git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
gnupg: fix CVE-2025-30258
author Yogita Urade <yogita.urade@windriver.com>
Tue, 22 Jul 2025 10:46:29 +0000 (16:16 +0530)
committer Steve Sakoman <steve@sakoman.com>
Tue, 22 Jul 2025 15:43:25 +0000 (08:43 -0700)
commit 467081219407cd30bcc9e575bedcb127b6bcea65
tree e3213ab3874de8fe667c1f7f88d3082ef5d7dbe5
parent c31dec7b32fe34fafd61dd593a2884eee13084fb
gnupg: fix CVE-2025-30258

In GnuPG before 2.5.5, if a user chooses to import a certificate
with certain crafted subkey data that lacks a valid backsig or
that has incorrect usage flags, the user loses the ability to
verify signatures made from certain other signing keys, aka a
"verification DoS."

CVE-2025-30258-0002 is the dependent commit while the rest
are CVE fixes.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-30258

Upstream patches:
https://dev.gnupg.org/rG25d748c3dfc0102f9e54afea59ff26b3969bd8c1
https://dev.gnupg.org/rG9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f
https://dev.gnupg.org/rGda0164efc7f32013bc24d97b9afa9f8d67c318bb
https://dev.gnupg.org/rG1e581619bf5315957f2be06b3b1a7f513304c126
https://dev.gnupg.org/rG4be25979a6b3e2a79d7c9667b07db8b09fb046e9

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0001.patch [new file with mode: 0644]
meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0002.patch [new file with mode: 0644]
meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0003.patch [new file with mode: 0644]
meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0004.patch [new file with mode: 0644]
meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0005.patch [new file with mode: 0644]
meta/recipes-support/gnupg/gnupg_2.3.7.bb