CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted.
Signed-off-by: Roland Kovacs <[email protected]> --- .../gnupg/gnupg/CVE-2026-57062.patch | 43 +++++++++++++++++++ meta/recipes-support/gnupg/gnupg_2.5.20.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch new file mode 100644 index 0000000000..f298b6e9a8 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg/CVE-2026-57062.patch @@ -0,0 +1,43 @@ +From d586f50ee849c8cbeaea47b50c64446c1becbf9b Mon Sep 17 00:00:00 2001 +From: Werner Koch <[email protected]> +Date: Thu, 18 Jun 2026 10:51:34 +0200 +Subject: [PATCH] gpgsm: Require a minimum tag length for GCM decryption. + +* sm/decrypt.c (gpgsm_decrypt): Require a minimum authtaglen. +-- + +Reported-by: Thai Duong <[email protected]> +This is similar to OpenSSL's +CVE-id: CVE-2026-34182 + +CVE: CVE-2026-57062 +Upstream-Status: Backport [https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4] + +Signed-off-by: Roland Kovacs <[email protected]> +--- + sm/decrypt.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sm/decrypt.c b/sm/decrypt.c +index 20fb96060..92a33c6e6 100644 +--- a/sm/decrypt.c ++++ b/sm/decrypt.c +@@ -1447,7 +1447,14 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t out_fp) + } + if (DBG_CRYPTO) + log_printhex (authtag, authtaglen, "Authtag ...:"); +- rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen); ++ if (authtaglen < 12) ++ { ++ log_info ("authentication tag is too short (%zu octets)\n", ++ authtaglen); ++ rc = gpg_error (GPG_ERR_CHECKSUM); ++ } ++ else ++ rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen); + xfree (authtag); + if (rc) + log_error ("data is not authentic: %s\n", gpg_strerror (rc)); +-- +2.34.1 + diff --git a/meta/recipes-support/gnupg/gnupg_2.5.20.bb b/meta/recipes-support/gnupg/gnupg_2.5.20.bb index a1a50e2384..e373265c48 100644 --- a/meta/recipes-support/gnupg/gnupg_2.5.20.bb +++ b/meta/recipes-support/gnupg/gnupg_2.5.20.bb @@ -20,6 +20,7 @@ SRCREV = "343d0cb8910441aa44c56ce8673a78e137040c87" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0002-use-pkgconfig-instead-of-npth-config.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ + file://CVE-2026-57062.patch \ " SRC_URI:append:class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \ file://relocate.patch" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239890): https://lists.openembedded.org/g/openembedded-core/message/239890 Mute This Topic: https://lists.openembedded.org/mt/120046215/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
