File gnupg-CVE-2025-30258-Remove-a-signature-check-function-wrapper.patch of Package gpg2.41297

From 71b32f85a9fc877d1e1528a5392317b451c3b379 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 20 Feb 2025 14:50:20 +0100
Subject: [PATCH 2/6] gpg: Remove a signature check function wrapper.

* g10/sig-check.c (check_signature2): Rename to
(check_signature): this and remove the old wrapper. Adjust all
callers.

Signed-off-by: Lucas Mulling <lucas.mulling@suse.com>
---
 g10/mainproc.c  | 13 +++++--------
 g10/packet.h    |  6 +-----
 g10/sig-check.c | 23 +++++++----------------
 3 files changed, 13 insertions(+), 29 deletions(-)

Index: gnupg-2.2.27/g10/mainproc.c
===================================================================
--- gnupg-2.2.27.orig/g10/mainproc.c
+++ gnupg-2.2.27/g10/mainproc.c
@@ -1165,19 +1165,17 @@ do_check_sig (CTX c, kbnode_t node,
 
   /* We only get here if we are checking the signature of a binary
      (0x00) or text document (0x01).  */
-  rc = check_signature2 (c->ctrl, sig, md,
-                         forced_pk,
-                         NULL, is_expkey, is_revkey, r_pk);
+  rc = check_signature (c->ctrl, sig, md,
+                        forced_pk, NULL, is_expkey, is_revkey, r_pk);
   if (! rc)
     md_good = md;
   else if (gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE && md2)
     {
       PKT_public_key *pk2;
 
-      rc = check_signature2 (c->ctrl, sig, md2,
-                             forced_pk,
-                             NULL, is_expkey, is_revkey,
-                             r_pk? &pk2 : NULL);
+      rc = check_signature (c->ctrl, sig, md2,
+                            forced_pk, NULL, is_expkey, is_revkey,
+                            r_pk? &pk2 : NULL);
       if (!rc)
         {
           md_good = md2;
Index: gnupg-2.2.27/g10/packet.h
===================================================================
--- gnupg-2.2.27.orig/g10/packet.h
+++ gnupg-2.2.27/g10/packet.h
@@ -882,16 +882,12 @@ int cmp_user_ids( PKT_user_id *a, PKT_us
 
 
 /*-- sig-check.c --*/
-/* Check a signature.  This is shorthand for check_signature2 with
-   the unnamed arguments passed as NULL.  */
-int check_signature (ctrl_t ctrl, PKT_signature *sig, gcry_md_hd_t digest);
-
 /* Check a signature.  Looks up the public key from the key db.  (If
  * R_PK is not NULL, it is stored at RET_PK.)  DIGEST contains a
  * valid hash context that already includes the signed data.  This
  * function adds the relevant meta-data to the hash before finalizing
  * it and verifying the signature.  FOCRED_PK is usually NULL. */
-gpg_error_t check_signature2 (ctrl_t ctrl,
+gpg_error_t check_signature (ctrl_t ctrl,
                               PKT_signature *sig, gcry_md_hd_t digest,
                               PKT_public_key *forced_pk,
                               u32 *r_expiredate, int *r_expired, int *r_revoked,
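Review bot: The doc comment kept above the renamed prototype is now the only header-level description of `check_signature`, and it does not match the parameters: it mentions `RET_PK` and `FOCRED_PK`, while the definition in sig-check.c names them `r_pk` and `forced_pk`. It also does not say that the out parameters may be NULL, which the callers in this patch rely on (check_revocation_keys passes NULL for all of them). I would reword the tail to something like `If R_PK is not NULL, the public key is stored there.  FORCED_PK is usually NULL; R_EXPIREDATE, R_EXPIRED and R_REVOKED may be NULL if the caller does not need them.`, after confirming this against the function body, which this patch does not show. The continuation lines of the prototype are also still indented for the longer old name, and the prototype itself continues past the end of the hunk.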
Index: gnupg-2.2.27/g10/sig-check.c
===================================================================
--- gnupg-2.2.27.orig/g10/sig-check.c
+++ gnupg-2.2.27/g10/sig-check.c
@@ -63,16 +63,6 @@ sig_check_dump_stats (void)
             cache_stats.goodsig, cache_stats.badsig);
 }
 
-
-/* Check a signature.  This is shorthand for check_signature2 with
-   the unnamed arguments passed as NULL.  */
-int
-check_signature (ctrl_t ctrl, PKT_signature *sig, gcry_md_hd_t digest)
-{
-  return check_signature2 (ctrl, sig, digest, NULL, NULL, NULL, NULL, NULL);
-}
-
-
 /* Check a signature.
  *
  * Looks up the public key that created the signature (SIG->KEYID)
@@ -114,11 +104,11 @@ check_signature (ctrl_t ctrl, PKT_signat
  *
  * Returns 0 on success.  An error code otherwise.  */
 gpg_error_t
-check_signature2 (ctrl_t ctrl,
-                  PKT_signature *sig, gcry_md_hd_t digest,
-                  PKT_public_key *forced_pk,
-                  u32 *r_expiredate,
-		  int *r_expired, int *r_revoked, PKT_public_key **r_pk)
+check_signature (ctrl_t ctrl,
+                 PKT_signature *sig, gcry_md_hd_t digest,
+                 PKT_public_key *forced_pk,
+                 u32 *r_expiredate, int *r_expired, int *r_revoked,
+                 PKT_public_key **r_pk)
 {
   int rc=0;
   PKT_public_key *pk;
@@ -721,7 +711,8 @@ check_revocation_keys (ctrl_t ctrl, PKT_
               hash_public_key(md,pk);
 	      /* Note: check_signature only checks that the signature
 		 is good.  It does not fail if the key is revoked.  */
-              rc = check_signature (ctrl, sig, md);
+              rc = check_signature (ctrl, sig, md, NULL, NULL, NULL,
+                                    NULL, NULL);
 	      cache_sig_result(sig,rc);
               gcry_md_close (md);
 	      break;
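Review bot: The five positional NULLs in the new `check_signature` call are hard to map to parameters, and the existing comment above the call does not explain them. Going by the definition's parameter order they are forced_pk, r_expiredate, r_expired, r_revoked and r_pk, so the verifying key is looked up from SIG->KEYID and no expiry or revocation state is returned to this caller. I would extend the comment with `/* FORCED_PK and all R_* out parameters are NULL: the key is looked up by keyid and its expired/revoked state is not requested. */`. It is also worth checking that `rc` in check_revocation_keys, which is declared outside the hunk, suits the `gpg_error_t` return type, since the removed wrapper returned `int`.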