From 1955396dd275f32c8505ab22faa75bd8ed516668 Mon Sep 17 00:00:00 2001
From: Yue Tao <yue.tao@windriver.com>
Date: Tue, 12 Jul 2022 14:42:30 +0800
Subject: gnupg: upgrade to 2.3.7 to fix CVE-2022-34903

(From OE-Core rev: f511d6ca6db17c585532243f4c015692dfb2b727)

Signed-off-by: Yue Tao <yue.tao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-support/gnupg/gnupg_2.3.6.bb | 87 -------------------------------
 meta/recipes-support/gnupg/gnupg_2.3.7.bb | 87 +++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 87 deletions(-)
 delete mode 100644 meta/recipes-support/gnupg/gnupg_2.3.6.bb
 create mode 100644 meta/recipes-support/gnupg/gnupg_2.3.7.bb

(limited to 'meta/recipes-support/gnupg')

diff --git a/meta/recipes-support/gnupg/gnupg_2.3.6.bb b/meta/recipes-support/gnupg/gnupg_2.3.6.bb
deleted file mode 100644
index f35eb8c75a..0000000000
--- a/meta/recipes-support/gnupg/gnupg_2.3.6.bb
+++ /dev/null
@@ -1,87 +0,0 @@
-SUMMARY = "GNU Privacy Guard - encryption and signing tools (2.x)"
-DESCRIPTION = "A complete and free implementation of the OpenPGP standard \
-as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt \
-and sign your data and communications; it features a versatile key \
-management system, along with access modules for all kinds of public \
-key directories."
-HOMEPAGE = "http://www.gnupg.org/"
-LICENSE = "GPL-3.0-only & LGPL-3.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=189af8afca6d6075ba6c9e0aa8077626 \
-                    file://COPYING.LGPL3;md5=a2b6bf2cb38ee52619e60f30a1fc7257"
-
-DEPENDS = "npth libassuan libksba zlib bzip2 readline libgcrypt"
-
-inherit autotools gettext texinfo pkgconfig
-
-UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
-SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
-           file://0002-use-pkgconfig-instead-of-npth-config.patch \
-           file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
-           file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
-           "
-SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
-                                file://relocate.patch"
-SRC_URI:append:class-nativesdk = " file://relocate.patch"
-
-SRC_URI[sha256sum] = "21f7fe2fc5c2f214184ab050977ec7a8e304e58bfae2ab098fec69f8fabda9c1"
-
-EXTRA_OECONF = "--disable-ldap \
-		--disable-ccid-driver \
-		--with-zlib=${STAGING_LIBDIR}/.. \
-		--with-bzip2=${STAGING_LIBDIR}/.. \
-		--with-readline=${STAGING_LIBDIR}/.. \
-		--with-mailprog=${sbindir}/sendmail \
-		--enable-gpg-is-gpg2 \
-               "
-
-# A minimal package containing just enough to run gpg+gpgagent (E.g. use gpgme in opkg)
-PACKAGES =+ "${PN}-gpg"
-FILES:${PN}-gpg = " \
-	${bindir}/gpg \
-	${bindir}/gpg2 \
-	${bindir}/gpg-agent \
-"
-
-# Normal package (gnupg) should depend on minimal package (gnupg-gpg)
-# to ensure all tools are included. This is done only in non-native
-# builds. Native builds don't have sub-packages, so appending RDEPENDS
-# in this case breaks recipe parsing.
-RDEPENDS:${PN} += "${@ "" if ("native" in d.getVar("PN")) else (d.getVar("PN") + "-gpg")}"
-
-RRECOMMENDS:${PN} = "pinentry"
-
-do_configure:prepend () {
-	# Else these could be used in prefernce to those in aclocal-copy
-	rm -f ${S}/m4/gpg-error.m4
-	rm -f ${S}/m4/libassuan.m4
-	rm -f ${S}/m4/ksba.m4
-	rm -f ${S}/m4/libgcrypt.m4
-}
-
-do_install:append() {
-	ln -sf gpg2 ${D}${bindir}/gpg
-	ln -sf gpgv2 ${D}${bindir}/gpgv
-}
-
-do_install:append:class-native() {
-	create_wrappers ${STAGING_BINDIR_NATIVE}
-}
-
-do_install:append:class-nativesdk() {
-	create_wrappers ${SDKPATHNATIVE}${bindir_nativesdk}
-}
-
-create_wrappers() {
-	for i in gpg2 gpgconf gpg-agent gpg-connect-agent; do
-		create_wrapper ${D}${bindir}/$i GNUPG_BINDIR=$1
-	done
-}
-
-PACKAGECONFIG ??= "gnutls"
-PACKAGECONFIG[gnutls] = "--enable-gnutls, --disable-gnutls, gnutls"
-PACKAGECONFIG[sqlite3] = "--enable-sqlite, --disable-sqlite, sqlite3"
-
-BBCLASSEXTEND = "native nativesdk"
-
-lcl_maybe_fortify:mipsarch = ""
-
diff --git a/meta/recipes-support/gnupg/gnupg_2.3.7.bb b/meta/recipes-support/gnupg/gnupg_2.3.7.bb
new file mode 100644
index 0000000000..da2b1c4deb
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg_2.3.7.bb
@@ -0,0 +1,87 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools (2.x)"
+DESCRIPTION = "A complete and free implementation of the OpenPGP standard \
+as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt \
+and sign your data and communications; it features a versatile key \
+management system, along with access modules for all kinds of public \
+key directories."
+HOMEPAGE = "http://www.gnupg.org/"
+LICENSE = "GPL-3.0-only & LGPL-3.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=189af8afca6d6075ba6c9e0aa8077626 \
+                    file://COPYING.LGPL3;md5=a2b6bf2cb38ee52619e60f30a1fc7257"
+
+DEPENDS = "npth libassuan libksba zlib bzip2 readline libgcrypt"
+
+inherit autotools gettext texinfo pkgconfig
+
+UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html"
+SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
+           file://0002-use-pkgconfig-instead-of-npth-config.patch \
+           file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
+           file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+           "
+SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
+                                file://relocate.patch"
+SRC_URI:append:class-nativesdk = " file://relocate.patch"
+
+SRC_URI[sha256sum] = "ee163a5fb9ec99ffc1b18e65faef8d086800c5713d15a672ab57d3799da83669"
+
+EXTRA_OECONF = "--disable-ldap \
+		--disable-ccid-driver \
+		--with-zlib=${STAGING_LIBDIR}/.. \
+		--with-bzip2=${STAGING_LIBDIR}/.. \
+		--with-readline=${STAGING_LIBDIR}/.. \
+		--with-mailprog=${sbindir}/sendmail \
+		--enable-gpg-is-gpg2 \
+               "
+
+# A minimal package containing just enough to run gpg+gpgagent (E.g. use gpgme in opkg)
+PACKAGES =+ "${PN}-gpg"
+FILES:${PN}-gpg = " \
+	${bindir}/gpg \
+	${bindir}/gpg2 \
+	${bindir}/gpg-agent \
+"
+
+# Normal package (gnupg) should depend on minimal package (gnupg-gpg)
+# to ensure all tools are included. This is done only in non-native
+# builds. Native builds don't have sub-packages, so appending RDEPENDS
+# in this case breaks recipe parsing.
+RDEPENDS:${PN} += "${@ "" if ("native" in d.getVar("PN")) else (d.getVar("PN") + "-gpg")}"
+
+RRECOMMENDS:${PN} = "pinentry"
+
+do_configure:prepend () {
+	# Else these could be used in prefernce to those in aclocal-copy
+	rm -f ${S}/m4/gpg-error.m4
+	rm -f ${S}/m4/libassuan.m4
+	rm -f ${S}/m4/ksba.m4
+	rm -f ${S}/m4/libgcrypt.m4
+}
+
+do_install:append() {
+	ln -sf gpg2 ${D}${bindir}/gpg
+	ln -sf gpgv2 ${D}${bindir}/gpgv
+}
+
+do_install:append:class-native() {
+	create_wrappers ${STAGING_BINDIR_NATIVE}
+}
+
+do_install:append:class-nativesdk() {
+	create_wrappers ${SDKPATHNATIVE}${bindir_nativesdk}
+}
+
+create_wrappers() {
+	for i in gpg2 gpgconf gpg-agent gpg-connect-agent; do
+		create_wrapper ${D}${bindir}/$i GNUPG_BINDIR=$1
+	done
+}
+
+PACKAGECONFIG ??= "gnutls"
+PACKAGECONFIG[gnutls] = "--enable-gnutls, --disable-gnutls, gnutls"
+PACKAGECONFIG[sqlite3] = "--enable-sqlite, --disable-sqlite, sqlite3"
+
+BBCLASSEXTEND = "native nativesdk"
+
+lcl_maybe_fortify:mipsarch = ""
+
-- 
cgit v1.2.3-54-g00ecf