diff --git a/backport-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-k.patch b/backport-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-k.patch new file mode 100644 index 0000000000000000000000000000000000000000..966fc9009b4f8cc9022f2a9e0e1c820f17ec053c --- /dev/null +++ b/backport-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-k.patch @@ -0,0 +1,46 @@ +From ddb012be7fe2ab0eb713b33c50c22ac8f194fa6c Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Wed, 22 Oct 2025 11:19:55 +0200 +Subject: [PATCH] gpg: Avoid potential downgrade to SHA1 in 3rd party key + signatures. + +* g10/sig-check.c (check_signature_over_key_or_uid): Always initialize +IS_SELFSIG because it is later used to detect SHA1 non-selfsignatures. +-- + +The value of is_selfsig was also used to decide whether to reject a a +SHA_signature if it is not a self-signature. However, a code path +exists where is_selfsig was set to stub_is_selfsig and not initilaized +in this case. + +Fixes-commit: c4f2d9e3e1d77d2f1f168764fcdfed32f7d1dfc4 +Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a +--- + g10/sig-check.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/g10/sig-check.c b/g10/sig-check.c +index ed83c23f9..17de90184 100644 +--- a/g10/sig-check.c ++++ b/g10/sig-check.c +@@ -890,7 +890,7 @@ check_key_signature (ctrl_t ctrl, kbnode_t root, kbnode_t node, + * be found. Returns GPG_ERR_BAD_SIGNATURE if the signature is bad. + * Other errors codes may be returned if something else goes wrong. + * +- * IF IS_SELFSIG is not NULL, sets *IS_SELFSIG to 1 if this is a ++ * If IS_SELFSIG is not NULL, sets *IS_SELFSIG to 1 if this is a + * self-signature (by the key's primary key) or 0 if not. + * + * If RET_PK is not NULL, returns a copy of the public key that +@@ -910,6 +910,8 @@ check_signature_over_key_or_uid (ctrl_t ctrl, PKT_public_key *signer, + if (!is_selfsig) + is_selfsig = &stub_is_selfsig; + ++ *is_selfsig = 0; /* Init early to comply with function description. */ ++ + rc = openpgp_pk_test_algo (sig->pubkey_algo); + if (rc) + return rc; +-- +2.43.0 + diff --git a/gnupg2.spec b/gnupg2.spec index 2cb47d9394b79be97aef257ad485625b15a63bc6..a30106720c679d80336a4906eebc19995f2d0c04 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -1,6 +1,6 @@ Name: gnupg2 Version: 2.4.3 -Release: 8 +Release: 9 Summary: Utility for secure communication and data storage License: GPLv3+ @@ -28,6 +28,7 @@ Patch17: backport-0005-CVE-2025-30258.patch Patch18: backport-0006-CVE-2025-30258.patch Patch19: backport-gpg-Fix-double-free-of-internal-data.patch Patch20: backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch +Patch21: backport-gpg-Avoid-potential-downgrade-to-SHA1-in-3rd-party-k.patch BuildRequires: gcc BuildRequires: zlib-devel, npth-devel, texinfo @@ -129,6 +130,9 @@ make check %changelog +* Thu Oct 23 2025 yixiangzhike - 2.4.3-9 +- avoid potential downgrade to SHA1 in 3rd party key signatures + * Thu Aug 21 2025 yixiangzhike - 2.4.3-8 - fix read buffer over-read in uncompress_ecc_q_in_canon_sexp