From 9f96fcacf6f5a95118e39e89ceed094508812c6b Mon Sep 17 00:00:00 2001
From: yixiangzhike
Date: Tue, 6 May 2025 11:11:43 +0800
Subject: [PATCH] Backport follow-up patch for CVE-2025-30258
---
 backport-0006-CVE-2025-30258.patch | 48 ++++++++++++++++++++++++++++++
 gnupg2.spec | 8 +++--
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 backport-0006-CVE-2025-30258.patch
diff --git a/backport-0006-CVE-2025-30258.patch b/backport-0006-CVE-2025-30258.patch
new file mode 100644
index 0000000..71ca241
--- /dev/null
+++ b/backport-0006-CVE-2025-30258.patch
@@ -0,0 +1,48 @@
+From 9b7c067717d815e16f9ea3cec88bca09a6cce7cb Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Fri, 2 May 2025 11:11:05 +0200
+Subject: [PATCH] gpg: Fix another regression due to the T7547 fix.
+
+* g10/getkey.c (get_pubkey_for_sig): Keep a requested
+PUBKEY_USAGE_CERT.
+(finish_lookup): For correctness in future use cases allow
+PUBKEY_USAGE_CERT to also trigger verify mode.
+--
+
+The case here was that a cert-only primary key was removed with
+export-clean.
+
+GnuPG-bug-id: 7583
+---
+ g10/getkey.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/g10/getkey.c b/g10/getkey.c
+index e3264062f..ae0e00220 100644
+--- a/g10/getkey.c
++++ b/g10/getkey.c
+@@ -341,8 +341,10 @@ get_pubkey_for_sig (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig,
+ /* Make sure to request only keys cabable of signing. This makes
+ * sure that a subkey w/o a valid backsig or with bad usage flags
+ * will be skipped. We also request the verification mode so that
+- * expired and reoked keys are returned. */
+- pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY);
++ * expired and revoked keys are returned. We keep only a requested
++ * CERT usage in PK for the sake of key signatures. */
++ pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY
++ | (pk->req_usage & PUBKEY_USAGE_CERT));
+
+ /* First try the ISSUER_FPR info. */
+ fpr = issuer_fpr_raw (sig, &fprlen);
+@@ -3736,7 +3738,7 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
+ /* The verify mode is used to change the behaviour so that we can
+ * return an expired or revoked key for signature verification. */
+ verify_mode = ((req_usage & PUBKEY_USAGE_VERIFY)
+- && (req_usage & PUBKEY_USAGE_SIG));
++ && (req_usage & (PUBKEY_USAGE_CERT|PUBKEY_USAGE_SIG)));
+
+ #define USAGE_MASK (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT)
+ req_usage &= USAGE_MASK;
+--
+2.43.0
+
diff --git a/gnupg2.spec b/gnupg2.spec
index 1bbd8cd..c687ab3 100644
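Review bot: In the get_pubkey_for_sig hunk, `pk->req_usage` is now read before it is overwritten, so the value the caller left in PK has become an input to the key lookup, and the function comment should say so. A PK that is reused or was not cleared could carry a stale CERT bit into the request; I would add to the header comment something like `/* On entry only PUBKEY_USAGE_CERT in PK->req_usage is honoured; callers must clear PK or set just that bit. */`. The finish_lookup hunk also lets VERIFY together with CERT enable verify mode, which per its own comment can return an expired or revoked key, so a caller that requests CERT presumably has to check expiry and revocation on the result itself; that is worth confirming against the 2.4.3 call sites for this backport. Both functions start and end outside the hunks shown.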
--- a/gnupg2.spec +++ b/gnupg2.spec @@ -1,6 +1,6 @@ Name: gnupg2 Version: 2.4.3 -Release: 6 +Release: 7 Summary: Utility for secure communication and data storage License: GPLv3+ @@ -25,7 +25,8 @@ Patch14: backport-0002-CVE-2025-30258.patch Patch15: backport-0003-CVE-2025-30258.patch Patch16: backport-0004-CVE-2025-30258.patch Patch17: backport-0005-CVE-2025-30258.patch -Patch18: backport-gpg-Fix-double-free-of-internal-data.patch +Patch18: backport-0006-CVE-2025-30258.patch +Patch19: backport-gpg-Fix-double-free-of-internal-data.patch BuildRequires: gcc BuildRequires: zlib-devel, npth-devel, texinfo @@ -127,6 +128,9 @@ make check %changelog +* Tue May 6 2025 yixiangzhike - 2.4.3-7 +- backport follow-up patch for CVE-2025-30258 + * Thu Mar 27 2025 yixiangzhike - 2.4.3-6 - fix CVE-2025-30258 -- Gitee