microsoft · azurelinux-security · Dec 29, 2025 · Dec 28, 2025 · Dec 30, 2025 · Dec 28, 2025
@@ -0,0 +1,68 @@
+From 33731863e1efaa7f3230a2a7335a87390f387444 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 29 Dec 2025 16:57:49 +0000
+Subject: [PATCH] gpg: Fix possible memory corruption in armor parser; add
+ filter len asserts in iobuf underflow; fix faulty double increment in
+ armor_filter loop. (Backport)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9.patch
+---
+ common/iobuf.c | 5 +++++
+ g10/armor.c    | 6 +++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/common/iobuf.c b/common/iobuf.c
+index 748e693..27c826b 100644
+--- a/common/iobuf.c
++++ b/common/iobuf.c
+@@ -2043,6 +2043,7 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	rc = 0;
+       else
+       {
++	size_t tmplen;
+ 	/* If no buffered data and drain buffer has been setup, and drain
+ 	 * buffer is largish, read data directly to drain buffer. */
+ 	if (a->d.len == 0
+@@ -2055,8 +2056,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	      log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes, to external drain)\n",
+ 			 a->no, a->subno, (ulong)len);
+
++	    tmplen = len;  /* Used to check for bugs in the filter.  */
+ 	    rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+ 			    a->e_d.buf, &len);
++	    log_assert (len <= tmplen);
+ 	    a->e_d.used = len;
+ 	    len = 0;
+ 	  }
+@@ -2066,8 +2069,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
+ 	      log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes)\n",
+ 			 a->no, a->subno, (ulong)len);
+
++	    tmplen = len;
+ 	    rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+ 			    &a->d.buf[a->d.len], &len);
++	    log_assert (len <= tmplen);
+ 	  }
+       }
+       a->d.len += len;
+diff --git a/g10/armor.c b/g10/armor.c
+index 81af153..231d158 100644
+--- a/g10/armor.c
++++ b/g10/armor.c
+@@ -1301,9 +1301,9 @@ armor_filter( void *opaque, int control,
+     if( control == IOBUFCTRL_UNDERFLOW && afx->inp_bypass ) {
+ 	n = 0;
+ 	if( afx->buffer_len ) {
+-            /* Copy the data from AFX->BUFFER to BUF.  */
+-	    for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
+-		buf[n++] = afx->buffer[afx->buffer_pos++];
++                /* Copy the data from AFX->BUFFER to BUF.  */
++            for(; n < size && afx->buffer_pos < afx->buffer_len;)
++                buf[n++] = afx->buffer[afx->buffer_pos++];
+ 	    if( afx->buffer_pos >= afx->buffer_len )
+ 		afx->buffer_len = 0;
+ 	}
+-- 
+2.45.4
+
@@ -1,13 +1,14 @@
 Summary:        OpenPGP standard implementation used for encrypted communication and data storage.
 Name:           gnupg2
 Version:        2.4.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD and CC0 and GPLv2+ and LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Applications/Cryptography.
 URL:            https://gnupg.org/index.html
 Source0:        https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+Patch0:         CVE-2025-68973.patch
 BuildRequires:  zlib-devel
 BuildRequires:  bzip2-devel
 BuildRequires:  readline-devel
@@ -48,7 +49,7 @@ Requires: %{name} = %{version}-%{release}
 These are the additional language files of gnupg2
 
 %prep
-%autosetup -n gnupg-%{version}
+%autosetup -n gnupg-%{version} -p1
 
 %build
 # Prevent GnuPG from using keyboxd for storing keys.
@@ -105,6 +106,9 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2
 %defattr(-,root,root)
 
 %changelog
+* Mon Dec 29 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.4.7-2
+- Patch for CVE-2025-68973
+
 * Mon Jun 23 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 2.4.7-1
 - Upgrade to version 2.4.7
 

@@ -228,8 +228,8 @@ libksba-devel-1.6.4-1.azl3.aarch64.rpm
 libxslt-1.1.43-3.azl3.aarch64.rpm
 npth-1.6-4.azl3.aarch64.rpm
 pinentry-1.2.1-1.azl3.aarch64.rpm
-gnupg2-2.4.7-1.azl3.aarch64.rpm
-gnupg2-lang-2.4.7-1.azl3.aarch64.rpm
+gnupg2-2.4.7-2.azl3.aarch64.rpm
+gnupg2-lang-2.4.7-2.azl3.aarch64.rpm
 gpgme-1.23.2-2.azl3.aarch64.rpm
 azurelinux-repos-shared-3.0-5.azl3.noarch.rpm
 azurelinux-repos-3.0-5.azl3.noarch.rpm

@@ -228,8 +228,8 @@ libksba-devel-1.6.4-1.azl3.x86_64.rpm
 libxslt-1.1.43-3.azl3.x86_64.rpm
 npth-1.6-4.azl3.x86_64.rpm
 pinentry-1.2.1-1.azl3.x86_64.rpm
-gnupg2-2.4.7-1.azl3.x86_64.rpm
-gnupg2-lang-2.4.7-1.azl3.x86_64.rpm
+gnupg2-2.4.7-2.azl3.x86_64.rpm
+gnupg2-lang-2.4.7-2.azl3.x86_64.rpm
 gpgme-1.23.2-2.azl3.x86_64.rpm
 azurelinux-repos-shared-3.0-5.azl3.noarch.rpm
 azurelinux-repos-3.0-5.azl3.noarch.rpm

@@ -140,9 +140,9 @@ glibc-tools-2.38-16.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-debuginfo-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
-gnupg2-2.4.7-1.azl3.aarch64.rpm
-gnupg2-debuginfo-2.4.7-1.azl3.aarch64.rpm
-gnupg2-lang-2.4.7-1.azl3.aarch64.rpm
+gnupg2-2.4.7-2.azl3.aarch64.rpm
+gnupg2-debuginfo-2.4.7-2.azl3.aarch64.rpm
+gnupg2-lang-2.4.7-2.azl3.aarch64.rpm
 gperf-3.1-5.azl3.aarch64.rpm
 gperf-debuginfo-3.1-5.azl3.aarch64.rpm
 gpgme-1.23.2-2.azl3.aarch64.rpm

@@ -147,9 +147,9 @@ glibc-tools-2.38-16.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-debuginfo-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
-gnupg2-2.4.7-1.azl3.x86_64.rpm
-gnupg2-debuginfo-2.4.7-1.azl3.x86_64.rpm
-gnupg2-lang-2.4.7-1.azl3.x86_64.rpm
+gnupg2-2.4.7-2.azl3.x86_64.rpm
+gnupg2-debuginfo-2.4.7-2.azl3.x86_64.rpm
+gnupg2-lang-2.4.7-2.azl3.x86_64.rpm
 gperf-3.1-5.azl3.x86_64.rpm
 gperf-debuginfo-3.1-5.azl3.x86_64.rpm
 gpgme-1.23.2-2.azl3.x86_64.rpm