Package: release.debian.org
Severity: normal
X-Debbugs-Cc: gnupg2@packages.debian.org, gnupg2@packages.debian.org
Control: affects -1 + src:gnupg2
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gnupg2

This fixes another regression from the CVE-2025-30258 fix and cherry-picks multiple fixes from upstream's maintenance branch STABLE-BRANCH-2-4 which were included in 2.4.8.

unblock gnupg2/2.4.7-19

We have another fix pending (#1106800) which I have just uploaded to experimental to avoid resetting the propagation timer.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
diff --git a/debian/changelog b/debian/changelog index fe466a495..1b24c466d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,31 @@ +gnupg2 (2.4.7-19) unstable; urgency=medium + + * Upload to unstable. + + -- Andreas Metzler <ametzler@debian.org> Wed, 14 May 2025 06:22:05 +0200 + +gnupg2 (2.4.7-18) experimental; urgency=medium + + [ Daniel Kahn Gillmor ] + * Handle certification-only pubkeys correctly (Closes: #1101007) + + [ Andreas Metzler ] + * Cherry-pick fixes from upstream STABLE-BRANCH-2-4: + + Fix key generation with existing key from card. + (2.4.7 regression) https://dev.gnupg.org/T7457 + + gpgconf: Fix reload and kill of keyboxd + https://dev.gnupg.org/T7569 + + keyboxd: Convert upper-case email-address search string to lower-case + https://dev.gnupg.org/T7576 + + Fix use of undefined behavior in ksba-io-support.c + (Use memchr since calling strchr on a non-NUL terminated string is + undefined behavior.) + + Fix --list-filter select='disabled-f'. + + -- Andreas Metzler <ametzler@debian.org> Sun, 11 May 2025 13:04:10 +0200 + gnupg2 (2.4.7-17) unstable; urgency=medium * re-enable piuparts in salsa-ci, keyboxd package is no more. * disable missing-breaks salsa ci. (fp: gpg-from-sq) * Add pkg.gnupg2.gpgvonly build profile. (Thanks, Helmut Grohne) diff --git a/debian/patches/from-upstream/0001-gpg-Fix-key-generation-with-existing-key-from-card.patch b/debian/patches/from-upstream/0001-gpg-Fix-key-generation-with-existing-key-from-card.patch new file mode 100644 index 000000000..3a4a7f2ae --- /dev/null +++ b/debian/patches/from-upstream/0001-gpg-Fix-key-generation-with-existing-key-from-card.patch 
@@ -0,0 +1,30 @@ +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Mon, 16 Dec 2024 09:56:24 +0900 +Subject: [PATCH 01/10] gpg: Fix key generation with existing key from card. + +* g10/keygen.c (ask_algo): Fix condition. Continue the loop when +failure. + +-- + +Fixes-commit: 6022f10da39e512b5b3fed3869fd6579d954090c +GnuPG-bug-id: 7309, 7457 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +(cherry picked from commit cc3efe9a7312b1ca2c2398e439178e0b23e857df) +--- + g10/keygen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/g10/keygen.c b/g10/keygen.c +index 9b689a9..b301db9 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -2483,7 +2483,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage, + if (!keyref) + continue; + +- if (!agent_scd_readkey (ctrl, keyref, &s_pkey, NULL)) ++ if (agent_scd_readkey (ctrl, keyref, &s_pkey, NULL)) + continue; + + algostr = pubkey_algo_string (s_pkey, &algoid); diff --git a/debian/patches/from-upstream/0002-gpgconf-Fix-reload-and-kill-of-keyboxd.patch b/debian/patches/from-upstream/0002-gpgconf-Fix-reload-and-kill-of-keyboxd.patch new file mode 100644 index 000000000..b71c90275 --- /dev/null +++ b/debian/patches/from-upstream/0002-gpgconf-Fix-reload-and-kill-of-keyboxd.patch 
@@ -0,0 +1,38 @@ +From: Werner Koch <wk@gnupg.org> +Date: Mon, 17 Mar 2025 10:06:54 +0100 +Subject: [PATCH 02/10] gpgconf: Fix reload and kill of keyboxd. + +* tools/gpgconf-comp.c (keyboxd_runtime_change): Fix order of args. +-- + +Fixes-commit: acaeba2dbdb9bbd68a823c671d5c3577fef5d26d +GnuPG-bug-id: 7569 +(cherry picked from commit e212308ede8ecaa3a39ed0366db70da3edfc0ba2) +--- + tools/gpgconf-comp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c +index fb2a896..f9856ea 100644 +--- a/tools/gpgconf-comp.c ++++ b/tools/gpgconf-comp.c +@@ -909,15 +909,15 @@ keyboxd_runtime_change (int killflag) + int cmdidx; + + pgmname = gnupg_module_name (GNUPG_MODULE_NAME_CONNECT_AGENT); +- argv[i++] = "--no-autostart"; +- argv[i++] = "--keyboxd"; +- cmdidx = i; +- argv[i++] = killflag? "KILLKEYBOXD" : "RELOADKEYBOXD"; + if (!gnupg_default_homedir_p ()) + { + argv[i++] = "--homedir"; + argv[i++] = gnupg_homedir (); + } ++ argv[i++] = "--no-autostart"; ++ argv[i++] = "--keyboxd"; ++ cmdidx = i; ++ argv[i++] = killflag? "KILLKEYBOXD" : "RELOADKEYBOXD"; + argv[i] = NULL; + log_assert (i < DIM(argv)); + diff --git a/debian/patches/from-upstream/0006-keyboxd-Searching-UpperCaseAddress.patch b/debian/patches/from-upstream/0006-keyboxd-Searching-UpperCaseAddress.patch new file mode 100644 index 000000000..12100d960 --- /dev/null +++ b/debian/patches/from-upstream/0006-keyboxd-Searching-UpperCaseAddress.patch 
@@ -0,0 +1,67 @@ +From: NIIBE Yutaka <gniibe@fsij.org> +Date: Wed, 26 Mar 2025 14:26:54 +0900 +Subject: [PATCH 06/10] keyboxd: Searching UpperCaseAddress. + +* kbx/backend-sqlite.c (run_select_statement): Convert with +ascii_strlwr when the mode is KEYDB_SEARCH_MODE_MAIL. + +-- + +GnuPG-bug-id: 7576 +Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> +(cherry picked from commit 0812ab2996730eecc180dceab5e7a7f0a706c467) +--- + kbx/backend-sqlite.c | 38 ++++++++++++++++++++++++++++---------- + 1 file changed, 28 insertions(+), 10 deletions(-) + +diff --git a/kbx/backend-sqlite.c b/kbx/backend-sqlite.c +index 50ab6f0..57613e2 100644 +--- a/kbx/backend-sqlite.c ++++ b/kbx/backend-sqlite.c +@@ -956,18 +956,36 @@ run_select_statement (ctrl_t ctrl, be_sqlite_local_t ctx, + extra, " ORDER BY p.ubid", &ctx->select_stmt); + if (!err) + { +- s = desc[descidx].u.name; +- if (s && *s == '<' && s[1]) +- { /* It is common that the indicator for exact addrspec +- * search has not been removed. We do this here. */ +- s++; +- n = strlen (s); +- if (n > 1 && s[n-1] == '>') +- n--; ++ if (desc[descidx].mode == KEYDB_SEARCH_MODE_MAIL) ++ { ++ char *mail = xtrystrdup (desc[descidx].u.name); ++ ++ if (!mail) ++ err = gpg_error_from_syserror (); ++ else ++ { ++ ascii_strlwr (mail); ++ s = mail; ++ if (*s == '<' && s[1]) ++ { /* It is common that the indicator for exact addrspec ++ * search has not been removed. We do this here. */ ++ s++; ++ n = strlen (s); ++ if (n > 1 && s[n-1] == '>') ++ n--; ++ } ++ else ++ n = strlen (s); ++ err = run_sql_bind_ntext (ctx->select_stmt, 1, s, n); ++ xfree (mail); ++ } + } + else +- n = s? strlen (s):0; +- err = run_sql_bind_ntext (ctx->select_stmt, 1, s, n); ++ { ++ s = desc[descidx].u.name; ++ n = s? strlen (s):0; ++ err = run_sql_bind_ntext (ctx->select_stmt, 1, s, n); ++ } + } + break; + 
diff --git a/debian/patches/from-upstream/0007-Fix-access-to-the-bintoasc-mapping-in-the-libksba-su.patch b/debian/patches/from-upstream/0007-Fix-access-to-the-bintoasc-mapping-in-the-libksba-su.patch new file mode 100644 index 000000000..686815bc4 --- /dev/null +++ b/debian/patches/from-upstream/0007-Fix-access-to-the-bintoasc-mapping-in-the-libksba-su.patch @@ -0,0 +1,33 @@ +From: Collin Funk <collin.funk1@gmail.com> +Date: Wed, 30 Apr 2025 10:36:18 +0200 +Subject: [PATCH 07/10] Fix access to the bintoasc mapping in the libksba + support. + +* common/ksba-io-support.c (has_only_base64): Use memchr since calling +strchr on a non-NUL terminated string is undefined behavior. + +-- + +Signed-off-by: Collin Funk <collin.funk1@gmail.com> + +This patch has been stripped from Colin's original patch because this +is not just about a warning but an actual bug. That bug was +introduced in 2003 by me. - wk +(cherry picked from commit 33d418fd34b55bdd30b0dc1a4ab2fe41cc6d2170) +--- + common/ksba-io-support.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/ksba-io-support.c b/common/ksba-io-support.c +index 352485f..ff5e495 100644 +--- a/common/ksba-io-support.c ++++ b/common/ksba-io-support.c +@@ -174,7 +174,7 @@ has_only_base64 (const unsigned char *line, int linelen) + { + if (*line == '\n' || (linelen > 1 && *line == '\r' && line[1] == '\n')) + break; +- if ( !strchr (bintoasc, *line) ) ++ if ( !memchr (bintoasc, *line, sizeof (bintoasc)) ) + return 0; + } + return 1; /* yes */ diff --git a/debian/patches/from-upstream/0009-common-Fix-logic-for-certain-recsel-conditions.patch b/debian/patches/from-upstream/0009-common-Fix-logic-for-certain-recsel-conditions.patch new file mode 100644 index 000000000..fd7ded3ef --- /dev/null +++ b/debian/patches/from-upstream/0009-common-Fix-logic-for-certain-recsel-conditions.patch 
@@ -0,0 +1,70 @@ +From: Werner Koch <wk@gnupg.org> +Date: Wed, 30 Apr 2025 15:13:11 +0200 +Subject: [PATCH 09/10] common: Fix logic for certain recsel conditions. + +* common/recsel.c (recsel_select): Change processing of NULL values. +* common/t-recsel.c (run_test_2): Adjust for this change. Also a type +fix for s/"letter"/"letters"/. +-- + +The getval function may return NULL which indicates that there is no +useful value available. For example because the propertyname is not +defined for some external context (e.g. in gpg the packet type). This +also required to fix the test for boolean tests of a non existing +property name. + +Reported-by: shniubobo at gnupg-users on 2025-04-18. +(cherry picked from commit 3ea8cab6a40485ff9748a77bca3b26c63a788449) +--- + common/recsel.c | 6 +++++- + common/t-recsel.c | 6 +++--- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/common/recsel.c b/common/recsel.c +index fa3deba..3be491c 100644 +--- a/common/recsel.c ++++ b/common/recsel.c +@@ -506,7 +506,11 @@ recsel_select (recsel_expr_t selector, + { + value = getval? 
getval (cookie, se->name) : NULL; + if (!value) +- value = ""; ++ { ++ se = se->next; ++ result = 0; ++ continue; ++ } + + if (!*value) + { +diff --git a/common/t-recsel.c b/common/t-recsel.c +index 2d5a95d..72a2596 100644 +--- a/common/t-recsel.c ++++ b/common/t-recsel.c +@@ -306,7 +306,7 @@ run_test_2 (void) + + FREEEXPR(); + ADDEXPR ("nothing -z"); +- if (!recsel_select (se, test_2_getval, NULL)) ++ if (recsel_select (se, test_2_getval, NULL)) + fail (0, 0); + FREEEXPR(); + ADDEXPR ("nothing -n"); +@@ -334,7 +334,7 @@ run_test_2 (void) + + FREEEXPR(); + ADDEXPR ("nothing -f"); +- if (!recsel_select (se, test_2_getval, NULL)) ++ if (recsel_select (se, test_2_getval, NULL)) + fail (0, 0); + FREEEXPR(); + ADDEXPR ("nothing -t"); +@@ -369,7 +369,7 @@ run_test_2 (void) + fail (0, 0); + + FREEEXPR(); +- ADDEXPR ("letter -f"); ++ ADDEXPR ("letters -f"); + if (!recsel_select (se, test_2_getval, NULL)) + fail (0, 0); + FREEEXPR(); diff --git a/debian/patches/from-upstream/gpg-Fix-another-regression-due-to-the-T7547-fix.patch b/debian/patches/from-upstream/gpg-Fix-another-regression-due-to-the-T7547-fix.patch new file mode 100644 index 000000000..e2c127916 --- /dev/null +++ b/debian/patches/from-upstream/gpg-Fix-another-regression-due-to-the-T7547-fix.patch 
@@ -0,0 +1,45 @@ +From: Werner Koch <wk@gnupg.org> +Date: Fri, 2 May 2025 11:11:05 +0200 +Subject: gpg: Fix another regression due to the T7547 fix. + +* g10/getkey.c (get_pubkey_for_sig): Keep a requested +PUBKEY_USAGE_CERT. +(finish_lookup): For correctness in future use cases allow +PUBKEY_USAGE_CERT to also trigger verify mode. +-- + +The case here was that a cert-only primary key was removed with +export-clean. + +GnuPG-bug-id: 7583 +(cherry picked from commit 9b7c067717d815e16f9ea3cec88bca09a6cce7cb) +--- + g10/getkey.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/g10/getkey.c b/g10/getkey.c +index e326406..ae0e002 100644 +--- a/g10/getkey.c ++++ b/g10/getkey.c +@@ -341,8 +341,10 @@ get_pubkey_for_sig (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig, + /* Make sure to request only keys cabable of signing. This makes + * sure that a subkey w/o a valid backsig or with bad usage flags + * will be skipped. We also request the verification mode so that +- * expired and reoked keys are returned. */ +- pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY); ++ * expired and revoked keys are returned. We keep only a requested ++ * CERT usage in PK for the sake of key signatures. */ ++ pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY ++ | (pk->req_usage & PUBKEY_USAGE_CERT)); + + /* First try the ISSUER_FPR info. */ + fpr = issuer_fpr_raw (sig, &fprlen); +@@ -3736,7 +3738,7 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact, + /* The verify mode is used to change the behaviour so that we can + * return an expired or revoked key for signature verification. */ + verify_mode = ((req_usage & PUBKEY_USAGE_VERIFY) +- && (req_usage & PUBKEY_USAGE_SIG)); ++ && (req_usage & (PUBKEY_USAGE_CERT|PUBKEY_USAGE_SIG))); + + #define USAGE_MASK (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT) + req_usage &= USAGE_MASK; diff --git a/debian/patches/series b/debian/patches/series index 1c57afc95..cda8c045a 100644 
--- a/debian/patches/series +++ b/debian/patches/series @@ -46,5 +46,11 @@ from-upstream/gpg-Remove-a-signature-check-function-wrapper.patch from-upstream/gpg-Fix-a-verification-DoS-due-to-a-malicious-subkey-in-t.patch from-upstream/gpg-Fix-regression-for-the-recent-malicious-subkey-DoS-fi.patch from-upstream/gpg-Fix-double-free-of-internal-data.patch debian-packaging/no-keyboxd.patch gpgv-Avoid-Assuan-and-NPth-dependencies.patch +from-upstream/0001-gpg-Fix-key-generation-with-existing-key-from-card.patch +from-upstream/0002-gpgconf-Fix-reload-and-kill-of-keyboxd.patch +from-upstream/0006-keyboxd-Searching-UpperCaseAddress.patch +from-upstream/0007-Fix-access-to-the-bintoasc-mapping-in-the-libksba-su.patch +from-upstream/gpg-Fix-another-regression-due-to-the-T7547-fix.patch +from-upstream/0009-common-Fix-logic-for-certain-recsel-conditions.patch
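Review bot: in 0001-gpg-Fix-key-generation-with-existing-key-from-card.patch the inverted check `if (!agent_scd_readkey (ctrl, keyref, &s_pkey, NULL)) continue;` skipped exactly the card keys that were read successfully and let the failure case fall through to `pubkey_algo_string (s_pkey, &algoid)` with an s_pkey that was never filled in, so the one-character fix is correct. The hunk does not show where s_pkey is released on the other loop iterations; please confirm that path, and add a short comment on the condition ("skip keys we cannot read") so the sense is not flipped again by a later cleanup.

Review bot: in 0002-gpgconf-Fix-reload-and-kill-of-keyboxd.patch the reorder in keyboxd_runtime_change only makes sense because gpg-connect-agent stops option processing at the command word, so with `KILLKEYBOXD` placed before `--homedir` the homedir option was no longer seen as an option. Since cmdidx now depends on whether the `--homedir` block ran, add a one-line comment above `argv[i++] = "--no-autostart";` stating that all options must precede the command; otherwise a future edit can silently reintroduce T7569. The `log_assert (i < DIM(argv))` still covers the longest case, which is fine.

Review bot: the new MAIL branch in run_select_statement (0006-keyboxd-Searching-UpperCaseAddress.patch) drops the `s &&` NULL guard the old code had: `xtrystrdup (desc[descidx].u.name)` is called unconditionally and a NULL result is reported via `gpg_error_from_syserror ()`, so a NULL u.name, which the old code bound as an empty string, would now surface as a spurious out-of-memory error. Either keep a `u.name ? u.name : ""` guard or assert that KEYDB_SEARCH_MODE_MAIL always carries a name. Also, `ascii_strlwr` folds only ASCII letters, which is consistent with the rest of the code but means non-ASCII letters in an address remain case-sensitive; a comment saying this is intentional would help the next reader.

Review bot: in 0007-Fix-access-to-the-bintoasc-mapping-in-the-libksba-su.patch, whether `sizeof (bintoasc)` is the right bound depends on the declaration, which the hunk does not show. If bintoasc is a string literal array, sizeof includes the terminating NUL and `memchr` will accept a 0x00 input byte as a base64 character (the old `strchr` did the same, so this is not a regression, but `sizeof (bintoasc) - 1` would exclude it). If it is a 64-byte array without a terminator, which is what made the `strchr` call undefined behaviour, sizeof is exactly right. Please state which in a comment next to the call.

Review bot: the early-out added to recsel_select in 0009-common-Fix-logic-for-certain-recsel-conditions.patch, `se = se->next; result = 0; continue;`, changes user-visible semantics: a property that does not exist now matches neither `-z` nor `-f` (the t-recsel changes flip exactly those expectations), whereas before it behaved like an empty string. That is what the `--list-filter select='disabled-f'` fix in the changelog needs, but the recsel syntax documentation should say that a missing property yields "no match" rather than empty/false, because existing filters written against the old behaviour will silently stop selecting.

Review bot: in gpg-Fix-another-regression-due-to-the-T7547-fix.patch, `pk->req_usage & PUBKEY_USAGE_CERT` in get_pubkey_for_sig makes req_usage an input to the function; the hunk does not show whether every caller initialises it, and a stale CERT bit would now keep an unrelated lookup in verify mode, i.e. return expired or revoked keys per the finish_lookup change. Please check the callers or document in the function comment that req_usage is read. The comment fix (`reoked` to `revoked`) is good; the typo `cabable` two lines above it is still there.

Review bot: debian/patches/series places the T7547 regression patch between 0007 and 0009 while the numbered cherry-picks keep upstream order, which is harmless since it only touches g10/getkey.c. However, the patch subjects show that upstream patches 03, 04, 05 and 08 of the 10-patch set were skipped, and neither the changelog nor the series says why. A line in debian/changelog naming the STABLE-BRANCH-2-4 commits deliberately left out, and the GnuPG-bug-id 7583 for the getkey.c fix (the other entries cite their T-numbers), would make the unblock easier to review.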
Attachment: signature.asc (PGP signature)