -114,11 +114,11 @@ get_session_key (ctrl_t ctrl, PKT_pubkey
 
       for (;;)
         {
-          free_public_key (sk);
           sk = xmalloc_clear (sizeof *sk);
           rc = enum_secret_keys (ctrl, &enum_context, sk);
           if (rc)
             {
+              sk = NULL;  /* enum_secret_keys turns SK into a shallow copy! */
               rc = GPG_ERR_NO_SECKEY;
               break;
             }
@@ -148,10 +148,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey
             {
               if (!opt.quiet)
                 log_info (_("okay, we are the anonymous recipient.\n"));
+              sk = NULL;
               break;
             }
           else if (gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
-            break; /* Don't try any more secret keys.  */
+            {
+              sk = NULL;
+              break; /* Don't try any more secret keys.  */
+            }
         }
       enum_secret_keys (ctrl, &enum_context, NULL);  /* free context */
     }
diff -up gnupg-2.2.18/g10/skclist.c.doublefree gnupg-2.2.18/g10/skclist.c
--- gnupg-2.2.18/g10/skclist.c.doublefree	2019-08-21 14:01:03.000000000 +0200
+++ gnupg-2.2.18/g10/skclist.c	2019-12-06 09:28:41.870321838 +0100
@@ -292,14 +292,17 @@ build_sk_list (ctrl_t ctrl,
  * --default-key and --try-secret-key).  Use the following procedure:
  *
  *  1) Initialize a void pointer to NULL
- *  2) Pass a reference to this pointer to this function (content)
- *     and provide space for the secret key (sk)
+ *  2) Pass a reference to this pointer to this function (CONTEXT)
+ *     and provide space for the secret key (SK)
  *  3) Call this function as long as it does not return an error (or
  *     until you are done).  The error code GPG_ERR_EOF indicates the
  *     end of the listing.
  *  4) Call this function a last time with SK set to NULL,
  *     so that can free it's context.
  *
+ *  TAKE CARE: When the function returns SK belongs to CONTEXT and may
+ *  not be freed by the caller; neither on success nor on error.
+ *
  * In pseudo-code:
  *
  *   void *ctx = NULL;