
[scarthgap,07/12] gnupg: fix CVE-2026-24882

Message ID 20260409061639.1688205-8-jinfeng.wang.cn@windriver.com

Commit Message

Wang, Jinfeng (CN) April 9, 2026, 6:16 a.m. UTC
From: Guocai He <guocai.he.cn@windriver.com>

Backport the two upstream patches (the tpm2d ciphertext length checks, plus the follow-up agent fix for the TPM RSA pkdecrypt regression those checks introduced) to fix CVE-2026-24882 per references [1] [2].

[1] https://security-tracker.debian.org/tracker/CVE-2026-24882
[2] https://dev.gnupg.org/T8045

Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
---
 .../gnupg/gnupg/CVE-2026-24882-0001.patch     | 70 +++++++++++++++++++
 .../gnupg/gnupg/CVE-2026-24882-0002.patch     | 47 +++++++++++++
 meta/recipes-support/gnupg/gnupg_2.4.8.bb     |  2 +
 3 files changed, 119 insertions(+)
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-24882-0001.patch
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-24882-0002.patch


diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-24882-0001.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-24882-0001.patch
new file mode 100644
index 0000000000..6e6d44c372
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-24882-0001.patch
@@ -0,0 +1,70 @@ 
+From d07e2f19134129d59014fe181642cd122dc2e29f Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 26 Jan 2026 11:13:44 +0100
+Subject: [PATCH 1/2] tpm: Fix possible buffer overflow in PKDECRYPT
+
+* tpm2d/tpm2.c (tpm2_ecc_decrypt): Bail out on too long CIPHERTEXT.
+(tpm2_rsa_decrypt): Ditto.
+--
+
+Cherry pick master commit of:
+	93fa34d9a346020355cd51d54102d30d4f177323
+
+GnuPG-bug-id: 8045
+Co-authored-by: NIIBE Yutaka <gniibe@fsij.org>
+Reported-by: OpenAI Security Research
+
+CVE: CVE-2026-24882
+Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/01c130031]
+
+Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
+---
+ tpm2d/tpm2.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
+index 3e908dd..cd0347c 100644
+--- a/tpm2d/tpm2.c
++++ b/tpm2d/tpm2.c
+@@ -917,10 +917,20 @@ tpm2_ecc_decrypt (ctrl_t ctrl, TSS_CONTEXT *tssc, TPM_HANDLE key,
+   size_t len;
+   int ret;
+ 
++#if defined(TPM2_MAX_ECC_KEY_BYTES) /* Intel stack */
++  if (ciphertext_len > 2*TPM2_MAX_ECC_KEY_BYTES + 1)
++    return GPG_ERR_TOO_LARGE;
++#elif defined(MAX_ECC_KEY_BYTES)    /* IBM stack */
++  if (ciphertext_len > 2*MAX_ECC_KEY_BYTES + 1)
++    return GPG_ERR_TOO_LARGE;
++#else
++# error TMP2 header are not correctly installed
++#endif
++
+   /* This isn't really a decryption per se.  The ciphertext actually
+    * contains an EC Point which we must multiply by the private key number.
+    *
+-   * The reason is to generate a diffe helman agreement on a shared
++   * The reason is to generate a diffie-hellman agreement on a shared
+    * point.  This shared point is then used to generate the per
+    * session encryption key.
+    */
+@@ -976,6 +986,16 @@ tpm2_rsa_decrypt (ctrl_t ctrl, TSS_CONTEXT *tssc, TPM_HANDLE key,
+   TPM_HANDLE ah;
+   char *auth;
+ 
++#if defined(TPM2_MAX_RSA_KEY_BYTES)  /* Intel stack */
++  if (ciphertext_len > TPM2_MAX_RSA_KEY_BYTES)
++    return GPG_ERR_TOO_LARGE;
++#elif defined(MAX_RSA_KEY_BYTES)     /* IBM stack */
++  if (ciphertext_len > MAX_RSA_KEY_BYTES)
++    return GPG_ERR_TOO_LARGE;
++#else
++# error TMP2 header are not correctly installed
++#endif
++
+   inScheme.scheme = TPM_ALG_RSAES;
+   /*
+    * apparent gcrypt error: occasionally rsa ciphertext will
+-- 
+2.34.1
+
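Review bot: The `Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/01c130031]` line in the patch header cites a hash that matches neither the `From d07e2f19134129d59014fe181642cd122dc2e29f` line nor the `Cherry pick master commit of: 93fa34d9a346020355cd51d54102d30d4f177323` line, so a reader cannot tell which upstream commit was actually taken. OE patch conventions expect the Backport link to identify the commit being backported; presumably d07e2f19… is the 2.4-branch cherry-pick and 93fa34d9… the master original, in which case the header should read `Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/d07e2f19134129d59014fe181642cd122dc2e29f]` and drop the third hash. Separately, the two `#error TMP2 header are not correctly installed` lines are verbatim upstream text (typo for TPM2); keep them as-is so the backport does not diverge, but be aware the build will now fail hard on a toolchain whose TPM headers define neither the Intel nor the IBM size macros, which is a new behaviour for this recipe. tpm2_ecc_decrypt and tpm2_rsa_decrypt both start before and end after their hunks.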
diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-24882-0002.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-24882-0002.patch
new file mode 100644
index 0000000000..2e872ea491
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-24882-0002.patch
@@ -0,0 +1,47 @@ 
+From e8eaa9bf018d3276d613f371207c91c1ffa3e16c Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 12 Feb 2026 11:51:17 +0900
+Subject: [PATCH 2/2] agent: Fix the regression in pkdecrypt with TPM RSA.
+
+* agent/divert-tpm2.c (divert_tpm2_pkdecrypt): Care about additional
+0x00.
+
+--
+
+Cherry pick master commit of:
+	6eed3959303c81c9699fe9273030e480732f72be
+
+GnuPG-bug-id: 8045
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+CVE: CVE-2026-24882
+Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/555a9f5b3]
+
+Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
+---
+ agent/divert-tpm2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/agent/divert-tpm2.c b/agent/divert-tpm2.c
+index 2496d09..5b5bd14 100644
+--- a/agent/divert-tpm2.c
++++ b/agent/divert-tpm2.c
+@@ -135,6 +135,15 @@ divert_tpm2_pkdecrypt (ctrl_t ctrl,
+       if (!smatch (&s, n, "a"))
+         return gpg_error (GPG_ERR_UNKNOWN_SEXP);
+       n = snext (&s);
++      /* NOTE: gpg-agent protocol uses signed integer for RSA (%m in
++       * MPI), where 0x00 is added when the MSB is 1.  TPM2 uses
++       * unsigned integer.  We need to remove this 0x00, or else
++       * it may result GPG_ERR_TOO_LARGE in tpm2daemon.  */
++      if (!*s && (n&1))
++        {
++          s++;
++          n--;
++        }
+     }
+   else if (smatch (&s, n, "ecdh"))
+     {
+-- 
+2.34.1
+
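Review bot: The new guard `if (!*s && (n&1))` strips a leading 0x00 only when the MPI length is odd, so it relies on the RSA modulus having an even byte length; that holds for the usual 1024/2048/3072/4096-bit keys, but a key with an odd-byte modulus whose ciphertext has the MSB set will still be handed to tpm2daemon with the extra leading byte, and for a maximum-size key that would trip the GPG_ERR_TOO_LARGE check from patch 0001. That is upstream's behaviour and acceptable for a backport, but since this patch exists only to repair the regression the companion length check introduces (its own comment points at GPG_ERR_TOO_LARGE in tpm2daemon), the patch header should say so explicitly, e.g. `Depends on CVE-2026-24882-0001.patch: restores TPM RSA pkdecrypt after the new ciphertext length check`, so a future maintainer does not drop one without the other. divert_tpm2_pkdecrypt starts and ends outside the hunk.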
diff --git a/meta/recipes-support/gnupg/gnupg_2.4.8.bb b/meta/recipes-support/gnupg/gnupg_2.4.8.bb
index 2d27f4454e..6a865ed57d 100644
--- a/meta/recipes-support/gnupg/gnupg_2.4.8.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.4.8.bb
@@ -19,6 +19,8 @@  SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
            file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
            file://CVE-2025-68973.patch \
+           file://CVE-2026-24882-0001.patch \
+           file://CVE-2026-24882-0002.patch \
            "
 SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
                                 file://relocate.patch"