Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch gnupg2 for CVE-2026-24882 [HIGH] - branch 3.0-dev" #15713

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/gnupg2/CVE-2026-24882.patch

@@ -0,0 +1,64 @@
+From b23aa406f96b773fc2c8cc2cf63451f59a435350 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 26 Jan 2026 11:13:44 +0100
+Subject: [PATCH] tpm: Fix possible buffer overflow in PKDECRYPT
+
+* tpm2d/tpm2.c (tpm2_ecc_decrypt): Bail out on too long CIPHERTEXT.
+(tpm2_rsa_decrypt): Ditto.
+--
+
+GnuPG-bug-id: 8045
+Co-authored-by: NIIBE Yutaka <gniibe@fsij.org>
+Reported-by: OpenAI Security Research
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/gpg/gnupg/commit/93fa34d9a346.patch
+---
+ tpm2d/tpm2.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
+index 3e908dd..cd0347c 100644
+--- a/tpm2d/tpm2.c
++++ b/tpm2d/tpm2.c
+@@ -917,10 +917,20 @@ tpm2_ecc_decrypt (ctrl_t ctrl, TSS_CONTEXT *tssc, TPM_HANDLE key,
+   size_t len;
+   int ret;
+ 
++#if defined(TPM2_MAX_ECC_KEY_BYTES) /* Intel stack */
++  if (ciphertext_len > 2*TPM2_MAX_ECC_KEY_BYTES + 1)
++    return GPG_ERR_TOO_LARGE;
++#elif defined(MAX_ECC_KEY_BYTES)    /* IBM stack */
++  if (ciphertext_len > 2*MAX_ECC_KEY_BYTES + 1)
++    return GPG_ERR_TOO_LARGE;
++#else
++# error TMP2 header are not correctly installed
++#endif
++
+   /* This isn't really a decryption per se.  The ciphertext actually
+    * contains an EC Point which we must multiply by the private key number.
+    *
+-   * The reason is to generate a diffe helman agreement on a shared
++   * The reason is to generate a diffie-hellman agreement on a shared
+    * point.  This shared point is then used to generate the per
+    * session encryption key.
+    */
+@@ -976,6 +986,16 @@ tpm2_rsa_decrypt (ctrl_t ctrl, TSS_CONTEXT *tssc, TPM_HANDLE key,
+   TPM_HANDLE ah;
+   char *auth;
+ 
++#if defined(TPM2_MAX_RSA_KEY_BYTES)  /* Intel stack */
++  if (ciphertext_len > TPM2_MAX_RSA_KEY_BYTES)
++    return GPG_ERR_TOO_LARGE;
++#elif defined(MAX_RSA_KEY_BYTES)     /* IBM stack */
++  if (ciphertext_len > MAX_RSA_KEY_BYTES)
++    return GPG_ERR_TOO_LARGE;
++#else
++# error TMP2 header are not correctly installed
++#endif
++
+   inScheme.scheme = TPM_ALG_RSAES;
+   /*
+    * apparent gcrypt error: occasionally rsa ciphertext will
+-- 
+2.45.4
+

SPECS/gnupg2/gnupg2.spec

@@ -1,13 +1,14 @@
 Summary:        OpenPGP standard implementation used for encrypted communication and data storage.
 Name:           gnupg2
 Version:        2.4.9
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD and CC0 and GPLv2+ and LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Applications/Cryptography.
 URL:            https://gnupg.org/index.html
 Source0:        https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+Patch0:         CVE-2026-24882.patch
 BuildRequires:  zlib-devel
 BuildRequires:  bzip2-devel
 BuildRequires:  readline-devel
@@ -104,6 +105,9 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2
 %defattr(-,root,root)
 
 %changelog
+* Tue Feb 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.4.9-2
+- Patch for CVE-2026-24882
+
 * Mon Jan 05 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.4.9-1
 - Auto-upgrade to 2.4.9 - for CVE-2025-68973
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -228,8 +228,8 @@ libksba-devel-1.6.4-1.azl3.aarch64.rpm
 libxslt-1.1.43-3.azl3.aarch64.rpm
 npth-1.6-4.azl3.aarch64.rpm
 pinentry-1.2.1-1.azl3.aarch64.rpm
-gnupg2-2.4.9-1.azl3.aarch64.rpm
-gnupg2-lang-2.4.9-1.azl3.aarch64.rpm
+gnupg2-2.4.9-2.azl3.aarch64.rpm
+gnupg2-lang-2.4.9-2.azl3.aarch64.rpm
 gpgme-1.23.2-2.azl3.aarch64.rpm
 azurelinux-repos-shared-3.0-5.azl3.noarch.rpm
 azurelinux-repos-3.0-5.azl3.noarch.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -228,8 +228,8 @@ libksba-devel-1.6.4-1.azl3.x86_64.rpm
 libxslt-1.1.43-3.azl3.x86_64.rpm
 npth-1.6-4.azl3.x86_64.rpm
 pinentry-1.2.1-1.azl3.x86_64.rpm
-gnupg2-2.4.9-1.azl3.x86_64.rpm
-gnupg2-lang-2.4.9-1.azl3.x86_64.rpm
+gnupg2-2.4.9-2.azl3.x86_64.rpm
+gnupg2-lang-2.4.9-2.azl3.x86_64.rpm
 gpgme-1.23.2-2.azl3.x86_64.rpm
 azurelinux-repos-shared-3.0-5.azl3.noarch.rpm
 azurelinux-repos-3.0-5.azl3.noarch.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -140,9 +140,9 @@ glibc-tools-2.38-18.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-debuginfo-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
-gnupg2-2.4.9-1.azl3.aarch64.rpm
-gnupg2-debuginfo-2.4.9-1.azl3.aarch64.rpm
-gnupg2-lang-2.4.9-1.azl3.aarch64.rpm
+gnupg2-2.4.9-2.azl3.aarch64.rpm
+gnupg2-debuginfo-2.4.9-2.azl3.aarch64.rpm
+gnupg2-lang-2.4.9-2.azl3.aarch64.rpm
 gperf-3.1-5.azl3.aarch64.rpm
 gperf-debuginfo-3.1-5.azl3.aarch64.rpm
 gpgme-1.23.2-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -147,9 +147,9 @@ glibc-tools-2.38-18.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-debuginfo-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
-gnupg2-2.4.9-1.azl3.x86_64.rpm
-gnupg2-debuginfo-2.4.9-1.azl3.x86_64.rpm
-gnupg2-lang-2.4.9-1.azl3.x86_64.rpm
+gnupg2-2.4.9-2.azl3.x86_64.rpm
+gnupg2-debuginfo-2.4.9-2.azl3.x86_64.rpm
+gnupg2-lang-2.4.9-2.azl3.x86_64.rpm
 gperf-3.1-5.azl3.x86_64.rpm
 gperf-debuginfo-3.1-5.azl3.x86_64.rpm
 gpgme-1.23.2-2.azl3.x86_64.rpm