From eb108906b6a2b321fda2061c75e0d70586769b9a Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Mon, 11 Jul 2022 13:11:32 +0200
Subject: [PATCH 1/3] app-crypt/gnupg: update to 2.2.35-r1

Update to gnupg 2.2.35-r1, mainly to address CVE-2022-34903.
Gentoo commit: 2b8f76c36b848ee02b57c00b29fa293d0c0dfc02
---
 .../coreos-overlay/app-crypt/gnupg/Manifest | 7 +-
 ...gnupg-2.2.35-status-messages-garbled.patch | 45 ++++++++
 ...th-a-good-revocation-but-no-self-sig.patch | 32 ------
 ...reviously-known-keys-even-without-UI.patch | 106 ------------------
 ...g-2.2.29.ebuild => gnupg-2.2.35-r1.ebuild} | 47 ++++----
 .../app-crypt/gnupg/metadata.xml | 12 +-
 6 files changed, 75 insertions(+), 174 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch
 rename sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/{gnupg-2.2.29.ebuild => gnupg-2.2.35-r1.ebuild} (78%)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
index e2a729dfe8..5e6b9023e6 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
@@ -1,5 +1,2 @@
-DIST gnupg-2.2.16-scdaemon_shared-access.patch 2586 BLAKE2B 42fd5482c4e86751ce62836125997c2295c44bc5db0671a06460fd306b2ed93f290fb898fc1b1e463a863eddf9ab5f99ea3c90a55499ef45ca1ed6edf2854663 SHA512 38abaa4200114ae6b6f220fabc0a84a056761949c97bd0564557f4411a299b9a1939893555c27e26da2d8e8da4bc97a298fa7e68f1e80fe99c3f88cc329eaa84
-DIST gnupg-2.2.27.tar.bz2 7191555 BLAKE2B d652aad382cf07cc458b29ff82718edd47457d8236dcbeee51f22d88503be141f009e9ea45b6dafe614115d9558fe371509579e58ce17a5f04540a31aa406ea3 SHA512 cf336962116c9c08ac80b1299654b94948033ef51d6d5e7f54c2f07bbf7d92c7b0bddb606ceee2cdd837063f519b8d59af5a82816b840a0fc47d90c07b0e95ab
-DIST gnupg-2.2.29.tar.bz2 7215986 BLAKE2B 04b777730b8fcbe8d93dfc8985aadd6bc7385ac2ac9684e6248cb3ae6d008daae5aa976ffa3bae27fe9e89bc2c4c1d4ae81dcaa259fb08d13f894f00f12072e9 SHA512 12645e230fc6aa4811420ef33def6baa590e847ecdf7e5f8b96eb49122e6406cbdba4595d0b52fa26700d5d5def67acb4ed7dfe7f778e496d4d21ccbef3c476b
-DIST gnupg-2.2.31.tar.bz2 7212188 BLAKE2B 57a2b6c6ea491137a708e18a0119502621b7bdf0591818d19beb8b08a521a7dbf60472243e1723f53acbfb9a5de612b8e5040c45dc847bdda26012244edb11be SHA512 2f6fa200e08d6b8993b482e5825bea6083afc8686c4e1ae80386b36ae49e1c2d73066c508edaa359a7794cb26ba7a00f81555a906fa422d1117e41415cfa2fea
-DIST gnupg-2.3.2.tar.bz2 7589445 BLAKE2B f7e35ed553ea89cdb073abb1432f67fa00bb625f6e686e534f96bca11d88f09ea272b3cb0d6706e4bce2c023f8c5b8d628742aa2f60752a2e605132cd32f62ed SHA512 2747cbe38546f500d165f024ebb2dc5be70fa68d20702af3f61e97db685eba94caf65307293137c76ea6cfcc189ed24aaee025c80cd33f26609e5fe512bdda73
+DIST gnupg-2.2.35.tar.bz2 7262687 BLAKE2B 18b5965151ded3b3f28d139824e14d7a6f1673c5192ec5f5a80366a6d5f2e04ed7fa035e2bff105e1752753584f992626ccc9ea8840c2bfa39ffe7ca39b81f7f SHA512 ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
+DIST gnupg-2.2.35.tar.bz2.sig 119 BLAKE2B 
d95323703c12c9474b21fa91ddb70d4d4d464c794223e21f6ae5d4de955f07a5cabde50612e977168ea6071c4b12be3262cbafe9bcaa8e9a0b009318c0ff6718 SHA512 9043894730520e974e7bc17e0f95419c319fbcd514f102faf644e2f5580e238719cecb8b5e778ecf20f9212ee2554206eb0686e8b5fce7f8c556146657660fe2
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
new file mode 100644
index 0000000000..23dbf00b18
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
@@ -0,0 +1,45 @@
+https://bugs.gentoo.org/855395
+https://marc.info/?l=oss-security&m=165657063921408&w=2
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21
+
+From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Tue, 14 Jun 2022 11:33:27 +0200
+Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
+
+* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+--
+
+Depending on the escaping and line wrapping the computed remaining
+buffer length could be wrong. Fixed by always using a break to
+terminate the escape detection loop. Might have happened for all
+status lines which may wrap.
+
+GnuPG-bug-id: T6027
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
+ }
+ first = 0;
+ }
+- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++ for (esc=0, s=buffer, n=len; n; s++, n--)
+ {
+ if (*s == '%' || *(const byte*)s <= lower_limit
+ || *(const byte*)s == 127 )
+ esc = 1;
+ if (wrap && ++count > wrap)
+- {
+- dowrap=1;
+- break;
+- }
+- }
+- if (esc)
+- {
+- s--; n++;
++ dowrap=1;
++ if (esc || dowrap)
++ break;
+ }
+ if (s != buffer)
+ es_fwrite (buffer, s-buffer, 1, statusfp);
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
deleted file mode 100644
index a6173968f5..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Vincent Breitmoser
-Date: Thu, 13 Jun 2019 21:27:43 +0200
-Subject: gpg: accept subkeys with a good revocation but no self-sig during
- import
-
-* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
-encounter a valid revocation signature. This allows import of subkey
-revocation signatures, even in the absence of a corresponding subkey
-binding signature.
-
---
-
-This fixes the remaining test in import-incomplete.scm.
-
-GnuPG-Bug-id: 4393
-Signed-off-by: Daniel Kahn Gillmor
----
- g10/import.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/g10/import.c b/g10/import.c
-index f9acf95..9217911 100644
---- a/g10/import.c
-+++ b/g10/import.c
-@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
- /* It's valid, so is it newer? */
- if (sig->timestamp >= rsdate)
- {
-+ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */
- if (rsnode)
- {
- /* Delete the last revocation sig since
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch
deleted file mode 100644
index 4b5690f955..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From: Vincent Breitmoser
-Date: Thu, 13 Jun 2019 21:27:42 +0200
-Subject: gpg: allow import of previously known keys, even without UIDs
-
-* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
-has no user id, as long as we already have a local variant of the cert
-that matches the primary key.
-
---
-
-This fixes two of the three broken tests in import-incomplete.scm.
-
-GnuPG-Bug-id: 4393
-Signed-off-by: Daniel Kahn Gillmor
----
- g10/import.c | 44 +++++++++++---------------------------------
- 1 file changed, 11 insertions(+), 33 deletions(-)
-
-diff --git a/g10/import.c b/g10/import.c
-index 5d3162c..f9acf95 100644
---- a/g10/import.c
-+++ b/g10/import.c
-@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
- size_t an;
- char pkstrbuf[PUBKEY_STRING_SIZE];
- int merge_keys_done = 0;
-- int any_filter = 0;
- KEYDB_HANDLE hd = NULL;
-
- if (r_valid)
-@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
- log_printf ("\n");
- }
-
--
-- if (!uidnode )
-- {
-- if (!silent)
-- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
-- return 0;
-- }
--
- if (screener && screener (keyblock, screener_arg))
- {
- log_error (_("key %s: %s\n"), keystr_from_pk (pk),
-@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
- }
- }
-
-- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
-- {
-- if (!silent)
-- {
-- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
-- if (!opt.quiet )
-- log_info(_("this may be caused by a missing self-signature\n"));
-- }
-- stats->no_user_id++;
-- return 0;
-- }
-+ /* Delete invalid parts, and note if we have any valid ones left.
-+ * We will later abort import if this key is new but contains
-+ * no valid uids. */
-+ delete_inv_parts (ctrl, keyblock, keyid, options);
-
- /* Get rid of deleted nodes.
*/
- commit_kbnode (&keyblock);
-@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
- {
- apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
- commit_kbnode (&keyblock);
-- any_filter = 1;
- }
- if (import_filter.drop_sig)
- {
- apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
- commit_kbnode (&keyblock);
-- any_filter = 1;
-- }
--
-- /* If we ran any filter we need to check that at least one user id
-- * is left in the keyring. Note that we do not use log_error in
-- * this case. */
-- if (any_filter && !any_uid_left (keyblock))
-- {
-- if (!opt.quiet )
-- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
-- stats->no_user_id++;
-- return 0;
- }
-
- /* The keyblock is valid and ready for real import. */
-@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
- err = 0;
- stats->skipped_new_keys++;
- }
-+ else if (err && !any_uid_left (keyblock))
-+ {
-+ if (!silent)
-+ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
-+ err = 0;
-+ stats->no_user_id++;
-+ }
- else if (err) /* Insert this key. */
- {
- /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
similarity index 78%
rename from sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
index c7231c63b2..d78daa1450 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
@@ -1,35 +1,39 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -# Flatcar: use EAPI=7, until EAPI 8 could be fully supported EAPI=7 -inherit flag-o-matic systemd toolchain-funcs +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc +inherit flag-o-matic systemd toolchain-funcs verify-sig MY_P="${P/_/-}" DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation" HOMEPAGE="https://gnupg.org/" SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2" +SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )" +S="${WORKDIR}/${MY_P}" LICENSE="GPL-3" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl tofu tools usb user-socket wks-server" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server" +RESTRICT="!test? ( test )" # Existence of executables is checked during configuration. +# Note: On each bump, update dep bounds on each version from configure.ac! DEPEND=">=dev-libs/libassuan-2.5.0 - >=dev-libs/libgcrypt-1.8.0 + >=dev-libs/libgcrypt-1.8.0:= >=dev-libs/libgpg-error-1.29 - >=dev-libs/libksba-1.3.4 + >=dev-libs/libksba-1.3.5 >=dev-libs/npth-1.2 >=net-misc/curl-7.10 + sys-libs/zlib bzip2? ( app-arch/bzip2 ) - ldap? ( net-nds/openldap ) + ldap? ( net-nds/openldap:= ) readline? ( sys-libs/readline:0= ) smartcard? ( usb? ( virtual/libusb:1 ) ) ssl? ( >=net-libs/gnutls-3.0:0= ) - sys-libs/zlib tofu? ( >=dev-db/sqlite-3.7 )" RDEPEND="${DEPEND} 
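Review bot: The new `SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"` line names the signature with `${P}` while the tarball line just above uses `${MY_P}` (`${P/_/-}`), so for any version string containing an underscore the fetched signature would not correspond to the tarball listed in the Manifest. Using the same variable in both keeps them consistent: `SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${MY_P}.tar.bz2.sig )"`. For 2.2.35 the two expand identically, so this is a consistency point rather than a breakage today. Note also that the signature is only checked when the `verify-sig` USE flag is enabled; builds without it still rely solely on the Manifest digests.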
@@ -40,9 +44,8 @@ RDEPEND="${DEPEND} BDEPEND="virtual/pkgconfig doc? ( sys-apps/texinfo ) - nls? ( sys-devel/gettext )" - -S="${WORKDIR}/${MY_P}" + nls? ( sys-devel/gettext ) + verify-sig? ( sec-keys/openpgp-keys-gnupg )" DOCS=( ChangeLog NEWS README THANKS TODO VERSION @@ -50,11 +53,8 @@ DOCS=( ) PATCHES=( - "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch" - # Flatcar: the patches below are added only for Flatcar, to address the - # upstream gnupg issue https://dev.gnupg.org/T4393. - "${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch" - "${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch" + "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch + "${FILESDIR}"/${P}-status-messages-garbled.patch ) src_prepare() { @@ -76,6 +76,8 @@ src_configure() { $(use_enable nls) $(use_enable smartcard scdaemon) $(use_enable ssl gnutls) + $(use_enable test all-tests) + $(use_enable test tests) $(use_enable tofu) $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver') $(use_enable wks-server wks-tools) @@ -83,16 +85,17 @@ src_configure() { $(use_with readline) --with-mailprog=/usr/libexec/sendmail --disable-ntbtls - --enable-all-tests --enable-gpg --enable-gpgsm --enable-large-secmem + CC_FOR_BUILD="$(tc-getBUILD_CC)" GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config" KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config" LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config" LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config" NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config" + $("${S}/configure" --help | grep -o -- '--without-.*-prefix') ) 
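Review bot: The `PATCHES=(` hunk drops the two Flatcar-only T4393 patches (`gnupg-allow-import-of-previously-known-keys-even-without-UI.patch` and `gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch`) while the commit message only mentions the CVE fix; the next commit in this series re-adds them, so a bisect landing on this commit has gpg key-import behaviour that differs from both its neighbours. A sentence in this commit's message such as `The Flatcar-specific T4393 import patches are dropped here and re-applied in the following commit` would explain that state, or the two commits could be squashed. In the `src_configure` hunk, `$("${S}/configure" --help | grep -o -- '--without-.*-prefix')` contributes nothing at all if the help text no longer matches the pattern; that mirrors the Gentoo ebuild and is presumably acceptable, but it is a silent failure mode worth knowing about on the next bump.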
@@ -101,14 +104,13 @@ src_configure() { append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0" fi - #bug 663142 + # bug #663142 if use user-socket; then myconf+=( --enable-run-gnupg-user-socket ) fi # glib fails and picks up clang's internal stdint.h causing weird errors - [[ ${CC} == *clang ]] && \ - export gl_cv_absolute_stdint_h=/usr/include/stdint.h + tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist. # As of GnuPG 2.3, the mailprog substitution is used for the binary called @@ -129,8 +131,9 @@ src_compile() { } src_test() { - #Bug: 638574 + # bug #638574 use tofu && export TESTFLAGS=--parallel + default } diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml index f6fc64ff0b..9704490d3e 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml @@ -5,20 +5,11 @@ zlogene@gentoo.org Mikle Kolyada - - polynomial-c@gentoo.org - Lars Wendler - base-system@gentoo.org Gentoo Base System - - Allow concurrent access to scdaemon by multiple apps from same - user. Useful if you want to use scdaemon with gnupg and for - example NitroKey. - Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try app-crypt/gnupg-pkcs11-scd. @@ -36,6 +27,9 @@ Install extra tools (including gpgsplit and gpg-zip). + + Enable TPM support via app-crypt/tpm2-tss and build tpm2d. + Install the wks-server From 5725e318b555e44146eb806a6421066aba07ebac Mon Sep 17 00:00:00 2001 
From: Dongsu Park
Date: Tue, 26 May 2020 10:04:30 +0200
Subject: [PATCH 2/3] app-crypt/gnupg: add patches for accepting without UIDs

When the GnuPG keyserver is set to `keys.openpgp.org`, `gpg --recv-keys` occasionally fails with the following error:
```
gpg: key E52F0DB391453C45: no user ID
```
We need to make GnuPG accept keys even without UIDs.
Original patches come from https://salsa.debian.org/debian/gnupg2/tree/f292beac1171c6c77faf41d1f88c2e0942ed4437/debian/patches/import-merge-without-userid .
See also https://dev.gnupg.org/T4393 .
Based on commit ff9200d8d3fce1feaa1eaa751a0dd2a50acbaae0 .
---
 ...th-a-good-revocation-but-no-self-sig.patch | 32 ++++++
 ...reviously-known-keys-even-without-UI.patch | 106 ++++++++++++++++++
 .../app-crypt/gnupg/gnupg-2.2.35-r1.ebuild | 5 +
 3 files changed, 143 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
new file mode 100644
index 0000000000..a6173968f5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
@@ -0,0 +1,32 @@
+From: Vincent Breitmoser
+Date: Thu, 13 Jun 2019 21:27:43 +0200
+Subject: gpg: accept subkeys with a good revocation but no self-sig during
+ import
+
+* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
+encounter a valid revocation signature. This allows import of subkey
+revocation signatures, even in the absence of a corresponding subkey
+binding signature.
+
+--
+
+This fixes the remaining test in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor
+---
+ g10/import.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/g10/import.c b/g10/import.c
+index f9acf95..9217911 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
+ /* It's valid, so is it newer? */
+ if (sig->timestamp >= rsdate)
+ {
++ knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid. */
+ if (rsnode)
+ {
+ /* Delete the last revocation sig since
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch
new file mode 100644
index 0000000000..4b5690f955
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch
@@ -0,0 +1,106 @@
+From: Vincent Breitmoser
+Date: Thu, 13 Jun 2019 21:27:42 +0200
+Subject: gpg: allow import of previously known keys, even without UIDs
+
+* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
+has no user id, as long as we already have a local variant of the cert
+that matches the primary key.
+
+--
+
+This fixes two of the three broken tests in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor
+---
+ g10/import.c | 44 +++++++++++---------------------------------
+ 1 file changed, 11 insertions(+), 33 deletions(-)
+
+diff --git a/g10/import.c b/g10/import.c
+index 5d3162c..f9acf95 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
+ size_t an;
+ char pkstrbuf[PUBKEY_STRING_SIZE];
+ int merge_keys_done = 0;
+- int any_filter = 0;
+ KEYDB_HANDLE hd = NULL;
+
+ if (r_valid)
+@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
+ log_printf ("\n");
+ }
+
+-
+- if (!uidnode )
+- {
+- if (!silent)
+- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
+- return 0;
+- }
+-
+ if (screener && screener (keyblock, screener_arg))
+ {
+ log_error (_("key %s: %s\n"), keystr_from_pk (pk),
+@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
+ }
+ }
+
+- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
+- {
+- if (!silent)
+- {
+- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+- if (!opt.quiet )
+- log_info(_("this may be caused by a missing self-signature\n"));
+- }
+- stats->no_user_id++;
+- return 0;
+- }
++ /* Delete invalid parts, and note if we have any valid ones left.
++ * We will later abort import if this key is new but contains
++ * no valid uids. */
++ delete_inv_parts (ctrl, keyblock, keyid, options);
+
+ /* Get rid of deleted nodes.
*/
+ commit_kbnode (&keyblock);
+@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
+ {
+ apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
+ commit_kbnode (&keyblock);
+- any_filter = 1;
+ }
+ if (import_filter.drop_sig)
+ {
+ apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
+ commit_kbnode (&keyblock);
+- any_filter = 1;
+- }
+-
+- /* If we ran any filter we need to check that at least one user id
+- * is left in the keyring. Note that we do not use log_error in
+- * this case. */
+- if (any_filter && !any_uid_left (keyblock))
+- {
+- if (!opt.quiet )
+- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
+- stats->no_user_id++;
+- return 0;
+ }
+
+ /* The keyblock is valid and ready for real import. */
+@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
+ err = 0;
+ stats->skipped_new_keys++;
+ }
++ else if (err && !any_uid_left (keyblock))
++ {
++ if (!silent)
++ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
++ err = 0;
++ stats->no_user_id++;
++ }
+ else if (err) /* Insert this key. */
+ {
+ /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
index d78daa1450..7f49ba7cf7 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
@@ -1,6 +1,7 @@
 # Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
+# Flatcar: use EAPI=7, until EAPI 8 could be fully supported
 EAPI=7
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
@@ -55,6 +56,10 @@ DOCS=(
 PATCHES=(
 "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
 "${FILESDIR}"/${P}-status-messages-garbled.patch
+ # Flatcar: the patches below are added only for Flatcar, to address the
+ # upstream gnupg issue https://dev.gnupg.org/T4393.
+ "${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch"
+ "${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch"
 )
 src_prepare() {
From a023d537fe1e825838c19352e00c9db88732ca28 Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Mon, 11 Jul 2022 13:20:47 +0200
Subject: [PATCH 3/3] changelog: add changelog for gnupg 2.2.35

---
 .../coreos-overlay/changelog/security/2022-07-11-gnupg-2.2.35.md | 1 +
 .../changelog/updates/2022-07-11-gnupg-2.2.35-update.md | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/security/2022-07-11-gnupg-2.2.35.md
 create mode 100644 sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-07-11-gnupg-2.2.35-update.md
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-07-11-gnupg-2.2.35.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-07-11-gnupg-2.2.35.md
new file mode 100644
index 0000000000..a13b6994c0
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-07-11-gnupg-2.2.35.md
@@ -0,0 +1 @@
+- gnupg ([CVE-2022-34903](https://nvd.nist.gov/vuln/detail/CVE-2022-34903))
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-07-11-gnupg-2.2.35-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-07-11-gnupg-2.2.35-update.md
new file mode 100644
index 0000000000..918e2a733a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-07-11-gnupg-2.2.35-update.md
@@ -0,0 +1 @@
+- gnupg ([2.2.35](https://dev.gnupg.org/T5928))
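Review bot: The two re-added Flatcar patch lines in the `PATCHES=(` hunk are quoted as `"${FILESDIR}/${PN}-...patch"` while the two Gentoo lines directly above use `"${FILESDIR}"/${PN}-...`; both forms work, but the array reads cleaner if all four follow one style, e.g. `"${FILESDIR}"/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch`. The comment above them should also say what they change, since the patch headers earlier in this series show they remove the `no user ID` rejection in `import_one_real` and set `NODE_GOOD_SELFSIG` on a valid revocation in `chk_self_sigs`, i.e. they deliberately relax import validation relative to upstream 2.2.35; a line such as `# They relax upstream's rejection of keys/subkeys lacking a user ID or binding self-sig (needed for keys.openpgp.org); re-check on every bump.` records that for the next bump. Those patch files carry `index 5d3162c..f9acf95` and `index f9acf95..9217911` headers against an older g10/import.c, so presumably they apply with offset on 2.2.35; confirm they still apply without fuzz rather than relying on it.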