gnupg: patch CVE-2025-68973

Pick patch from 2.4 branch per [1]. [1] https://security-tracker.debian.org/tracker/CVE-2025-68973 (From OE-Core rev: 403a9bc3da3574d828cfbce805df48d0181eafed) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2026-01-10 23:45:18 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-01-26 09:49:25 +0000
commit: 71966f1badb103c7caeed5c3face2c89d1afe8b3 (patch)
tree: 2f99ef9e6d75a365ada7aa1ba13600343a2e9ae9
parent: cd8f4444b207778a91c1a027c149dfd05dae867b (diff)
download: poky-71966f1badb103c7caeed5c3face2c89d1afe8b3.tar.gz
2 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch b/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch
new file mode 100644
index 0000000000..1d5225361b
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch
@@ -0,0 +1,108 @@
+From 4ecc5122f20e10c17172ed72f4fa46c784b5fb48 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 23 Oct 2025 11:36:04 +0200
+Subject: [PATCH] gpg: Fix possible memory corruption in the armor parser.
+* g10/armor.c (armor_filter): Fix faulty double increment.
+* common/iobuf.c (underflow_target): Assert that the filter
+implementations behave well.
+--
+This fixes a bug in a code path which can only be reached with special
+crafted input data and would then error out at an upper layer due to
+corrupt input (every second byte in the buffer is unitialized
+garbage).  No fuzzing has yet hit this case and we don't have a test
+case for this code path.  However memory corruption can never be
+tolerated as it always has the protential for remode code execution.
+Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
+Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
+which fixed
+Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f
+Backported-from-master: 115d138ba599328005c5321c0ef9f00355838ca9
+The bug was introduced on 1999-01-07 by me:
+* armor.c: Rewrote large parts.
+which I fixed on 1999-03-02 but missed to fix the other case:
+* armor.c (armor_filter): Fixed armor bypassing.
+Below is base64+gzipped test data which can be used with valgrind to
+show access to uninitalized memory in write(2) in the unpatched code.
+--8<---------------cut here---------------start------------->8---
+H4sICIDd+WgCA3h4AO3QMQ6CQBCG0djOKbY3G05gscYFSRAJt/AExp6Di0cQG0ze
+a//MV0zOq3Pt+jFN3ZTKfLvP9ZLafqifJUe8juOjeZbVtSkbRPmRgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgMCXF6dYDgAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC7E14AAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwZ94aieId3+8EAA==
+--8<---------------cut here---------------end--------------->8---
+CVE: CVE-2025-68973
+Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4ecc5122f20e10c17172ed72f4fa46c784b5fb48]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ common/iobuf.c | 8 +++++++-
+ g10/armor.c    | 4 ++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+diff --git a/common/iobuf.c b/common/iobuf.c
+index 748e6935d..2497713c1 100644
+--- a/common/iobuf.c
+++ b/common/iobuf.c
+@@ -2041,6 +2041,8 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+        rc = 0;
+       else
+       {
+        size_t tmplen;
+
+        /* If no buffered data and drain buffer has been setup, and drain
+         * buffer is largish, read data directly to drain buffer. */
+        if (a->d.len == 0
+@@ -2053,8 +2055,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+              log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes, to external drain)\n",
+                         a->no, a->subno, (ulong)len);
+ 
+-           rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+            tmplen = len;  /* Used to check for bugs in the filter.  */
+            rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+                            a->e_d.buf, &len);
+            log_assert (len <= tmplen);
+            a->e_d.used = len;
+            len = 0;
+          }
+@@ -2064,8 +2068,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+              log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes)\n",
+                         a->no, a->subno, (ulong)len);
+ 
+            tmplen = len;  /* Used to check for bugs in the filter.  */
+            rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+                            &a->d.buf[a->d.len], &len);
+            log_assert (len <= tmplen);
+          }
+       }
+       a->d.len += len;
+diff --git a/g10/armor.c b/g10/armor.c
+index 81af15339..f8cfa86db 100644
+--- a/g10/armor.c
+++ b/g10/armor.c
+@@ -1312,8 +1312,8 @@ armor_filter( void *opaque, int control,
+        n = 0;
+        if( afx->buffer_len ) {
+             /* Copy the data from AFX->BUFFER to BUF.  */
+-           for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
+-               buf[n++] = afx->buffer[afx->buffer_pos++];
+            for(; n < size && afx->buffer_pos < afx->buffer_len;)
+                buf[n++] = afx->buffer[afx->buffer_pos++];
+            if( afx->buffer_pos >= afx->buffer_len )
+                afx->buffer_len = 0;
+        }
diff --git a/meta/recipes-support/gnupg/gnupg_2.3.7.bb b/meta/recipes-support/gnupg/gnupg_2.3.7.bb
index 27b2d3682a..f52ae921d4 100644
--- a/meta/recipes-support/gnupg/gnupg_2.3.7.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.3.7.bb
@@ -23,6 +23,7 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://CVE-2025-30258-0003.patch \
           file://CVE-2025-30258-0004.patch \
           file://CVE-2025-30258-0005.patch \
+           file://CVE-2025-68973.patch \
           "
 SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
                                file://relocate.patch"
author	Peter Marko <peter.marko@siemens.com>	2026-01-10 23:45:18 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-01-26 09:49:25 +0000
commit	71966f1badb103c7caeed5c3face2c89d1afe8b3 (patch)
tree	2f99ef9e6d75a365ada7aa1ba13600343a2e9ae9
parent	cd8f4444b207778a91c1a027c149dfd05dae867b (diff)
download	poky-71966f1badb103c7caeed5c3face2c89d1afe8b3.tar.gz

diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch b/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch new file mode 100644 index 0000000000..1d5225361b --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg/CVE-2025-68973.patch
@@ -0,0 +1,108 @@
		1	From 4ecc5122f20e10c17172ed72f4fa46c784b5fb48 Mon Sep 17 00:00:00 2001
		2	From: Werner Koch <wk@gnupg.org>
		3	Date: Thu, 23 Oct 2025 11:36:04 +0200
		4	Subject: [PATCH] gpg: Fix possible memory corruption in the armor parser.
		5
		6	* g10/armor.c (armor_filter): Fix faulty double increment.
		7
		8	* common/iobuf.c (underflow_target): Assert that the filter
		9	implementations behave well.
		10	--
		11
		12	This fixes a bug in a code path which can only be reached with special
		13	crafted input data and would then error out at an upper layer due to
		14	corrupt input (every second byte in the buffer is unitialized
		15	garbage). No fuzzing has yet hit this case and we don't have a test
		16	case for this code path. However memory corruption can never be
		17	tolerated as it always has the protential for remode code execution.
		18
		19	Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
		20	Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
		21	which fixed
		22	Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f
		23	Backported-from-master: 115d138ba599328005c5321c0ef9f00355838ca9
		24
		25	The bug was introduced on 1999-01-07 by me:
		26	* armor.c: Rewrote large parts.
		27	which I fixed on 1999-03-02 but missed to fix the other case:
		28	* armor.c (armor_filter): Fixed armor bypassing.
		29
		30	Below is base64+gzipped test data which can be used with valgrind to
		31	show access to uninitalized memory in write(2) in the unpatched code.
		32
		33	--8<---------------cut here---------------start------------->8---
		34	H4sICIDd+WgCA3h4AO3QMQ6CQBCG0djOKbY3G05gscYFSRAJt/AExp6Di0cQG0ze
		35	a//MV0zOq3Pt+jFN3ZTKfLvP9ZLafqifJUe8juOjeZbVtSkbRPmRgICAgICAgICA
		36	gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
		37	gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
		38	gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
		39	gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
		40	gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
		41	gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
		42	gICAgICAgICAgICAgICAgICAgICAgICAgMCXF6dYDgAAAAAAAAAAAAAAAAAAAAAA
		43	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC7E14AAAAA
		44	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
		45	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
		46	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
		47	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwZ94aieId3+8EAA==
		48	--8<---------------cut here---------------end--------------->8---
		49
		50	CVE: CVE-2025-68973
		51	Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4ecc5122f20e10c17172ed72f4fa46c784b5fb48]
		52	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		53	---
		54	common/iobuf.c \| 8 +++++++-
		55	g10/armor.c \| 4 ++--
		56	2 files changed, 9 insertions(+), 3 deletions(-)
		57
		58	diff --git a/common/iobuf.c b/common/iobuf.c
		59	index 748e6935d..2497713c1 100644
		60	--- a/common/iobuf.c
		61	+++ b/common/iobuf.c
		62	@@ -2041,6 +2041,8 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
		63	rc = 0;
		64	else
		65	{
		66	+ size_t tmplen;
		67	+
		68	/* If no buffered data and drain buffer has been setup, and drain
		69	* buffer is largish, read data directly to drain buffer. */
		70	if (a->d.len == 0
		71	@@ -2053,8 +2055,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
		72	log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes, to external drain)\n",
		73	a->no, a->subno, (ulong)len);
		74
		75	- rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
		76	+ tmplen = len; /* Used to check for bugs in the filter. */
		77	+ rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
		78	a->e_d.buf, &len);
		79	+ log_assert (len <= tmplen);
		80	a->e_d.used = len;
		81	len = 0;
		82	}
		83	@@ -2064,8 +2068,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
		84	log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes)\n",
		85	a->no, a->subno, (ulong)len);
		86
		87	+ tmplen = len; /* Used to check for bugs in the filter. */
		88	rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
		89	&a->d.buf[a->d.len], &len);
		90	+ log_assert (len <= tmplen);
		91	}
		92	}
		93	a->d.len += len;
		94	diff --git a/g10/armor.c b/g10/armor.c
		95	index 81af15339..f8cfa86db 100644
		96	--- a/g10/armor.c
		97	+++ b/g10/armor.c
		98	@@ -1312,8 +1312,8 @@ armor_filter( void *opaque, int control,
		99	n = 0;
		100	if( afx->buffer_len ) {
		101	/* Copy the data from AFX->BUFFER to BUF. */
		102	- for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
		103	- buf[n++] = afx->buffer[afx->buffer_pos++];
		104	+ for(; n < size && afx->buffer_pos < afx->buffer_len;)
		105	+ buf[n++] = afx->buffer[afx->buffer_pos++];
		106	if( afx->buffer_pos >= afx->buffer_len )
		107	afx->buffer_len = 0;
		108	}


diff --git a/meta/recipes-support/gnupg/gnupg_2.3.7.bb b/meta/recipes-support/gnupg/gnupg_2.3.7.bb index 27b2d3682a..f52ae921d4 100644 --- a/meta/recipes-support/gnupg/gnupg_2.3.7.bb +++ b/meta/recipes-support/gnupg/gnupg_2.3.7.bb
@@ -23,6 +23,7 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
23	file://CVE-2025-30258-0003.patch \	23	file://CVE-2025-30258-0003.patch \
24	file://CVE-2025-30258-0004.patch \	24	file://CVE-2025-30258-0004.patch \
25	file://CVE-2025-30258-0005.patch \	25	file://CVE-2025-30258-0005.patch \
		26	file://CVE-2025-68973.patch \
26	"	27	"
27	SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \	28	SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
28	file://relocate.patch"	29	file://relocate.patch"