From dd1b06b796f157a101ff7448129a59b088c648a0 Mon Sep 17 00:00:00 2001
From: yixiangzhike
Date: Thu, 21 Aug 2025 16:18:21 +0800
Subject: [PATCH] Fix read buffer over-read in uncompress_ecc_q_in_canon_sexp

(cherry picked from commit efbf44945ad6d354c73abf1bb216b626f6711a8e)
---
 ...buffer-over-read-in-uncompress_ecc_q.patch | 39 +++++++++++++++++++
 gnupg2.spec | 6 ++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch

diff --git a/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch b/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
new file mode 100644
index 0000000..eea985f
--- /dev/null
+++ b/backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
@@ -0,0 +1,39 @@
+From 57c1c96e7f5c2b94daba5ccc0070cf3ee52d66d9 Mon Sep 17 00:00:00 2001
+From: Collin Funk via Gnupg-devel
+Date: Fri, 23 May 2025 23:52:46 -0700
+Subject: [PATCH] common: Fix read buffer over-read in
+ uncompress_ecc_q_in_canon_sexp.
+
+* common/sexputil.c (uncompress_ecc_q_in_canon_sexp): Only call memcmp
+if the lengths are equal.
+
+--
+
+GnuPG-bug-id: 7662
+Signed-off-by: Collin Funk
+---
+ common/sexputil.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/sexputil.c b/common/sexputil.c
+index c7471be85..2b5d96812 100644
+--- a/common/sexputil.c
++++ b/common/sexputil.c
+@@ -784,11 +784,11 @@ uncompress_ecc_q_in_canon_sexp (const unsigned char *keydata,
+ return err;
+ if (!tok)
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+- else if (toklen == 10 || !memcmp ("public-key", tok, toklen))
++ else if (toklen == 10 && !memcmp ("public-key", tok, toklen))
+ ;
+- else if (toklen == 11 || !memcmp ("private-key", tok, toklen))
++ else if (toklen == 11 && !memcmp ("private-key", tok, toklen))
+ ;
+- else if (toklen == 20 || !memcmp ("shadowed-private-key", tok, toklen))
++ else if (toklen == 20 && !memcmp ("shadowed-private-key", tok, toklen))
+ ;
+ else
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+-- 
+2.43.0
+
diff --git a/gnupg2.spec b/gnupg2.spec
index d78854b..bf4ec29 100644
--- a/gnupg2.spec
+++ b/gnupg2.spec
@@ -1,6 +1,6 @@
 Name: gnupg2
 Version: 2.4.3
-Release: 10
+Release: 11
 Summary: Utility for secure communication and data storage
 License: GPLv3+
@@ -28,6 +28,7 @@
 Patch17: backport-0004-CVE-2025-30258.patch
 Patch18: backport-0005-CVE-2025-30258.patch
 Patch19: backport-0006-CVE-2025-30258.patch
 Patch20: backport-gpg-Fix-double-free-of-internal-data.patch
+Patch21: backport-common-Fix-read-buffer-over-read-in-uncompress_ecc_q.patch
 BuildRequires: gcc
 BuildRequires: autoconf automake
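Review bot: The `Patch21:` registration in the `@@ -28,6 +28,7 @@` hunk is only half of wiring a backport into the build, and the `%prep` section that applies patches lies outside this diff, so I cannot tell whether the spec uses `%autosetup` (which picks the new entry up automatically) or explicit `%patch` lines; if the latter, a matching `%patch -P 21 -p1` line is needed or the over-read fix is silently never compiled in. A look at the build log for Patch21 being applied, or a check that the built `common/sexputil.c` carries the `&&` comparisons, would confirm it. The `%changelog` entry in the later hunk could also cite the upstream reference the embedded patch carries, GnuPG-bug-id 7662, so the fix stays traceable from the package metadata.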
@@ -133,6 +134,9 @@ make check
 %changelog
+* Thu Aug 21 2025 yixiangzhike - 2.4.3-11
+- fix read buffer over-read in uncompress_ecc_q_in_canon_sexp
+
 * Tue May 6 2025 yixiangzhike - 2.4.3-10
 - backport follow-up patch for CVE-2025-30258
-- 
Gitee