From 29a26efd6f1aa9032c1fe2654601eb3c2c2f172c Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 18 May 2026 17:29:35 +0200 Subject: [PATCH] Update openpgp crate to fix CVE-2026-42784 Resolves: RHEL-177547 --- .gitignore | 2 ++ rust-sequoia-sqv.spec | 13 ++++--------- sequoia-sqv-fix-metadata.diff | 17 ----------------- sources | 4 ++-- vendor.toml | 18 ++++++------------ 5 files changed, 14 insertions(+), 40 deletions(-) delete mode 100644 sequoia-sqv-fix-metadata.diff diff --git a/.gitignore b/.gitignore index 5aa12c5..e6d5ae1 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,5 @@ /sequoia-sqv-1.3.0.crate /sequoia-sqv-1.3.0.1.tar.gz /sequoia-sqv-vendor-1.3.0.1.tar.gz +/sequoia-sqv-1.3.0.2.tar.gz +/sequoia-sqv-vendor-1.3.0.2.tar.gz diff --git a/rust-sequoia-sqv.spec b/rust-sequoia-sqv.spec index edc64fe..829257b 100644 --- a/rust-sequoia-sqv.spec +++ b/rust-sequoia-sqv.spec @@ -6,7 +6,7 @@ %global __brp_mangle_shebangs_exclude_from ^/usr/src/debug/.*$ Name: rust-sequoia-sqv -Version: 1.3.0.1 +Version: 1.3.0.2 Release: %autorelease Summary: Simple OpenPGP signature verification program @@ -14,7 +14,7 @@ License: LGPL-2.0-or-later URL: https://crates.io/crates/sequoia-sqv # The version 1.3.0 upstream + patches from jjelen/pqc branch # Generated using: -# git archive --format=tar.gz --prefix sequoia-sqv-1.3.0.1/ -o sequoia-sqv-1.3.0.1.tar.gz jjelen/pqc +# git archive --format=tar.gz --prefix sequoia-sqv-1.3.0.2/ -o ../sequoia-sqv-1.3.0.2.tar.gz jjelen/pqc Source0: %{crate}-%{version}.tar.gz # Generated using cargo-vendor-filterer: @@ -24,17 +24,13 @@ Source0: %{crate}-%{version}.tar.gz # --platform i686-unknown-linux-gnu \ # --platform s390x-unknown-linux-gnu \ # --all-features -# tar -czf ../%%{crate}-vendor-%%{version}.tar.gz vendor +# tar -czf ../sequoia-sqv-vendor-1.3.0.2.tar.gz vendor Source1: %{crate}-vendor-%{version}.tar.gz Source2: vendor.toml -# Manually created patch for downstream crate metadata changes -# * switch crypto backend from Nettle to OpenSSL -# * exclude files that are only useful for upstream development -# * drop features for unsupported crypto backends -Patch: sequoia-sqv-fix-metadata.diff ExclusiveArch: %{rust_arches} +BuildRequires: clang %if 0%{?rhel} BuildRequires: rust-toolset %else @@ -94,7 +90,6 @@ License: %{shrink: %prep %autosetup -n %{crate}-%{version} -N -a1 -%autopatch -M 99 -p1 %cargo_prep -N # include full configuration for vendored dependencies cat %{SOURCE2} >> .cargo/config.toml diff --git a/sequoia-sqv-fix-metadata.diff b/sequoia-sqv-fix-metadata.diff deleted file mode 100644 index b26c4be..0000000 --- a/sequoia-sqv-fix-metadata.diff +++ /dev/null @@ -1,17 +0,0 @@ ---- sequoia-sqv-1.3.0/Cargo.toml 1970-01-01T00:00:01+00:00 -+++ sequoia-sqv-1.3.0/Cargo.toml 2025-03-08T11:15:16.145149+00:00 -@@ -54,13 +54,9 @@ - bench = false - - [features] --default = ["crypto-nettle"] -+default = ["crypto-openssl"] - crypto-nettle = ["sequoia-openpgp/crypto-nettle"] - crypto-openssl = ["sequoia-openpgp/crypto-openssl"] --crypto-botan = ["sequoia-openpgp/crypto-botan"] --crypto-botan2 = ["sequoia-openpgp/crypto-botan2"] --crypto-cng = ["sequoia-openpgp/crypto-cng"] --crypto-rust = ["sequoia-openpgp/crypto-rust"] - - - [patch.crates-io] diff --git a/sources b/sources index 0ec048f..d63d61b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (sequoia-sqv-1.3.0.1.tar.gz) = 553cb4e8c77a79d9640b4cac99d9365d2bb181d3ae37767b404f36b53f8f47f3e1307094e873570f7b5bfa254480d41abc54245b2cca067b25dce89a25719c48 -SHA512 (sequoia-sqv-vendor-1.3.0.1.tar.gz) = 145bf9ab625700a4db2d1b1d4dc2d8bd5d42df430442fb425b0506322df3fb676284c6a547d632c7d49343af2676b6019c8a00cb5b47d9dbfdfeeaddfe0868d5 +SHA512 (sequoia-sqv-1.3.0.2.tar.gz) = e3a3b9bfff021625099eb2272a4242a37f4c548849664dbc992f20c4f4da5b96f6ff5ed20587f64ebd428024ba4f058e216dcf2af7d192999aaeb31e008e901c +SHA512 (sequoia-sqv-vendor-1.3.0.2.tar.gz) = a004b5e17b2530a21047072301fd8ebb705a76e4784e17865878f82a4d7b4f6d2dfb666c4a62832d95caac1abd9a1217c71c14e230294c1c754709cf895d3774 diff --git a/vendor.toml b/vendor.toml index 8333382..57f57e7 100644 --- a/vendor.toml +++ b/vendor.toml @@ -1,21 +1,15 @@ [source.crates-io] replace-with = "vendored-sources" -[source."git+https://github.com/teythoon/rust-openssl?branch=justus/pqc"] -git = "https://github.com/teythoon/rust-openssl" -branch = "justus/pqc" +[source."git+https://gitlab.com/jjelen/sequoia-policy-config?branch=jjelen/pqc-ossl"] +git = "https://gitlab.com/jjelen/sequoia-policy-config" +branch = "jjelen/pqc-ossl" replace-with = "vendored-sources" -[source."git+https://gitlab.com/sequoia-pgp/sequoia-policy-config?branch=justus/pqc"] -git = "https://gitlab.com/sequoia-pgp/sequoia-policy-config" -branch = "justus/pqc" -replace-with = "vendored-sources" - -[source."git+https://gitlab.com/sequoia-pgp/sequoia?branch=justus/pqc"] -git = "https://gitlab.com/sequoia-pgp/sequoia" -branch = "justus/pqc" +[source."git+https://gitlab.com/jjelen/sequoia?branch=jjelen/pqc-ossl"] +git = "https://gitlab.com/jjelen/sequoia" +branch = "jjelen/pqc-ossl" replace-with = "vendored-sources" [source.vendored-sources] directory = "vendor" -