From patchwork Tue Jun 30 13:03:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roland Kovacs X-Patchwork-Id: 91406 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DACE9C43327 for ; Tue, 30 Jun 2026 13:03:52 +0000 (UTC) Received: from MRWPR03CU001.outbound.protection.outlook.com (MRWPR03CU001.outbound.protection.outlook.com [40.107.130.1]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20506.1782824629519947459 for ; Tue, 30 Jun 2026 06:03:51 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@est.tech header.s=selector1 header.b=aDQT55vg; spf=pass (domain: est.tech, ip: 40.107.130.1, mailfrom: roland.kovacs@est.tech) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=gh+TSulE5CvqT4zQ6RJ1BPvoj/yw/Rkfp+IaD5WiBBYPzJeCMDd0oLoQm3J7XrvCkcSwzGcFsVmwo27FL5q6yb7M3UDPua4LExtGcmnltSNKHDKjlQyppCXvEa2yXOr86tQ+rCdI42Ds9rFa8N1VDeytVsGlSoLTd6IY585P4IFe8efSofdFInH/bXRVOXm+qdgYAjnpO5U0HZjD/FAhnrqL1X92W4v0LUSfnjAhOLeXiy/78AHHgCHdWXGYqErFfobCrY5qRY2BurxTcwPL+pIC1scCUrUuEdLDiIwMvEdl6sJAQPHN1DdpCfkmrqANr5xEunYzV+mYH2N+tvXc7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=3jOGiWaTEvGVa/PCE1u+DThjSlRuGTqt55uOb/vyNqQ=; b=w5mFZTQFKMMWLMLzeU+2Epv21rlad4b08kkLCIIyIF7UfKG5n1fmwr25OZBnhRz/2PDsQ2s9OdmBXX/Zm9MRs/wnOoPxwakzNs6zcw8F4z0TRPXphMzK4wNMYS1ZgsUk5udltNBODoHwK+SvC33ovBxA4f/PqrtBGW8DZaOeBH1Yk4c+gaHsR119JaO8coloy4UmuLI/fCUWaPUCb9Dx4dXp2hZw54jDQPNqpgfVl3DGHJ49QK4NeM2xuufWvuKlA0aRRe9Zhg2hkjv+GEBvXAGfX+lKGcOBvNnY3T64Ox7tqIV2eEy45UgrucMKWaQgNpQgV8VC/gJnPh9NZ2Wqsg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=est.tech; dmarc=pass action=none header.from=est.tech; dkim=pass header.d=est.tech; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=est.tech; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3jOGiWaTEvGVa/PCE1u+DThjSlRuGTqt55uOb/vyNqQ=; b=aDQT55vgceUiqMo147NsV8EAJWcMPhVLOhoJm82DhYy77+3xZ3oOpB8dLeoeUFTdtFcFpwcmvMqbQ0aYBO5Aus4MCJ4+HjFSK2Ttk+GuTmAo1h0dn80bprNWx4oN2u6NjRRl4NBdGiVE3he6FIY4hL8Tk3BNb8vnANx/aqCOkECW9v1r1DyEYPuHA0PWz6aZq+Vj4HegNkQWzfj4Kx/Y9M6UgZUpmzNzh6DXvkiNUFFVr6ICotcmeIHeqwJkz6aBGssGEMHoM/CC9TfgOdpjXbWh+wFBtsLcV3K6Uf1A677PdBF24z/2hRIfc9VAli6tj+RgehVpM/IxGU28ZOT6VA== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=est.tech; Received: from AM7P189MB0725.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:111::20) by PAWP189MB2777.EURP189.PROD.OUTLOOK.COM (2603:10a6:102:46a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.159.19; Tue, 30 Jun 2026 13:03:45 +0000 Received: from AM7P189MB0725.EURP189.PROD.OUTLOOK.COM ([fe80::ab4f:3151:4330:625d]) by AM7P189MB0725.EURP189.PROD.OUTLOOK.COM ([fe80::ab4f:3151:4330:625d%5]) with mapi id 15.21.0181.008; Tue, 30 Jun 2026 13:03:45 +0000 From: Roland Kovacs To: openembedded-core@lists.openembedded.org Subject: [master][PATCH 1/2] gnupg: Upgrade 2.5.17 -> 2.5.20 Date: Tue, 30 Jun 2026 15:03:40 +0200 Message-ID: <20260630130341.71014-2-roland.kovacs@est.tech> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260630130341.71014-1-roland.kovacs@est.tech> References: <20260630130341.71014-1-roland.kovacs@est.tech> X-ClientProxiedBy: LO4P123CA0680.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:351::9) To AM7P189MB0725.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:111::20) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM7P189MB0725:EE_|PAWP189MB2777:EE_ X-MS-Office365-Filtering-Correlation-Id: b033d9c5-87e9-4de5-bed9-08ded6a804be X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|23010399003|376014|22082099003|18002099003|11063799006|56012099006|6133799003|3023799007; X-Microsoft-Antispam-Message-Info: 1LmPN/NTCKXjMWAa/MLm2UzolKq9HY1lCZCgI+DI7XFis5TgB15MzcgwFdSUMkUmUyZE+M/eCeaTRPKnO+G7NggL3PmC3BI+XEvGpTju9IrBgITi+uzEqrO03r5SNth89gzZLbxROlqXgJd8UPuwE7qMs6AnvCnz8jJ+rK1WO+iF+scwev/4h6xLn2R95YiEkGW33PD7i3lIqeXsjP+a6CNwm9qXFLqE5riveWRaMrIiqW8dETKveXUGSj37PRGg7e/lNBjAlCDCYIIxppxSswdssT92YPjZCjQiSuapsXTUPz0PiBFynVxalgSp9GpVzJi0CBauIx5DiizI0zoQu8ZPs87VdL4rXg0yoWC62YHMA79tUrat61+9RuFvcWxH7Oh+LJOBTMKHXsLYEbbDOoH8foWzFudsv5tPx3SJCCOoXEM4GSELcF1dIIB0rhZtoQ83nw56QXGT4kPvKbsCAYeS6avJmLikVdkUhQfjc6M2vssjImkXhm9brdFNCuArneCJab08HfotBnBqsCnGhdQCCDMH4bFF98+cBt7Kj8/5GTbWRpXNWU/9ryanbTsJYCaUG+Hc2raVhjP8ZtGAVUUkVnNyRcj9AlpDwH+xqALjoa4biT7+wpcSY/T9Rxd4 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM7P189MB0725.EURP189.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(23010399003)(376014)(22082099003)(18002099003)(11063799006)(56012099006)(6133799003)(3023799007);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: lgXV6K8F/vojXDUeBxhCno1kyCuh3oDikfjX/vW+QS9x2sVQbTXZu2lhBIfiTadIyWc/8EQr+5Ii2R8Jwutcet4OFWvMS0L5gFxFYZsmtbOD44YO91+zeera6M1VBv2gZug4DjKAufmukrS7cPYoPIIlF0F8E0nWntNGwgy/z9TxnzZwJdrK8YEfMRLYV2rGe9lO5Ic/X6wNfEUUBy/5Ob1x4m/2JotVSUbYyLaGc/7a1jZm+skh6W2bEUXr0Mpmv+0zoJUqX45fV2FV+ipX752iWeUwfiDvtMISEwxr3I1GAZ0BInX7hoORfHl4Ir+AevmxqqcOoEBTL+/zj7oPVZy000ArJ1kSUHDjiCdEz6Hc7vwuxnO4kxauYxNY1HHapenC9MOOg0NtdiPqvqpvHylL9WX/o2VqnyD/21IzQZLCjXcH4Dp7JApGuA4t0JRngFbmtM9vtPZ9/+J1AXokfsRggQL1Ouv1BvmydJ1+2gXtKEOEuSKuFL6LxtRTnXkaR/Ild/h62u2qbczqHRKNFuefe8AC1X2XI0ZHaX3nElNMy2Jni7xPFDNnAGyrdfEWRoSG8i0c5T4euIbyLxCp4d4KSAOwMPPhmptrZzlb037WTQCZCXyHQQSBjrM5hOXUVdetLrF2IOS5fEh7WJ36rOuEy942emuM9GwA8oPsMWvHsgcAdIJk+pfT1DWSjNLkhd2bsnAD9Alf9gvK0AXvXc2Ghwpd3HuIF8zzUEox3R2cW4wZpx9RUJuK3ca/b0BoUw3cz6MpTpCI/XEgjbT6WX9DtwJ+zwwoRtzCK126yZgTyD3MhsKFCNPoJIyptBnUR4uWBiULhagayKJzi4wAxF3bb1oWtSvMossjgYxc5qrn6E725uLd37i8llFlOaZ3iAQBMA/XhpX2AwKEf2ynQ5VXJhODD6x0VQyaMfoCYRQSsrj8ZExNuUwCxnN7091/x7LOpKq9GRKsiFYmHuBslygRB101+ujSih7MR2Zzu1lnDiECAD+AqkRcogei6MDNvysM6GdAaznAJqjAR08ZTT0hWjmJVa2SmePKMPS1Q6wsdFKR2qyAVWwiZCIOOqJa/c0CIwU1fXNHEDiwdUaptqSUfBrqJCUMPHfkOokMP2bRMIf3H5abFe6rGHqzroVliz/b34y5OIEsO13mgjwZlV7cMaCB/h44J1UDHVBhCgacSab20IkIZSQBM23RNx9tBFjiDMft/gbe8st3PnFBUAwHnXFrm5JZxCnD7pUz5Y124r35w7axLkqTi61rTaBVYEidyW8ua8jOVDGx2UDkPhcS3nYXBjN593oihXW6iMwzvvaoy1vxl0ojTYqsOjWZm+NC+5mx5lTc5ROGkwcGLyF5Ewzs16qYT8kteT2Ojx66agG0AEJD4ww0LjMggRnYkaLfbmvXCgCEPrsWQaMSgwIRDeCpDL5RQZOBi4zxh0gLTDZ8YtJjN3PQpqLxt/jMDQBfv9DRyyYXlRxEuHpDjQXQu3biejTAW/iCSlj6yoYkSn7fyUIrESIhSgNfA1AE6XTy/XUJLA72OzymYbVlwVWxOaBtw+oIRYUZtmSRDHENbPUrh1aD1ce/NyCtFb8FD5Pgda3UjIqQTEIa4Ln0zJHY5glMOXqk7neENIhXGUCrM2myjzkoMV8qHfxxOWK4FlgocrkKmlrZ6mX1zWnC6WOe2hkSzgqQ6UfOY+B7PB6AkJdFNt4R0RK2ufkBwlNp2bLeOVxh7m7SIGbWCqTRZQ== X-OriginatorOrg: est.tech X-MS-Exchange-CrossTenant-Network-Message-Id: b033d9c5-87e9-4de5-bed9-08ded6a804be X-MS-Exchange-CrossTenant-AuthSource: AM7P189MB0725.EURP189.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jun 2026 13:03:45.6896 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: d2585e63-66b9-44b6-a76e-4f4b217d97fd X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: gVJqYY8pFl5NaZ+kmryWwEO7USWComufBBTng5D/vSf3v0VVCnMD0ty7R258rJ9CtDq3QMDtg6QHv+CQ1q34Dg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWP189MB2777 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Jun 2026 13:03:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239889 Bug fixes included in this release: - gpg: Fix wrong assertion failure which could very rarely occur during key signature checking. [rG693f5642f6] - gpg: Consider certify-only keys for revocation signature check. [T8196] - gpgsm: Fix possible double free in the CMS parser. [T8240] - gpgsm: Fix possible too early removal of ephemeral keys. [T8236] - gpgsm: Avoid emitting a final FAILURE status line if --status-fd is not used. [rG69c27fe377] - gpgsm: Fix a regression in 2.5.19 for password encrypted GCM data. [rG60a823c97b] - agent: Fix not using cache for pinentry loopback. [rGd4b608a31f] - agent: Fix command PUT_SECRET by saving input line. [rG1875bc185e] - keyboxd: Mark keys searched but not imported via LDAP correctly as ephemeral. [T8048] - scdaemon: Avoid buffer overflow with SC-HSM cards providing RSA keys > 2k. [T8244] - dirmngr: Fix uninitialized use of the dns_any union in dns_rr_cmp. [T8251] Release-info: https://dev.gnupg.org/T7997 Signed-off-by: Roland Kovacs --- .../recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename meta/recipes-support/gnupg/{gnupg_2.5.17.bb => gnupg_2.5.20.bb} (95%) diff --git a/meta/recipes-support/gnupg/gnupg_2.5.17.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb similarity index 95% rename from meta/recipes-support/gnupg/gnupg_2.5.17.bb rename to meta/recipes-support/gnupg/gnupg_2.5.20.bb index fd6588769c..a1a50e2384 100644 --- a/meta/recipes-support/gnupg/gnupg_2.5.17.bb +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb @@ -16,6 +16,7 @@ inherit autotools gettext texinfo pkgconfig upstream-version-is-even require drop-unknown-suffix.inc UPSTREAM_CHECK_URI = "https://gnupg.org/ftp/gcrypt/gnupg/" +SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0002-use-pkgconfig-instead-of-npth-config.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ @@ -24,7 +25,7 @@ SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for- file://relocate.patch" SRC_URI:append:class-nativesdk = " file://relocate.patch" -SRC_URI[sha256sum] = "2c1fbe20e2958fd8fb53cf37d7c38e84a900edc0d561a1c4af4bc3a10888685d" +SRC_URI[sha256sum] = "6461266e99c308419a379abe6c356d54c214136c4589bd65951091138989ffc6" EXTRA_OECONF = "--disable-ldap \ --disable-ccid-driver \ From patchwork Tue Jun 30 13:03:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roland Kovacs X-Patchwork-Id: 91407 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 54BFAC44500 for ; Tue, 30 Jun 2026 13:03:52 +0000 (UTC) Received: from MRWPR03CU001.outbound.protection.outlook.com (MRWPR03CU001.outbound.protection.outlook.com [40.107.130.1]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20506.1782824629519947459 for ; Tue, 30 Jun 2026 06:03:52 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@est.tech header.s=selector1 header.b=EcaFzWjr; spf=pass (domain: est.tech, ip: 40.107.130.1, mailfrom: roland.kovacs@est.tech) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=do6g0K9x2gYkgffV0yi9A56m+GXak7yESPLA84B4HiZBk+/CfLFlr4v3Tp76KHtnCTz5+5BEB0BMRlGF9d0a25fHzyRcm+DkfyhlyWSSkJ+F1TeZnZEw72FC7yFu+4UV1T1mKO6aldUdz8MDiRq71j3vPQlsR4+1fifBRed4Svk8yFEwKG6T5pS+iFLKScUnMGkpHSbgLP9CfvQwfx7bkyLEtYrxWPckZeGW3089aKakTUwTQvOPqsZr9Bvl34wBW7Fr3dJDpVcIdzt48m5BiD72giZY1es+67q8uSTyDEuhXnN8Uo2gvsuzv4l+N8HzIk7i8mmZ4cJFpbpM2bPo4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=O45B27bf0nzfkMQDPrlTipsoPzQ3bZ4zF9xmts+L7mA=; b=vxwXeqY4PnJMVjjx71WveJWaygkOgtke1+ru7UclaJaDWvEfxGtMmqAXj23pG6BJD0Z/+P8KUt/Yqyt5XvoFnRuo6qrfURHM7wZaWhTHNS1exHmUj46ibrZbtAwGEgLECcFtozIMEhr0MbNzpUwPqGMT0Gr/oDRH3cwlvEFg6p6CWVLRKQFGbA8+mpdYBoYIvPas2vIpufBOyhYQLyZKry2FZX+SJ0CzETjJvtuS506gXqv3Td+fF3YPRCwfY8dz8bS3ap5tzRT9XOq1RQahJupx41YcOs75YE0ECCOq5eDju67zjx04bQpE5gayYG0Y+nRgElLBKcXJFVEiWIvZeQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=est.tech; dmarc=pass action=none header.from=est.tech; dkim=pass header.d=est.tech; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=est.tech; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=O45B27bf0nzfkMQDPrlTipsoPzQ3bZ4zF9xmts+L7mA=; b=EcaFzWjriQ70SOoWN8HLIg5qRig1ljyU/CKQdPQ3rfw7iAAwH3Xb/r048KzIgC2JgttOqpBj6AzrDpHrYvg7DbrwSXtH9MCNrOj2gsnolGpz5X0lz/s3fbSR2K6a91F76Ad2N4witEDzZ5yQ0yh4T8GGIhRGD/fwJ3BlSli0t2IUAwkoCSxoomfqykSj4icbfBtqXVWB1JTK0HJS+EKqNc89VFL/bYj1uJcQwG/SN+Cc/b7yPAzXnWG8r9RyxHUmOW61pOFyh1PN8f2lIFsjYBRJEY5JuFsmZktdj/GwrTc3wcOSwGTzFVmJDGd3x14qkoPMu0o1/ccf5wrD5+yQIA== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=est.tech; Received: from AM7P189MB0725.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:111::20) by PAWP189MB2777.EURP189.PROD.OUTLOOK.COM (2603:10a6:102:46a::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.159.19; Tue, 30 Jun 2026 13:03:47 +0000 Received: from AM7P189MB0725.EURP189.PROD.OUTLOOK.COM ([fe80::ab4f:3151:4330:625d]) by AM7P189MB0725.EURP189.PROD.OUTLOOK.COM ([fe80::ab4f:3151:4330:625d%5]) with mapi id 15.21.0181.008; Tue, 30 Jun 2026 13:03:47 +0000 From: Roland Kovacs To: openembedded-core@lists.openembedded.org Subject: [master][PATCH 2/2] gnupg: fix CVE-2026-57062 Date: Tue, 30 Jun 2026 15:03:41 +0200 Message-ID: <20260630130341.71014-3-roland.kovacs@est.tech> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260630130341.71014-1-roland.kovacs@est.tech> References: <20260630130341.71014-1-roland.kovacs@est.tech> X-ClientProxiedBy: LO4P123CA0437.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:1a9::10) To AM7P189MB0725.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:111::20) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM7P189MB0725:EE_|PAWP189MB2777:EE_ X-MS-Office365-Filtering-Correlation-Id: 4109206b-1837-48fb-d5c0-08ded6a805c0 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|23010399003|376014|22082099003|18002099003|11063799006|56012099006|3023799007; X-Microsoft-Antispam-Message-Info: Zn0uqpdXK3WGjljGUhTjxY/eUjBcQI0NUhGBJoPWg9ODvE4VFpMJ9G9M2YnaSRthCHtDOSiGv991s+jt48rzpq0kOmos3VzPX7S0NQ1gdhn0RUNUnKYY6Q1hNWn4e3vDIyMyKZVuGekrHsBv6nMsZFUE/P0OXUQoo+p3si76ud86nV5b+yqjnCO6m6CWR0aKU8yepNCoYGBRGSifM/8Oav5+A5RqDPZDdJXvgtdMJkcDvS79O+Cu4Wo+ZoPRrKJQV2CkLmIM3GrcA4kLK8RYxpg+Bke323ztmWu+gZrrUDV/fHIIiI1+7r3ggJ4ZiddZfKKx8dWXNV+xDghSkddPC9sYoTP/fw+cvSmTXy6OIGNsHd4OOyfu84ajiShjhqmVakrr93Mr+wvJ/+tFaNmdtNbs7vtBtOV291NglN04d3NyI9IZOnCMbp9rZPn8q3/bZ5m62Jh5M3J46QMWgCE7NzLduHuGmSNJiGm+STl194anlTc2fgWnlRvaM7iq2ru1pweclOJbmgVcpcKKUtUG/VM4niw/CrcfKtpxdts2m5OXP0+RlEDCMyphCMz7iOG5ytwsO28x69ThxsJahVspW0jzLd6wPXNVpxyHdlCne3fNEr32ax2jCuhn1zmqFM2ACyvVndcuGDyprzKKKFu50TYp3dNSF2OSLU0RAjLHXwk= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AM7P189MB0725.EURP189.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(23010399003)(376014)(22082099003)(18002099003)(11063799006)(56012099006)(3023799007);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: BhNKWNE8ujy5gMfuGJWShCAnDQUEcBvKX3oKcEh/W91qfEyXkRg+gPcBhkn/QiB54JBeJFMPE/BKyWK4DOdtdkb0DCE5uTIf23ZKuN1k7WENR8rVH2krPxHgupmLjbQUBdFYv99ih3ulurYGdIgpql6bckNkimY40WHR9O6SZbmfxWSkKaRsRn/7WIl8BuZoy5jf8qQEx7nm4/gUghdEOALNOaQZ65WXhwbMQe4sGOp3C+QXn6+LglD15WThgsJGga1Jjf0FLO4IfuYVnd/PtvUwQR+HiXoHBdlbdk9+VoFkVh8jcdHIZP+YIKMTw61pD6MqjmQNeg4QvFA7GmaV62yBsRgcUUKIJjHhxD236D45iPleWyBcZC27pmI2/5mG2EpkPVGz9cAgWt0qIkc1uRy1gAsEAjZkDBSwIY+NadnBEcW9ee9jAi34OoP0716GodbuOcGKvycUIDho7IIbBmJUHPfKPBTf820UcMosaDqYpici+Tc7A992AWLKmYLgku8Ln2Uca2qL/MeD3An+vilTmuWroFCRrKVlY+m+S/qIXoI9ubU/9TUNJ1kAlr5T7W8+By4lnL9OXhDtJJ/X62bW4ga1KnANt14BnlEU6CzID/qbtObUzFs9Kxxqz7m01IlWL3U6Jbd4ea8Zqn10tKWI0ziMS0tbMY1DvxO6fWar7RUgNnUUxMRnuvQJlt9XZdwWebj23kZTYfIinXMTI1qVfB924B5j+neHc4k77PTfNb7eqNgxa3LQpbp1PeZm19posxoswy4m9nw3qNzOALoA4PZuDF1JRF1oB6v9CEA6YZZTZZ+MMJCNOQRbA9gt/0hgDJSFl9hhwuaI+l+dN+KG59VyRsiG1iP40bp0qHNCQrv8Ow3my5wd0LqoEzo2BNGF2AQKOV2RfatruH8RWehQW6BW1+xZEl7aIHjyLCiIVWnjDa1ywX4P85XloMOjOLJYVtqj0qDEXJr3Z7qrakk8bDQ40Fl46uJRtqcogKagu1SrhnuEQ52E5Fmjb75uosZs9/PUxvQZQwzrhGxsN7XxnItPj7chpICoTmvLZLKZ0z6EHJxAycQThlynAtKmwmmPGmj2BLWlpJ23Cw+WjuK/ziSmtkOeIOyZ1ew74Gj5Q6TlSfDhvQ0v/Gybdpo64pU5Hg3LkgeLFojnDGzLJu8seAXjHg0E+dY3mIopYcv5bST7Yop6jVxCHKtQ0mmUA+VF6pGOP9moa7poVNa5iXeoyGtS31VEALOoYMvRNNUGcdV0TFLzp8FqgTtg/dG0t/7MTT7wbhMFfXHMlH2lQijTx9+CBu0pzyTk5ztUIBVClbX7iuNKDngxsc1qHdaFeuejFG60dIuBh7bUZZfo3ZwSR4APSkj/EnYKcRtW6eWsXaQjXWcsRzaXXOARKJoczbkuhEwdpYZ0Du6Oo17vPh37FilBkSN5Hulsdq+YTylLaJfeqridP0CYKTXdbCFNnu2Q9pehOGW4OTSTEq7Qss7K2um2szSWXKeBVYc/DcZj7TnWm7U15SOtAHD+tcs8UFZV5/qOpVc1KBNRk2iAdrJmtpWv15anmsjX7reWbw3cyh4BlJ77To0CX2NMUHnPvWc6eFGtmc9TeI1IH7zjilz6qEwvxEY1LetXg2GiRV57IA4av78oZMauD4m0HGoxOvo5ivFxPgifXZ9QCbfxlMYlf9guFqd8cI06x7mZ1OLhdhJUO3Mt5viqd8LKNFYsBg/xAhp/uWp6WSVVgskj5A== X-OriginatorOrg: est.tech X-MS-Exchange-CrossTenant-Network-Message-Id: 4109206b-1837-48fb-d5c0-08ded6a805c0 X-MS-Exchange-CrossTenant-AuthSource: AM7P189MB0725.EURP189.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jun 2026 13:03:47.4945 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: d2585e63-66b9-44b6-a76e-4f4b217d97fd X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: efrFLIlVzaF+QEDEZRHg8U1WS7AAQFulYuxV8OwS7zWlHI04/k/oI6Mki5dVtoVID6oBMWepGQk8F9HXfNDOAA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWP189MB2777 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Jun 2026 13:03:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/239890 CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. Signed-off-by: Roland Kovacs --- .../gnupg/gnupg/CVE-2026-57062.patch | 43 +++++++++++++++++++ meta/recipes-support/gnupg/gnupg_2.5.20.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch new file mode 100644 index 0000000000..f298b6e9a8 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch @@ -0,0 +1,43 @@ +From d586f50ee849c8cbeaea47b50c64446c1becbf9b Mon Sep 17 00:00:00 2001 +From: Werner Koch +Date: Thu, 18 Jun 2026 10:51:34 +0200 +Subject: [PATCH] gpgsm: Require a minimum tag length for GCM decryption. + +* sm/decrypt.c (gpgsm_decrypt): Require a minimum authtaglen. +-- + +Reported-by: Thai Duong +This is similar to OpenSSL's +CVE-id: CVE-2026-34182 + +CVE: CVE-2026-57062 +Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4] + +Signed-off-by: Roland Kovacs +--- + sm/decrypt.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sm/decrypt.c b/sm/decrypt.c +index 20fb96060..92a33c6e6 100644 +--- a/sm/decrypt.c ++++ b/sm/decrypt.c +@@ -1447,7 +1447,14 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t out_fp) + } + if (DBG_CRYPTO) + log_printhex (authtag, authtaglen, "Authtag ...:"); +- rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen); ++ if (authtaglen < 12) ++ { ++ log_info ("authentication tag is too short (%zu octets)\n", ++ authtaglen); ++ rc = gpg_error (GPG_ERR_CHECKSUM); ++ } ++ else ++ rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen); + xfree (authtag); + if (rc) + log_error ("data is not authentic: %s\n", gpg_strerror (rc)); +-- +2.34.1 + diff --git a/meta/recipes-support/gnupg/gnupg_2.5.20.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb index a1a50e2384..e373265c48 100644 --- a/meta/recipes-support/gnupg/gnupg_2.5.20.bb +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb @@ -20,6 +20,7 @@ SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0002-use-pkgconfig-instead-of-npth-config.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ + file://CVE-2026-57062.patch \ " SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \ file://relocate.patch"