Hello Hugo This patch is included in version 1.12.2 of libgcrypt However, as far as I can tell, wrynose uses version 1.12.1 and no upgrade to 1.12.2 was submitted
as such, this patch can not be accepted as-is in scarthgap, please submit this patch (or a version bump) to wrynose first, then ping here for inclusion thanks a lot Jeremy On Wed May 20, 2026 at 11:04 AM CEST, Hugo Simeliere via lists.openembedded.org wrote: > From: "Hugo SIMELIERE (Schneider Electric)" > <[email protected]> > > Pick patch from [1] as 1.10.x upstream backport of [2] mentioned in Debian > report in [3]. > > [1] https://dev.gnupg.org/rC6da0152595aabb569c88c6571d2fdf68e112ee45 > [2] https://dev.gnupg.org/rC2d3d732c9bf87cc10729f69678dd9e6862f99fa3 > [3] https://security-tracker.debian.org/tracker/CVE-2026-41989 > > Signed-off-by: Hugo SIMELIERE (Schneider Electric) > <[email protected]> > Reviewed-by: Bruno VERNAY <[email protected]> > --- > .../libgcrypt/files/CVE-2026-41989.patch | 45 +++++++++++++++++++ > .../libgcrypt/libgcrypt_1.10.3.bb | 1 + > 2 files changed, 46 insertions(+) > create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2026-41989.patch > > diff --git a/meta/recipes-support/libgcrypt/files/CVE-2026-41989.patch > b/meta/recipes-support/libgcrypt/files/CVE-2026-41989.patch > new file mode 100644 > index 0000000000..d9bc2d1844 > --- /dev/null > +++ b/meta/recipes-support/libgcrypt/files/CVE-2026-41989.patch > @@ -0,0 +1,45 @@ > +From b5ee371e621435c18a9a70e4982741ab65a019e1 Mon Sep 17 00:00:00 2001 > +From: NIIBE Yutaka <[email protected]> > +Date: Fri, 10 Apr 2026 16:58:57 +0900 > +Subject: [PATCH] cipher:ecc: Fix decoding a point on Montgomery curve. > + > +* cipher/ecc-misc.c (_gcry_ecc_mont_decodepoint): Fix the padding > +mistake and add updating RAWMPILEN. > + > +-- > + > +Reported by Calif.io in collaboration with Claude and Anthropic > +Research. > + > +CVE: CVE-2026-41989 > +Upstream-Status: Backport > [https://dev.gnupg.org/rC6da0152595aabb569c88c6571d2fdf68e112ee45] > + > +GnuPG-bug-id: 8211 > +Fixes-commit: bbe15758c893dbf546416c1a6bccdad1ab000ad7 > +Suggested-by: Bronson Yen <[email protected]> > +Signed-off-by: NIIBE Yutaka <[email protected]> > +(cherry picked from commit 6da0152595aabb569c88c6571d2fdf68e112ee45) > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) > <[email protected]> > +--- > + cipher/ecc-misc.c | 5 ++++- > + 1 file changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/cipher/ecc-misc.c b/cipher/ecc-misc.c > +index 6796ba2c..fd429a08 100644 > +--- a/cipher/ecc-misc.c > ++++ b/cipher/ecc-misc.c > +@@ -438,7 +438,10 @@ _gcry_ecc_mont_decodepoint (gcry_mpi_t pk, mpi_ec_t ec, > mpi_point_t result) > + *--p = *buf++; > + > + if (rawmpilen < nbytes) > +- memset (rawmpi + nbytes - rawmpilen, 0, nbytes - rawmpilen); > ++ { > ++ memset (rawmpi + rawmpilen, 0, nbytes - rawmpilen); > ++ rawmpilen = nbytes; > ++ } > + } > + else > + { > +-- > +2.43.0 > + > diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.3.bb > b/meta/recipes-support/libgcrypt/libgcrypt_1.10.3.bb > index 3d49d586bb..44e4a39392 100644 > --- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.3.bb > +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.3.bb > @@ -26,6 +26,7 @@ SRC_URI = > "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ > file://no-bench-slope.patch \ > file://run-ptest \ > file://0001-Fix-building-error-with-O2-in-sysroot-path.patch \ > + file://CVE-2026-41989.patch \ > " > SRC_URI[sha256sum] = > "8b0870897ac5ac67ded568dcfadf45969cfa8a6beb0fd60af2a9eadc2a3272aa" >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238433): https://lists.openembedded.org/g/openembedded-core/message/238433 Mute This Topic: https://lists.openembedded.org/mt/119405008/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
