Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch gnupg2 for CVE-2026-24882, CVE-2025-68973 [HIGH] - branch main" #15965

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: 3 people

SPECS/gnupg2/CVE-2025-68973.patch

@@ -0,0 +1,110 @@
+From bc8e94b03af106b7f481abb36d8a8d5fdf723c77 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 23 Oct 2025 11:36:04 +0200
+Subject: [PATCH] gpg: Fix possible memory corruption in the armor parser.
+
+* g10/armor.c (armor_filter): Fix faulty double increment.
+
+* common/iobuf.c (underflow_target): Assert that the filter
+implementations behave well.
+--
+
+This fixes a bug in a code path which can only be reached with special
+crafted input data and would then error out at an upper layer due to
+corrupt input (every second byte in the buffer is unitialized
+garbage).  No fuzzing has yet hit this case and we don't have a test
+case for this code path.  However memory corruption can never be
+tolerated as it always has the protential for remode code execution.
+
+Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a
+Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
+which fixed
+Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f
+Backported-from-master: 115d138ba599328005c5321c0ef9f00355838ca9
+
+The bug was introduced on 1999-01-07 by me:
+* armor.c: Rewrote large parts.
+which I fixed on 1999-03-02 but missed to fix the other case:
+* armor.c (armor_filter): Fixed armor bypassing.
+
+Below is base64+gzipped test data which can be used with valgrind to
+show access to uninitalized memory in write(2) in the unpatched code.
+
+--8<---------------cut here---------------start------------->8---
+H4sICIDd+WgCA3h4AO3QMQ6CQBCG0djOKbY3G05gscYFSRAJt/AExp6Di0cQG0ze
+a//MV0zOq3Pt+jFN3ZTKfLvP9ZLafqifJUe8juOjeZbVtSkbRPmRgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
+gICAgICAgICAgICAgICAgICAgICAgICAgMCXF6dYDgAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC7E14AAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwZ94aieId3+8EAA==
+--8<---------------cut here---------------end--------------->8---
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/gpg/gnupg/commit/4ecc5122f20e10c17172ed72f4fa46c784b5fb48.patch
+---
+ common/iobuf.c | 8 +++++++-
+ g10/armor.c    | 4 ++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/common/iobuf.c b/common/iobuf.c
+index 86bb296..368055b 100644
+--- a/common/iobuf.c
++++ b/common/iobuf.c
+@@ -1933,6 +1933,8 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	rc = 0;
+       else
+       {
++        size_t tmplen;
++
+ 	/* If no buffered data and drain buffer has been setup, and drain
+ 	 * buffer is largish, read data directly to drain buffer. */
+ 	if (a->d.len == 0
+@@ -1945,8 +1947,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	      log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes, to external drain)\n",
+ 			 a->no, a->subno, (ulong)len);
+ 
+-	    rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
++            tmplen = len;  /* Used to check for bugs in the filter.  */
++            rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+ 			    a->e_d.buf, &len);
++            log_assert (len <= tmplen);
+ 	    a->e_d.used = len;
+ 	    len = 0;
+ 	  }
+@@ -1956,8 +1960,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	      log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes)\n",
+ 			 a->no, a->subno, (ulong)len);
+ 
++            tmplen = len;  /* Used to check for bugs in the filter.  */
+ 	    rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+ 			    &a->d.buf[a->d.len], &len);
++            log_assert (len <= tmplen);
+ 	  }
+       }
+       a->d.len += len;
+diff --git a/g10/armor.c b/g10/armor.c
+index b47c04a..39294e2 100644
+--- a/g10/armor.c
++++ b/g10/armor.c
+@@ -1302,8 +1302,8 @@ armor_filter( void *opaque, int control,
+ 	n = 0;
+ 	if( afx->buffer_len ) {
+             /* Copy the data from AFX->BUFFER to BUF.  */
+-	    for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
+-		buf[n++] = afx->buffer[afx->buffer_pos++];
++            for(; n < size && afx->buffer_pos < afx->buffer_len;)
++                buf[n++] = afx->buffer[afx->buffer_pos++];
+ 	    if( afx->buffer_pos >= afx->buffer_len )
+ 		afx->buffer_len = 0;
+ 	}
+-- 
+2.45.4
+

SPECS/gnupg2/CVE-2026-24882.patch

@@ -0,0 +1,64 @@
+From faaf8b325791cbe9d04a2752f55831152181bea4 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 26 Jan 2026 11:13:44 +0100
+Subject: [PATCH] tpm: Fix possible buffer overflow in PKDECRYPT
+
+* tpm2d/tpm2.c (tpm2_ecc_decrypt): Bail out on too long CIPHERTEXT.
+(tpm2_rsa_decrypt): Ditto.
+--
+
+GnuPG-bug-id: 8045
+Co-authored-by: NIIBE Yutaka <gniibe@fsij.org>
+Reported-by: OpenAI Security Research
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/gpg/gnupg/commit/93fa34d9a346.patch
+---
+ tpm2d/tpm2.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
+index 3e908dd..cd0347c 100644
+--- a/tpm2d/tpm2.c
++++ b/tpm2d/tpm2.c
+@@ -917,10 +917,20 @@ tpm2_ecc_decrypt (ctrl_t ctrl, TSS_CONTEXT *tssc, TPM_HANDLE key,
+   size_t len;
+   int ret;
+ 
++#if defined(TPM2_MAX_ECC_KEY_BYTES) /* Intel stack */
++  if (ciphertext_len > 2*TPM2_MAX_ECC_KEY_BYTES + 1)
++    return GPG_ERR_TOO_LARGE;
++#elif defined(MAX_ECC_KEY_BYTES)    /* IBM stack */
++  if (ciphertext_len > 2*MAX_ECC_KEY_BYTES + 1)
++    return GPG_ERR_TOO_LARGE;
++#else
++# error TMP2 header are not correctly installed
++#endif
++
+   /* This isn't really a decryption per se.  The ciphertext actually
+    * contains an EC Point which we must multiply by the private key number.
+    *
+-   * The reason is to generate a diffe helman agreement on a shared
++   * The reason is to generate a diffie-hellman agreement on a shared
+    * point.  This shared point is then used to generate the per
+    * session encryption key.
+    */
+@@ -976,6 +986,16 @@ tpm2_rsa_decrypt (ctrl_t ctrl, TSS_CONTEXT *tssc, TPM_HANDLE key,
+   TPM_HANDLE ah;
+   char *auth;
+ 
++#if defined(TPM2_MAX_RSA_KEY_BYTES)  /* Intel stack */
++  if (ciphertext_len > TPM2_MAX_RSA_KEY_BYTES)
++    return GPG_ERR_TOO_LARGE;
++#elif defined(MAX_RSA_KEY_BYTES)     /* IBM stack */
++  if (ciphertext_len > MAX_RSA_KEY_BYTES)
++    return GPG_ERR_TOO_LARGE;
++#else
++# error TMP2 header are not correctly installed
++#endif
++
+   inScheme.scheme = TPM_ALG_RSAES;
+   /*
+    * apparent gcrypt error: occasionally rsa ciphertext will
+-- 
+2.45.4
+

SPECS/gnupg2/gnupg2.spec

@@ -1,13 +1,15 @@
 Summary:        OpenPGP standard implementation used for encrypted communication and data storage.
 Name:           gnupg2
 Version:        2.4.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD and CC0 and GPLv2+ and LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/Cryptography.
 URL:            https://gnupg.org/index.html
 Source0:        https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+Patch0:         CVE-2025-68973.patch
+Patch1:         CVE-2026-24882.patch
 BuildRequires:  zlib-devel
 BuildRequires:  bzip2-devel
 BuildRequires:  readline-devel
@@ -48,7 +50,7 @@ Requires: %{name} = %{version}-%{release}
 These are the additional language files of gnupg2
 
 %prep
-%autosetup -n gnupg-%{version}
+%autosetup -p1 -n gnupg-%{version}
 
 %build
 %configure \
@@ -89,6 +91,9 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2
 %defattr(-,root,root)
 
 %changelog
+* Tue Feb 24 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.4.0-3
+- Patch for CVE-2026-24882, CVE-2025-68973
+
 * Tue Mar 21 2023 Muhammad Falak <mwani@microsoft.com> - 2.4.0-2
 - Add correct version for libgpg-error-devel as a BR
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -221,8 +221,8 @@ libksba-devel-1.6.3-1.cm2.aarch64.rpm
 libxslt-1.1.34-10.cm2.aarch64.rpm
 npth-1.6-4.cm2.aarch64.rpm
 pinentry-1.2.0-1.cm2.aarch64.rpm
-gnupg2-2.4.0-2.cm2.aarch64.rpm
-gnupg2-lang-2.4.0-2.cm2.aarch64.rpm
+gnupg2-2.4.0-3.cm2.aarch64.rpm
+gnupg2-lang-2.4.0-3.cm2.aarch64.rpm
 gpgme-1.16.0-2.cm2.aarch64.rpm
 mariner-repos-shared-2.0-9.cm2.noarch.rpm
 mariner-repos-2.0-9.cm2.noarch.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -221,8 +221,8 @@ libksba-devel-1.6.3-1.cm2.x86_64.rpm
 libxslt-1.1.34-10.cm2.x86_64.rpm
 npth-1.6-4.cm2.x86_64.rpm
 pinentry-1.2.0-1.cm2.x86_64.rpm
-gnupg2-2.4.0-2.cm2.x86_64.rpm
-gnupg2-lang-2.4.0-2.cm2.x86_64.rpm
+gnupg2-2.4.0-3.cm2.x86_64.rpm
+gnupg2-lang-2.4.0-3.cm2.x86_64.rpm
 gpgme-1.16.0-2.cm2.x86_64.rpm
 mariner-repos-shared-2.0-9.cm2.noarch.rpm
 mariner-repos-2.0-9.cm2.noarch.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -118,9 +118,9 @@ glibc-tools-2.35-10.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-debuginfo-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm
-gnupg2-2.4.0-2.cm2.aarch64.rpm
-gnupg2-debuginfo-2.4.0-2.cm2.aarch64.rpm
-gnupg2-lang-2.4.0-2.cm2.aarch64.rpm
+gnupg2-2.4.0-3.cm2.aarch64.rpm
+gnupg2-debuginfo-2.4.0-3.cm2.aarch64.rpm
+gnupg2-lang-2.4.0-3.cm2.aarch64.rpm
 gperf-3.1-5.cm2.aarch64.rpm
 gperf-debuginfo-3.1-5.cm2.aarch64.rpm
 gpgme-1.16.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -123,9 +123,9 @@ glibc-tools-2.35-10.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-debuginfo-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm
-gnupg2-2.4.0-2.cm2.x86_64.rpm
-gnupg2-debuginfo-2.4.0-2.cm2.x86_64.rpm
-gnupg2-lang-2.4.0-2.cm2.x86_64.rpm
+gnupg2-2.4.0-3.cm2.x86_64.rpm
+gnupg2-debuginfo-2.4.0-3.cm2.x86_64.rpm
+gnupg2-lang-2.4.0-3.cm2.x86_64.rpm
 gperf-3.1-5.cm2.x86_64.rpm
 gperf-debuginfo-3.1-5.cm2.x86_64.rpm
 gpgme-1.16.0-2.cm2.x86_64.rpm