Skip to content

[AutoPR- Security] Patch gnupg2 for CVE-2025-68973 [HIGH] #15414

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
azurelinux-security wants to merge 6 commits into from
Closed

[AutoPR- Security] Patch gnupg2 for CVE-2025-68973 [HIGH] #15414

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
0bf4ab0
Patch gnupg2 for CVE-2025-68973
azurelinux-security Dec 29, 2025
32bf970
Updating spec file with p1
archana25-ms Dec 28, 2025
f726075
Merge branch 'fasttrack/3.0' into azure-autosec/gnupg2/3.0/1014208
archana25-ms Dec 30, 2025
2053159
Revert "Updating spec file with p1"
archana25-ms Dec 28, 2025
f498336
Updating spec file with p1
archana25-ms Dec 30, 2025
395c020
Merge branch 'fasttrack/3.0' into azure-autosec/gnupg2/3.0/1014208
Kanishk-Bansal Jan 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 68 additions & 0 deletions SPECS/gnupg2/CVE-2025-68973.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
From 33731863e1efaa7f3230a2a7335a87390f387444 Mon Sep 17 00:00:00 2001
From: AllSpark <[email protected]>
Date: Mon, 29 Dec 2025 16:57:49 +0000
Subject: [PATCH] gpg: Fix possible memory corruption in armor parser; add
filter len asserts in iobuf underflow; fix faulty double increment in
armor_filter loop. (Backport)

Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
Upstream-reference: AI Backport of https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9.patch
---
common/iobuf.c | 5 +++++
g10/armor.c | 6 +++---
2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/common/iobuf.c b/common/iobuf.c
index 748e693..27c826b 100644
--- a/common/iobuf.c
+++ b/common/iobuf.c
@@ -2043,6 +2043,7 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
rc = 0;
else
{
+ size_t tmplen;
/* If no buffered data and drain buffer has been setup, and drain
* buffer is largish, read data directly to drain buffer. */
if (a->d.len == 0
@@ -2055,8 +2056,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes, to external drain)\n",
a->no, a->subno, (ulong)len);

+ tmplen = len; /* Used to check for bugs in the filter. */
rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
a->e_d.buf, &len);
+ log_assert (len <= tmplen);
a->e_d.used = len;
len = 0;
}
@@ -2066,8 +2069,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes)\n",
a->no, a->subno, (ulong)len);

+ tmplen = len;
rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
&a->d.buf[a->d.len], &len);
+ log_assert (len <= tmplen);
}
}
a->d.len += len;
diff --git a/g10/armor.c b/g10/armor.c
index 81af153..231d158 100644
--- a/g10/armor.c
+++ b/g10/armor.c
@@ -1301,9 +1301,9 @@ armor_filter( void *opaque, int control,
if( control == IOBUFCTRL_UNDERFLOW && afx->inp_bypass ) {
n = 0;
if( afx->buffer_len ) {
- /* Copy the data from AFX->BUFFER to BUF. */
- for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
- buf[n++] = afx->buffer[afx->buffer_pos++];
+ /* Copy the data from AFX->BUFFER to BUF. */
+ for(; n < size && afx->buffer_pos < afx->buffer_len;)
+ buf[n++] = afx->buffer[afx->buffer_pos++];
Copy link
Member

@mfrw mfrw Jan 2, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only the for loops n++ has been dropped.

  • Patch applies cleanly
  • Patch looks good w.r.t upstream.
    Signed-Off By: @mfrw

if( afx->buffer_pos >= afx->buffer_len )
afx->buffer_len = 0;
}
--
2.45.4

8 changes: 6 additions & 2 deletions SPECS/gnupg2/gnupg2.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,14 @@
Summary: OpenPGP standard implementation used for encrypted communication and data storage.
Name: gnupg2
Version: 2.4.7
Release: 1%{?dist}
Release: 2%{?dist}
License: BSD and CC0 and GPLv2+ and LGPLv2+
Vendor: Microsoft Corporation
Distribution: Azure Linux
Group: Applications/Cryptography.
URL: https://gnupg.org/index.html
Source0: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
Patch0: CVE-2025-68973.patch
BuildRequires: zlib-devel
BuildRequires: bzip2-devel
BuildRequires: readline-devel
Expand Down Expand Up @@ -48,7 +49,7 @@ Requires: %{name} = %{version}-%{release}
These are the additional language files of gnupg2

%prep
%autosetup -n gnupg-%{version}
%autosetup -n gnupg-%{version} -p1

%build
# Prevent GnuPG from using keyboxd for storing keys.
Expand Down Expand Up @@ -105,6 +106,9 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2
%defattr(-,root,root)

%changelog
* Mon Dec 29 2025 Azure Linux Security Servicing Account <[email protected]> - 2.4.7-2
- Patch for CVE-2025-68973

* Mon Jun 23 2025 Kavya Sree Kaitepalli <[email protected]> - 2.4.7-1
- Upgrade to version 2.4.7

Expand Down
4 changes: 2 additions & 2 deletions toolkit/resources/manifests/package/pkggen_core_aarch64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,8 +228,8 @@ libksba-devel-1.6.4-1.azl3.aarch64.rpm
libxslt-1.1.43-3.azl3.aarch64.rpm
npth-1.6-4.azl3.aarch64.rpm
pinentry-1.2.1-1.azl3.aarch64.rpm
gnupg2-2.4.7-1.azl3.aarch64.rpm
gnupg2-lang-2.4.7-1.azl3.aarch64.rpm
gnupg2-2.4.7-2.azl3.aarch64.rpm
gnupg2-lang-2.4.7-2.azl3.aarch64.rpm
gpgme-1.23.2-2.azl3.aarch64.rpm
azurelinux-repos-shared-3.0-5.azl3.noarch.rpm
azurelinux-repos-3.0-5.azl3.noarch.rpm
Expand Down
4 changes: 2 additions & 2 deletions toolkit/resources/manifests/package/pkggen_core_x86_64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,8 +228,8 @@ libksba-devel-1.6.4-1.azl3.x86_64.rpm
libxslt-1.1.43-3.azl3.x86_64.rpm
npth-1.6-4.azl3.x86_64.rpm
pinentry-1.2.1-1.azl3.x86_64.rpm
gnupg2-2.4.7-1.azl3.x86_64.rpm
gnupg2-lang-2.4.7-1.azl3.x86_64.rpm
gnupg2-2.4.7-2.azl3.x86_64.rpm
gnupg2-lang-2.4.7-2.azl3.x86_64.rpm
gpgme-1.23.2-2.azl3.x86_64.rpm
azurelinux-repos-shared-3.0-5.azl3.noarch.rpm
azurelinux-repos-3.0-5.azl3.noarch.rpm
Expand Down
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,9 +140,9 @@ glibc-tools-2.38-16.azl3.aarch64.rpm
gmp-6.3.0-1.azl3.aarch64.rpm
gmp-debuginfo-6.3.0-1.azl3.aarch64.rpm
gmp-devel-6.3.0-1.azl3.aarch64.rpm
gnupg2-2.4.7-1.azl3.aarch64.rpm
gnupg2-debuginfo-2.4.7-1.azl3.aarch64.rpm
gnupg2-lang-2.4.7-1.azl3.aarch64.rpm
gnupg2-2.4.7-2.azl3.aarch64.rpm
gnupg2-debuginfo-2.4.7-2.azl3.aarch64.rpm
gnupg2-lang-2.4.7-2.azl3.aarch64.rpm
gperf-3.1-5.azl3.aarch64.rpm
gperf-debuginfo-3.1-5.azl3.aarch64.rpm
gpgme-1.23.2-2.azl3.aarch64.rpm
Expand Down
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -147,9 +147,9 @@ glibc-tools-2.38-16.azl3.x86_64.rpm
gmp-6.3.0-1.azl3.x86_64.rpm
gmp-debuginfo-6.3.0-1.azl3.x86_64.rpm
gmp-devel-6.3.0-1.azl3.x86_64.rpm
gnupg2-2.4.7-1.azl3.x86_64.rpm
gnupg2-debuginfo-2.4.7-1.azl3.x86_64.rpm
gnupg2-lang-2.4.7-1.azl3.x86_64.rpm
gnupg2-2.4.7-2.azl3.x86_64.rpm
gnupg2-debuginfo-2.4.7-2.azl3.x86_64.rpm
gnupg2-lang-2.4.7-2.azl3.x86_64.rpm
gperf-3.1-5.azl3.x86_64.rpm
gperf-debuginfo-3.1-5.azl3.x86_64.rpm
gpgme-1.23.2-2.azl3.x86_64.rpm
Expand Down
Loading