File gnupg-CVE-2025-30258-Fix-another-regression-due-to-the-T7547-fix.patch of Package gpg2.41297
From 15381ec004cf8434d9e5c5ed6d0fe4425e0c0b43 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 2 May 2025 11:11:05 +0200
Subject: [PATCH 5/6] gpg: Fix another regression due to the T7547 fix.
* g10/getkey.c (get_pubkey_for_sig): Keep a requested
PUBKEY_USAGE_CERT.
(finish_lookup): For correctness in future use cases allow
PUBKEY_USAGE_CERT to also trigger verify mode.
--
The case here was that a cert-only primary key was removed with
export-clean.
GnuPG-bug-id: 7583
Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
g10/getkey.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
Index: gnupg-2.2.27/g10/getkey.c
===================================================================
--- gnupg-2.2.27.orig/g10/getkey.c
+++ gnupg-2.2.27/g10/getkey.c
@@ -448,8 +448,10 @@ get_pubkey_for_sig (ctrl_t ctrl, PKT_pub
/* Make sure to request only keys cabable of signing. This makes
* sure that a subkey w/o a valid backsig or with bad usage flags
* will be skipped. We also request the verification mode so that
- * expired and reoked keys are returned. */
- pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY);
+ * expired and revoked keys are returned. We keep only a requested
+ * CERT usage in PK for the sake of key signatures. */
+ pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY
+ | (pk->req_usage & PUBKEY_USAGE_CERT));
/* First try the ISSUER_FPR info. */
fpr = issuer_fpr_raw (sig, &fprlen);
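Review bot: the rewritten assignment `pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY | (pk->req_usage & PUBKEY_USAGE_CERT));` now reads `pk->req_usage` before overwriting it, whereas the removed line only wrote the field, so the outcome depends on every caller of get_pubkey_for_sig having initialised req_usage (or zeroed the PKT_public_key) beforehand; a caller passing a stale or uninitialised pk would carry PUBKEY_USAGE_CERT into the lookup unintentionally. Please confirm all callers set the field, or document that precondition in the comment. Minor: the hunk corrects "reoked" to "revoked" but leaves "cabable" in the unchanged line just above; fixing it in the same hunk would be cheap.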
@@ -3541,7 +3543,7 @@ finish_lookup (kbnode_t keyblock, unsign
/* The verify mode is used to change the behaviour so that we can
* return an expired or revoked key for signature verification. */
verify_mode = ((req_usage & PUBKEY_USAGE_VERIFY)
- && (req_usage & PUBKEY_USAGE_SIG));
+ && (req_usage & (PUBKEY_USAGE_CERT|PUBKEY_USAGE_SIG)));
#define USAGE_MASK (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT)
req_usage &= USAGE_MASK;
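Review bot: the comment above `verify_mode` still states that the mode exists so "we can return an expired or revoked key for signature verification", but the new condition `(req_usage & (PUBKEY_USAGE_CERT|PUBKEY_USAGE_SIG))` also enables it when only a CERT usage is requested together with VERIFY; the comment should mention key signatures (certifications) as well, since the commit message only says "for correctness in future use cases" and nothing in the hunk records that intent. Note also that `req_usage &= USAGE_MASK;` strips PUBKEY_USAGE_VERIFY immediately afterwards, so this expression is the only consumer of the flag; a one-line comment stating that CERT is deliberately paired with SIG here would keep a later cleanup from "simplifying" it back to SIG only.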