diff --git a/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch b/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eea985f69c2974a3827924456e6cd8fbe8d8b485
--- /dev/null
+++ b/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
@@ -0,0 +1,39 @@
+From 57c1c96e7f5c2b94daba5ccc0070cf3ee52d66d9 Mon Sep 17 00:00:00 2001
+From: Collin Funk via Gnupg-devel
+Date: Fri, 23 May 2025 23:52:46 -0700
+Subject: [PATCH] common: Fix read buffer over-read in
+ uncompress_ecc_q_in_canon_sexp.
+
+* common/sexputil.c (uncompress_ecc_q_in_canon_sexp): Only call memcmp
+if the lengths are equal.
+
+--
+
+GnuPG-bug-id: 7662
+Signed-off-by: Collin Funk
+---
+ common/sexputil.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/sexputil.c b/common/sexputil.c
+index c7471be85..2b5d96812 100644
+--- a/common/sexputil.c
++++ b/common/sexputil.c
+@@ -784,11 +784,11 @@ uncompress_ecc_q_in_canon_sexp (const unsigned char *keydata,
+ return err;
+ if (!tok)
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+- else if (toklen == 10 || !memcmp ("public-key", tok, toklen))
++ else if (toklen == 10 && !memcmp ("public-key", tok, toklen))
+ ;
+- else if (toklen == 11 || !memcmp ("private-key", tok, toklen))
++ else if (toklen == 11 && !memcmp ("private-key", tok, toklen))
+ ;
+- else if (toklen == 20 || !memcmp ("shadowed-private-key", tok, toklen))
++ else if (toklen == 20 && !memcmp ("shadowed-private-key", tok, toklen))
+ ;
+ else
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+--
+2.43.0
+
diff --git a/gnupg2.spec b/gnupg2.spec
index d78854bdede4793b35e940f3ace0898a9422574d..bf4ec2977bc00597f4b90083f16398bd7b3f1387 100644
--- a/gnupg2.spec
+++ b/gnupg2.spec
@@ -1,6 +1,6 @@
 Name: gnupg2
 Version: 2.4.3
-Release: 10
+Release: 11
 Summary: Utility for secure communication and data storage
 License: GPLv3+
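Review bot: The three corrected checks in uncompress_ecc_q_in_canon_sexp still pair a hand-counted length (10, 11, 20) with a string literal, so a miscounted constant would silently reject a valid token or compare only a prefix of it. Deriving the length from the literal keeps the two from drifting, e.g. `else if (toklen == sizeof "public-key" - 1 && !memcmp ("public-key", tok, toklen))`, and likewise for "private-key" and "shadowed-private-key". The old `||` form also accepted any token of the matching length and any shorter token that was a prefix of the name, so this change tightens validation as well as bounding the read; the commit message and the spec changelog mention only the over-read, and no regression test for a wrong-length or wrong-content token is visible in this patch. The function body starts and ends outside the hunk.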
@@ -28,6 +28,7 @@ Patch17: backport-0004-CVE-2025-30258.patch Patch18: backport-0005-CVE-2025-30258.patch Patch19: backport-0006-CVE-2025-30258.patch Patch20: backport-gpg-Fix-double-free-of-internal-data.patch +Patch21: backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch BuildRequires: gcc BuildRequires: autoconf automake @@ -133,6 +134,9 @@ make check %changelog +* Thu Aug 21 2025 yixiangzhike - 2.4.3-11 +- fix read buffer over-read in uncompress_ecc_q_in_canon_sexp + * Tue May 6 2025 yixiangzhike - 2.4.3-10 - backport follow-up patch for CVE-2025-30258