2 files changed, 117 insertions, 0 deletions
diff --git a/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch b/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch
new file mode 100644
index 0000000000..de1099c40b
--- /dev/null
+++ b/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch
@@ -0,0 +1,116 @@
+From 1eda4012c5350efae02fcc058e0a36cc71ad62fd Mon Sep 17 00:00:00 2001
+From: Chris Lamb <lamby@debian.org>
+Date: Fri, 9 Feb 2024 10:43:18 -0800
+Subject: [PATCH] Use a determistic name instead of trusting gpg's
+ --use-embedded-filenames. (Closes: reproducible-builds/diffoscope#361)
+... but also expose the embedded name by attaching the ("unstable") output of
+--list-packets.
+Many thanks to Daniel Kahn Gillmor <dkg@debian.org> for reporting this issue
+and providing feedback.
+Upstream-Status: Backport
+[https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476]
+CVE: CVE-2024-25711
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ diffoscope/comparators/pgp.py | 34 +++++++++++++++++++++++++++++-----
+ tests/comparators/test_pgp.py |  3 ++-
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+diff --git a/diffoscope/comparators/pgp.py b/diffoscope/comparators/pgp.py
+index eea997b..9215664 100644
+--- a/diffoscope/comparators/pgp.py
+++ b/diffoscope/comparators/pgp.py
+@@ -32,6 +32,8 @@ from .utils.command import Command, our_check_output
+ 
+ logger = logging.getLogger(__name__)
+ 
+re_name = re.compile(r", created \d+, name=\"(?P<name>[^\"]+)\",")
+
+ 
+ class Pgpdump(Command):
+     @tool_required("pgpdump")
+@@ -46,21 +48,31 @@ class Pgpdump(Command):
+         )
+ 
+ 
+class GpgListPackets(Command):
+    @tool_required("gpg")
+    def cmdline(self):
+        return (
+            "gpg",
+            "--no-keyring",
+            "--list-packets",
+            self.path,
+        )
+
+
+ class PGPContainer(Archive):
+     @tool_required("gpg")
+     def open_archive(self):
+-        # Extract to a fresh temporary directory so that we can use the
+-        # embedded filename.
+-
+        # Extract to a fresh temporary directory.
+         self._temp_dir = get_temporary_directory(suffix="pgp")
+ 
+         try:
+             our_check_output(
+                 (
+                     "gpg",
+-                    "--use-embedded-filename",
+                     "--decrypt",
+                     "--no-keyring",
+                    "--output",
+                    os.path.join(self._temp_dir.name, "contents"),
+                     os.path.abspath(self.source.path),
+                 ),
+                 cwd=self._temp_dir.name,
+@@ -75,7 +87,7 @@ class PGPContainer(Archive):
+         self._temp_dir.cleanup()
+ 
+     def get_member_names(self):
+-        # Will only return one filename, taken from the signature file itself.
+        # Will only ever return one filename
+         return os.listdir(self._temp_dir.name)
+ 
+     def extract(self, member_name, dest_dir):
+@@ -136,4 +148,16 @@ class PgpSignature(TextFile):
+             ]
+         )
+ 
+        # ... as well as gpg --list-packets
+        difference.add_details(
+            [
+                Difference.from_operation(
+                    GpgListPackets,
+                    self.path,
+                    other.path,
+                    source="gpg --list-packets",
+                )
+            ]
+        )
+
+         return difference
+diff --git a/tests/comparators/test_pgp.py b/tests/comparators/test_pgp.py
+index 8652ea9..49b3fa0 100644
+--- a/tests/comparators/test_pgp.py
+++ b/tests/comparators/test_pgp.py
+@@ -80,8 +80,9 @@ def test_pgp_signature_identification(signature1, signature2):
+ def test_pgp_signature(signature1, signature2):
+     difference = signature1.compare(signature2)
+     assert_diff(difference, "pgp_signature_expected_diff")
+    assert len(difference.details) == 2
+     assert difference.details[0].source1 == "pgpdump"
+-    assert len(difference.details) == 1
+    assert difference.details[1].source1 == "gpg --list-packets"
+ 
+ 
+ @skip_unless_tools_exist("pgpdump")
+-- 
+2.25.1
diff --git a/meta/recipes-support/diffoscope/diffoscope_208.bb b/meta/recipes-support/diffoscope/diffoscope_208.bb
index 3c3b007d60..e4fde88c95 100644
--- a/meta/recipes-support/diffoscope/diffoscope_208.bb
+++ b/meta/recipes-support/diffoscope/diffoscope_208.bb
@@ -12,6 +12,7 @@ PYPI_PACKAGE = "diffoscope"
 inherit pypi setuptools3
+SRC_URI += " file://CVE-2024-25711.patch"
 SRC_URI[sha256sum] = "2c5c0ac1159eefce158154849fe67f0f527dffc5295bfd3ca1aef14962ffcbcb"
 RDEPENDS:${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic python3-rpm"

diff --git a/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch b/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch new file mode 100644 index 0000000000..de1099c40b --- /dev/null +++ b/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch
@@ -0,0 +1,116 @@
		1	From 1eda4012c5350efae02fcc058e0a36cc71ad62fd Mon Sep 17 00:00:00 2001
		2	From: Chris Lamb <lamby@debian.org>
		3	Date: Fri, 9 Feb 2024 10:43:18 -0800
		4	Subject: [PATCH] Use a determistic name instead of trusting gpg's
		5	--use-embedded-filenames. (Closes: reproducible-builds/diffoscope#361)
		6
		7	... but also expose the embedded name by attaching the ("unstable") output of
		8	--list-packets.
		9
		10	Many thanks to Daniel Kahn Gillmor <dkg@debian.org> for reporting this issue
		11	and providing feedback.
		12
		13	Upstream-Status: Backport
		14	[https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476]
		15
		16	CVE: CVE-2024-25711
		17
		18	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
		19	---
		20	diffoscope/comparators/pgp.py \| 34 +++++++++++++++++++++++++++++-----
		21	tests/comparators/test_pgp.py \| 3 ++-
		22	2 files changed, 31 insertions(+), 6 deletions(-)
		23
		24	diff --git a/diffoscope/comparators/pgp.py b/diffoscope/comparators/pgp.py
		25	index eea997b..9215664 100644
		26	--- a/diffoscope/comparators/pgp.py
		27	+++ b/diffoscope/comparators/pgp.py
		28	@@ -32,6 +32,8 @@ from .utils.command import Command, our_check_output
		29
		30	logger = logging.getLogger(__name__)
		31
		32	+re_name = re.compile(r", created \d+, name=\"(?P<name>[^\"]+)\",")
		33	+
		34
		35	class Pgpdump(Command):
		36	@tool_required("pgpdump")
		37	@@ -46,21 +48,31 @@ class Pgpdump(Command):
		38	)
		39
		40
		41	+class GpgListPackets(Command):
		42	+ @tool_required("gpg")
		43	+ def cmdline(self):
		44	+ return (
		45	+ "gpg",
		46	+ "--no-keyring",
		47	+ "--list-packets",
		48	+ self.path,
		49	+ )
		50	+
		51	+
		52	class PGPContainer(Archive):
		53	@tool_required("gpg")
		54	def open_archive(self):
		55	- # Extract to a fresh temporary directory so that we can use the
		56	- # embedded filename.
		57	-
		58	+ # Extract to a fresh temporary directory.
		59	self._temp_dir = get_temporary_directory(suffix="pgp")
		60
		61	try:
		62	our_check_output(
		63	(
		64	"gpg",
		65	- "--use-embedded-filename",
		66	"--decrypt",
		67	"--no-keyring",
		68	+ "--output",
		69	+ os.path.join(self._temp_dir.name, "contents"),
		70	os.path.abspath(self.source.path),
		71	),
		72	cwd=self._temp_dir.name,
		73	@@ -75,7 +87,7 @@ class PGPContainer(Archive):
		74	self._temp_dir.cleanup()
		75
		76	def get_member_names(self):
		77	- # Will only return one filename, taken from the signature file itself.
		78	+ # Will only ever return one filename
		79	return os.listdir(self._temp_dir.name)
		80
		81	def extract(self, member_name, dest_dir):
		82	@@ -136,4 +148,16 @@ class PgpSignature(TextFile):
		83	]
		84	)
		85
		86	+ # ... as well as gpg --list-packets
		87	+ difference.add_details(
		88	+ [
		89	+ Difference.from_operation(
		90	+ GpgListPackets,
		91	+ self.path,
		92	+ other.path,
		93	+ source="gpg --list-packets",
		94	+ )
		95	+ ]
		96	+ )
		97	+
		98	return difference
		99	diff --git a/tests/comparators/test_pgp.py b/tests/comparators/test_pgp.py
		100	index 8652ea9..49b3fa0 100644
		101	--- a/tests/comparators/test_pgp.py
		102	+++ b/tests/comparators/test_pgp.py
		103	@@ -80,8 +80,9 @@ def test_pgp_signature_identification(signature1, signature2):
		104	def test_pgp_signature(signature1, signature2):
		105	difference = signature1.compare(signature2)
		106	assert_diff(difference, "pgp_signature_expected_diff")
		107	+ assert len(difference.details) == 2
		108	assert difference.details[0].source1 == "pgpdump"
		109	- assert len(difference.details) == 1
		110	+ assert difference.details[1].source1 == "gpg --list-packets"
		111
		112
		113	@skip_unless_tools_exist("pgpdump")
		114	--
		115	2.25.1
		116


diff --git a/meta/recipes-support/diffoscope/diffoscope_208.bb b/meta/recipes-support/diffoscope/diffoscope_208.bb index 3c3b007d60..e4fde88c95 100644 --- a/meta/recipes-support/diffoscope/diffoscope_208.bb +++ b/meta/recipes-support/diffoscope/diffoscope_208.bb
@@ -12,6 +12,7 @@ PYPI_PACKAGE = "diffoscope"
12		12
13	inherit pypi setuptools3	13	inherit pypi setuptools3
14		14
		15	SRC_URI += " file://CVE-2024-25711.patch"
15	SRC_URI[sha256sum] = "2c5c0ac1159eefce158154849fe67f0f527dffc5295bfd3ca1aef14962ffcbcb"	16	SRC_URI[sha256sum] = "2c5c0ac1159eefce158154849fe67f0f527dffc5295bfd3ca1aef14962ffcbcb"
16		17
17	RDEPENDS:${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic python3-rpm"	18	RDEPENDS:${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic python3-rpm"