fix static analysis findings (RHEL-44568)

Resolves: RHEL-44568

gpgme-1.23.2-sast_fix1.patch

@@ -0,0 +1,67 @@
+diff --git a/src/gpgme-tool.c b/src/gpgme-tool.c
+index 0aa24510..c276202e 100644
+--- a/src/gpgme-tool.c
++++ b/src/gpgme-tool.c
+@@ -1440,7 +1440,7 @@ gt_set_keylist_mode (gpgme_tool_t gt, gpgme_keylist_mode_t keylist_mode)
+ gpg_error_t
+ gt_get_keylist_mode (gpgme_tool_t gt)
+ {
+-#define NR_KEYLIST_MODES 6
++#define NR_KEYLIST_MODES 11
+   const char *modes[NR_KEYLIST_MODES + 1];
+   int idx = 0;
+   gpgme_keylist_mode_t mode = gpgme_get_keylist_mode (gt->ctx);
+@@ -1455,16 +1455,23 @@ gt_get_keylist_mode (gpgme_tool_t gt)
+     modes[idx++] = "sig_notations";
+   if (mode & GPGME_KEYLIST_MODE_WITH_SECRET)
+     modes[idx++] = "with_secret";
++  if (mode & GPGME_KEYLIST_MODE_WITH_TOFU)
++    modes[idx++] = "with_tofu";
++  if (mode & GPGME_KEYLIST_MODE_WITH_KEYGRIP)
++    modes[idx++] = "with_keygrip";
+   if (mode & GPGME_KEYLIST_MODE_EPHEMERAL)
+     modes[idx++] = "ephemeral";
+   if (mode & GPGME_KEYLIST_MODE_VALIDATE)
+     modes[idx++] = "validate";
+   if (mode & GPGME_KEYLIST_MODE_FORCE_EXTERN)
+     modes[idx++] = "force_extern";
++  if (mode & GPGME_KEYLIST_MODE_WITH_V5FPR)
++    modes[idx++] = "with_v5fpr";
+   modes[idx++] = NULL;
+ 
+   gt_write_status (gt, STATUS_KEYLIST_MODE, modes[0], modes[1], modes[2],
+-		   modes[3], modes[4], modes[5], modes[6], NULL);
++                   modes[3], modes[4], modes[5], modes[6], modes[7], modes[8],
++                   modes[9], modes[10], NULL);
+ 
+   return 0;
+ }
+@@ -2188,7 +2195,8 @@ cmd_include_certs (assuan_context_t ctx, char *line)
+ 
+ static const char hlp_keylist_mode[] =
+   "KEYLIST_MODE [local] [extern] [sigs] [sig_notations]\n"
+-  "  [ephemeral] [validate]\n"
++  "  [with_secret] [with_tofu] [with_keygrip] [ephemeral]\n"
++  "  [validate] [force_extern] [with_v5fpr]\n"
+   "\n"
+   "Set the mode for the next KEYLIST command.";
+ static gpg_error_t
+@@ -2210,12 +2218,18 @@ cmd_keylist_mode (assuan_context_t ctx, char *line)
+ 	mode |= GPGME_KEYLIST_MODE_SIG_NOTATIONS;
+       if (strstr (line, "with_secret"))
+ 	mode |= GPGME_KEYLIST_MODE_WITH_SECRET;
++      if (strstr (line, "with_tofu"))
++	mode |= GPGME_KEYLIST_MODE_WITH_TOFU;
++      if (strstr (line, "with_keygrip"))
++	mode |= GPGME_KEYLIST_MODE_WITH_KEYGRIP;
+       if (strstr (line, "ephemeral"))
+ 	mode |= GPGME_KEYLIST_MODE_EPHEMERAL;
+       if (strstr (line, "validate"))
+ 	mode |= GPGME_KEYLIST_MODE_VALIDATE;
+       if (strstr (line, "force_extern"))
+ 	mode |= GPGME_KEYLIST_MODE_FORCE_EXTERN;
++      if (strstr (line, "with_v5fpr"))
++	mode |= GPGME_KEYLIST_MODE_WITH_V5FPR;
+ 
+       return gt_set_keylist_mode (server->gt, mode);
+     }

gpgme-1.23.2-sast_fix2.patch

@@ -0,0 +1,39 @@
+diff -up gpgme-1.23.2/src/engine.c.sast_fix2 gpgme-1.23.2/src/engine.c
+--- gpgme-1.23.2/src/engine.c.sast_fix2	2024-08-05 17:31:46.790089148 +0200
++++ gpgme-1.23.2/src/engine.c	2024-08-05 17:34:55.788069948 +0200
+@@ -73,7 +73,7 @@ static char *engine_minimal_version;
+ static const char *
+ engine_get_file_name (gpgme_protocol_t proto)
+ {
+-  if (proto > DIM (engine_ops))
++  if (proto >= DIM (engine_ops))
+     return NULL;
+ 
+   if (engine_ops[proto] && engine_ops[proto]->get_file_name)
+@@ -103,7 +103,7 @@ engine_get_home_dir (gpgme_protocol_t pr
+ static char *
+ engine_get_version (gpgme_protocol_t proto, const char *file_name)
+ {
+-  if (proto > DIM (engine_ops))
++  if (proto >= DIM (engine_ops))
+     return NULL;
+ 
+   if (engine_ops[proto] && engine_ops[proto]->get_version)
+@@ -118,7 +118,7 @@ engine_get_version (gpgme_protocol_t pro
+ static const char *
+ engine_get_req_version (gpgme_protocol_t proto)
+ {
+-  if (proto > DIM (engine_ops))
++  if (proto >= DIM (engine_ops))
+     return NULL;
+ 
+   if (engine_ops[proto] && engine_ops[proto]->get_req_version)
+@@ -403,7 +403,7 @@ _gpgme_set_engine_info (gpgme_engine_inf
+   char *new_version;
+ 
+   /* FIXME: Use some PROTO_MAX definition.  */
+-  if (proto > DIM (engine_ops))
++  if (proto >= DIM (engine_ops))
+     return gpg_error (GPG_ERR_INV_VALUE);
+ 
+   while (info && info->protocol != proto)

gpgme.spec

@@ -12,7 +12,7 @@
 Name:           gpgme
 Summary:        GnuPG Made Easy - high level crypto API
 Version:        1.23.2
-Release:        %autorelease
+Release:        5%{?dist}
 
 # MIT: src/cJSON.{c,h} (used by gpgme-json)
 License:        LGPL-2.1-or-later AND MIT
@@ -32,11 +32,15 @@ Patch1003:      0001-fix-stupid-ax_python_devel.patch
 # Allow extra options to be passed to setup.py during installation
 Patch1004:      0002-setup_py_extra_opts.patch
 
+# from upstream for gpgme <= 1.23.2 fix sast issue #RHEL-44468
+Patch1005:      gpgme-1.23.2-sast_fix1.patch
+# second part of sast fix, not yet upstream atm, #RHEL-44468
+Patch1006:      gpgme-1.23.2-sast_fix2.patch
+
 ## temporary downstream fixes
 # Skip lang/qt/tests/t-remarks on gnupg 2.4+
 Patch3001:      1001-qt-skip-test-remarks-for-gnupg2-2.4.patch
 
-
 BuildRequires:  make
 BuildRequires:  cmake
 BuildRequires:  gcc