From 76c14f12ff87926d607a1d1da435a557d735c2d5 Mon Sep 17 00:00:00 2001
From: yixiangzhike
Date: Thu, 21 Aug 2025 16:38:11 +0800
Subject: [PATCH] Fix read buffer over-read in uncompress_ecc_q_in_canon_sexp
(cherry picked from commit acffcaf4ea5d828c5958cf5300a025a13f126f19)
---
 ...buffer-over-read-in-uncompress_ecc_q.patch | 39 +++++++++++++++++++
 gnupg2.spec | 6 ++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
diff --git a/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch b/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
new file mode 100644
index 0000000..617451a
--- /dev/null
+++ b/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
@@ -0,0 +1,39 @@
+From f3dfbe3fcdc0329fcc11524538d6f78beb94cde8 Mon Sep 17 00:00:00 2001
+From: Collin Funk via Gnupg-devel
+Date: Fri, 23 May 2025 23:52:46 -0700
+Subject: [PATCH] common: Fix read buffer over-read in
+ uncompress_ecc_q_in_canon_sexp.
+
+* common/sexputil.c (uncompress_ecc_q_in_canon_sexp): Only call memcmp
+if the lengths are equal.
+
+--
+
+GnuPG-bug-id: 7662
+Signed-off-by: Collin Funk
+---
+ common/sexputil.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/sexputil.c b/common/sexputil.c
+index b97e174a1..349c38333 100644
+--- a/common/sexputil.c
++++ b/common/sexputil.c
+@@ -784,11 +784,11 @@ uncompress_ecc_q_in_canon_sexp (const unsigned char *keydata,
+ return err;
+ if (!tok)
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+- else if (toklen == 10 || !memcmp ("public-key", tok, toklen))
++ else if (toklen == 10 && !memcmp ("public-key", tok, toklen))
+ ;
+- else if (toklen == 11 || !memcmp ("private-key", tok, toklen))
++ else if (toklen == 11 && !memcmp ("private-key", tok, toklen))
+ ;
+- else if (toklen == 20 || !memcmp ("shadowed-private-key", tok, toklen))
++ else if (toklen == 20 && !memcmp ("shadowed-private-key", tok, toklen))
+ ;
+ else
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+--
+2.43.0
+
diff --git a/gnupg2.spec b/gnupg2.spec
index 08c2fb9..e216f44 100644
--- a/gnupg2.spec
+++ b/gnupg2.spec
@@ -1,6 +1,6 @@
 Name: gnupg2
 Version: 2.2.32
-Release: 7
+Release: 8
 Summary: Utility for secure communication and data storage
 License: GPLv3+
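Review bot: In the embedded common/sexputil.c hunk, the three rewritten `else if` tests still pair hand-counted lengths (10, 11, 20) with string literals, so a later edit to either side can reintroduce a memcmp whose length does not match the literal. Deriving the length from the literal, e.g. `else if (toklen == sizeof "public-key" - 1 && !memcmp ("public-key", tok, toklen))`, keeps the guard self-checking; since this appears to be a verbatim upstream backport, that is better raised upstream than changed here. The old `||` form also accepted any token of exactly 10, 11 or 20 bytes without comparing it, so the change tightens key-type validation as well as stopping the over-read, and the packaging changelog could record that together with the upstream reference `GnuPG-bug-id: 7662`. The body of uncompress_ecc_q_in_canon_sexp starts and ends outside the hunk.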
@@ -29,6 +29,7 @@ Patch17: backport-0003-CVE-2025-30258-gpg-Fix-a-verification-DoS-due-to-a-malici
 Patch18: backport-0004-CVE-2025-30258-gpg-Fix-regression-for-the-recent-malicious-subkey-D.patch
 Patch19: backport-0005-CVE-2025-30258-gpg-Allow-the-use-of-an-ADSK-subkey-as-ADSK-subkey.patch
 Patch20: backport-0006-CVE-2025-30258-gpg-Fix-another-regression-due-to-the-T7547-fix.patch
+Patch21: backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
 BuildRequires: gcc
 BuildRequires: zlib-devel, npth-devel, texinfo
@@ -126,6 +127,9 @@ make check
 %changelog
+* Mon Aug 25 2025 yixiangzhike - 2.2.32-8
+- fix read buffer over-read in uncompress_ecc_q_in_canon_sexp
+
 * Tue May 6 2025 yixiangzhike - 2.2.32-7
 - fix CVE-2025-30258
-- Gitee