@Ratiranjan5 Ratiranjan5 commented Nov 10, 2025

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Patch gnupg2 for CVE-2025-30258
Patch modified: Yes

  • Upstream patch was applied manually as the hunk failed.
    i. Upstream uses get_pubkey_byfpr() and check_signature(), while our code base uses get_pubkey_byfprint() and check_signature2() respectively.
    ii. check_signature2() now has 11 parameters (the last one is kbnode_t *r_keyblock, introduced by upstream changes). Adding an extra NULL ensures proper alignment with the function definition and prevents compilation errors.
    iii. Adjustments were made to align with our existing function names and argument structure.

  • Excluded the NEWS file from the upstream patch because it references version 2.5.5, while our package is based on gnupg-2.4.7.

Upstream Patch reference:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=48978ccb4e20866472ef18436a32744350a65158

Change Log
  • new file: SPECS/gnupg2/CVE-2025-30258.patch
  • modified: SPECS/gnupg2/gnupg2.spec
Does this affect the toolchain?

YES

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Local Build: Patch applies cleanly.
  • Check Uninstallation

@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Nov 10, 2025
@Ratiranjan5 Ratiranjan5 marked this pull request as ready for review November 11, 2025 10:30
@Ratiranjan5 Ratiranjan5 requested a review from a team as a code owner November 11, 2025 10:30

@suresh-thelkar suresh-thelkar left a comment


It seems you also need to take the following commit and backport it, which makes the fix complete for the CVE and handles edge cases as well. Here is the upstream patch:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blobdiff;f=g10/getkey.c;h=e93c0a90449c667435fb8deb2b87d678f669327e;hp=21f996a5b3ef8c726516104986295bcc78d56afc;hb=d3d7713c1799754160260cb350309dd183b397f5;hpb=25d48663f9ed4b21b24b89abed71201ef0604657


@suresh-thelkar suresh-thelkar left a comment


I have verified the backporting changes:

  • Upstream before patch: single function check_signature handling full signature verification.
  • Azure baseline: wrapper int check_signature(ctrl, PKT_signature*, gcry_md_hd_t) calling core gpg_error_t check_signature2(..., extrahash, forced_pk, r_expiredate, r_expired, r_revoked, r_pk). The upstream patch adds kbnode_t *r_keyblock to the end of the parameter list; Azure adds it to check_signature2 (core) and adjusts the wrapper to pass NULL.

The Azure patch fully incorporates upstream's new r_keyblock flow by adapting the core verification function (check_signature2) instead of upstream's monolithic check_signature, with correct propagation, cleanup, and re-verification logic. No upstream functional changes related to the DoS fix are absent.

As this is a toolchain package, please make sure to run the full build and verify all the ptests.

@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Nov 19, 2025

0xba1a commented Nov 19, 2025

@Ratiranjan5 @Kanishk-Bansal as mentioned by Suresh, can we run full-build once?

@Ratiranjan5 Ratiranjan5 (Author) replied:

> @Ratiranjan5 @Kanishk-Bansal as mentioned by Suresh, can we run full-build once?

full build

Labels

  • 3.0-dev (PRs Destined for AzureLinux 3.0)
  • Packaging
  • ready-for-stable-review (PR has passed initial review and is now ready for a second-level stable maintainer review)
  • security
