pkgsrc-Changes archive
CVS commit: pkgsrc/security/gnupg2
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jun 22 20:08:57 UTC 2026
Modified Files:
pkgsrc/security/gnupg2: Makefile distinfo
Added Files:
pkgsrc/security/gnupg2/patches: patch-sm_decrypt.c
Log Message:
gnupg2: add upstream patch for CVE-2026-34182
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.177 -r1.178 pkgsrc/security/gnupg2/Makefile
cvs rdiff -u -r1.97 -r1.98 pkgsrc/security/gnupg2/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnupg2/patches/patch-sm_decrypt.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/gnupg2/Makefile
diff -u pkgsrc/security/gnupg2/Makefile:1.177 pkgsrc/security/gnupg2/Makefile:1.178
--- pkgsrc/security/gnupg2/Makefile:1.177 Thu May 14 16:41:59 2026
+++ pkgsrc/security/gnupg2/Makefile Mon Jun 22 20:08:57 2026
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.177 2026/05/14 16:41:59 ryoon Exp $
+# $NetBSD: Makefile,v 1.178 2026/06/22 20:08:57 wiz Exp $
DISTNAME= gnupg-2.5.20
PKGNAME= ${DISTNAME:S/gnupg-/gnupg2-/}
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GNUPG:=gnupg/}
EXTRACT_SUFX= .tar.bz2
Index: pkgsrc/security/gnupg2/distinfo
diff -u pkgsrc/security/gnupg2/distinfo:1.97 pkgsrc/security/gnupg2/distinfo:1.98
--- pkgsrc/security/gnupg2/distinfo:1.97 Thu May 14 12:38:11 2026
+++ pkgsrc/security/gnupg2/distinfo Mon Jun 22 20:08:57 2026
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.97 2026/05/14 12:38:11 adam Exp $
+$NetBSD: distinfo,v 1.98 2026/06/22 20:08:57 wiz Exp $
BLAKE2s (gnupg-2.5.20.tar.bz2) = 5f30632261ae8febc1b4de3a7189a1c24effa31b1e995ff61087becdb7bf01f0
SHA512 (gnupg-2.5.20.tar.bz2) = 73e5f3020271069421c220871caffcb6ec05c52a8e12d8dcbd214ce2b14a2b22ce0030d9e1fedf25c60ec1077a33630b0a6bd1cc1043fbbaf7083b998113f90f
Size (gnupg-2.5.20.tar.bz2) = 8327674 bytes
SHA1 (patch-common_sysutils.c) = 569c12e21172c1521284922244b2f4f361c945d6
+SHA1 (patch-sm_decrypt.c) = f39c64f78fae05f8caea11102b28300bbe4d6c80
Added files:
Index: pkgsrc/security/gnupg2/patches/patch-sm_decrypt.c
diff -u /dev/null pkgsrc/security/gnupg2/patches/patch-sm_decrypt.c:1.1
--- /dev/null Mon Jun 22 20:08:57 2026
+++ pkgsrc/security/gnupg2/patches/patch-sm_decrypt.c Mon Jun 22 20:08:57 2026
@@ -0,0 +1,30 @@
+$NetBSD: patch-sm_decrypt.c,v 1.1 2026/06/22 20:08:57 wiz Exp $
+
+gpgsm: Require a minimum tag length for GCM decryption.
+* sm/decrypt.c (gpgsm_decrypt): Require a minimum authtaglen.
+--
+
+Reported-by: Thai Duong <thai%calif.io@localhost>
+This is similar to OpenSSL's
+CVE-id: CVE-2026-34182
+
+https://github.com/gpg/gnupg/commit/4c7e68cf3d335328821bdbb70db309a60d0e4fd4
+
+--- sm/decrypt.c.orig 2026-05-13 12:33:59.000000000 +0000
++++ sm/decrypt.c
+@@ -1447,7 +1447,14 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t
+ }
+ if (DBG_CRYPTO)
+ log_printhex (authtag, authtaglen, "Authtag ...:");
+- rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen);
++ if (authtaglen < 12)
++ {
++ log_info ("authentication tag is too short (%zu octets)\n",
++ authtaglen);
++ rc = gpg_error (GPG_ERR_CHECKSUM);
++ }
++ else
++ rc = gcry_cipher_checktag (dfparm.hd, authtag, authtaglen);
+ xfree (authtag);
+ if (rc)
+ log_error ("data is not authentic: %s\n", gpg_strerror (rc));
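Review bot: The bound in `if (authtaglen < 12)` is a bare literal with no comment at the point of use; the only rationale is the patch header line "Require a minimum tag length for GCM decryption". A one-line comment above the check, or a named constant, saying that 12 octets is the minimum accepted GCM tag length would keep the value from being altered or copied without context. On the short-tag path two messages are emitted, the log_info "authentication tag is too short" and then the log_error "data is not authentic" with GPG_ERR_CHECKSUM, so the error code is the same as for a tag mismatch. That looks intended, but it deserves a mention in the patch description for anyone matching on the log text.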