From 0a7a099e7bbd65862a676b89f02c42554d8d3e2e Mon Sep 17 00:00:00 2001 From: Zach van Rijn Date: Fri, 2 Sep 2022 11:41:05 -0500 Subject: user/gnupg: bump { 2.2.23 --> 2.2.39 }. disable compressed packets. see also: https://dev.gnupg.org/D556 --- user/gnupg/APKBUILD | 12 +- user/gnupg/fix-i18n.patch | 12 -- user/gnupg/t5993-d556-disallow-compressed.patch | 171 ++++++++++++++++++++++++ 3 files changed, 178 insertions(+), 17 deletions(-) delete mode 100644 user/gnupg/fix-i18n.patch create mode 100644 user/gnupg/t5993-d556-disallow-compressed.patch diff --git a/user/gnupg/APKBUILD b/user/gnupg/APKBUILD index 71d07cc79..da778b135 100644 --- a/user/gnupg/APKBUILD +++ b/user/gnupg/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Sören Tempel # Maintainer: A. Wilcox pkgname=gnupg -pkgver=2.2.23 +pkgver=2.2.39 pkgrel=0 pkgdesc="Complete and free implementation of the OpenPGP standard" url="https://www.gnupg.org/" @@ -15,8 +15,10 @@ install="$pkgname.pre-install $pkgname.pre-upgrade" subpackages="$pkgname-doc $pkgname-lang" source="https://gnupg.org/ftp/gcrypt/$pkgname/$pkgname-$pkgver.tar.bz2 0001-Include-sys-select.h-for-FD_SETSIZE.patch - fix-i18n.patch - 60-scdaemon.rules" + t5993-d556-disallow-compressed.patch + + 60-scdaemon.rules + " # secfixes: # 2.2.23-r0: 
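Review bot: The `source=` list gains `t5993-d556-disallow-compressed.patch` with no comment recording where the patch comes from or whether upstream has merged it, so the next version bump has no cue to re-check or drop it. The commit message points at https://dev.gnupg.org/D556; a line above `source=` such as `# t5993-d556-disallow-compressed.patch: from https://dev.gnupg.org/D556, re-check on each bump` would keep the provenance of a locally carried security patch next to its checksum. The same hunk also adds an empty line inside the quoted list and moves the closing quote onto its own line; ending the list with `60-scdaemon.rules"` as before would keep it uniform. The removal of `fix-i18n.patch` is not explained in the commit message, and one sentence there on why it is no longer needed would help.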
@@ -54,7 +56,7 @@ package() { install -Dm644 "$srcdir"/60-scdaemon.rules "$pkgdir"/lib/udev/rules.d } -sha512sums="736b39628f7e4adc650b3f9937c81f27e9ad41e77f5345dc54262c91c1cf7004243fa7f932313bcde955e0e9b3f1afc639bac18023ae878b1d26e3c5a3cabb90 gnupg-2.2.23.tar.bz2 +sha512sums="73f881c12c82010aeaada500517ff39ab22b27ff21b1248bc2228b60a2d75385a44a53c5cfadb8f6b84ef22ad9db0105096b6620fb689560809b324019713940 gnupg-2.2.39.tar.bz2 c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch -b19a44dacf061dd02b439ab8bd820e3c721aab77168f705f5ce65661f26527b03ea88eec16d78486a633c474120589ec8736692ebff57ab9b95f52f57190ba6b fix-i18n.patch +47c61274650cebe55ffbd42fd5346afd04c6681a09cd9f51ccb0d253780eb23fd9424afa109426da49d6ea83cd911f6bc50d1f72abd887473ab41c88c25189df t5993-d556-disallow-compressed.patch 4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules" diff --git a/user/gnupg/fix-i18n.patch b/user/gnupg/fix-i18n.patch deleted file mode 100644 index 00d71dd5c..000000000 --- a/user/gnupg/fix-i18n.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- gnupg-2.1.7/common/i18n.c.orig 2015-08-31 20:40:18.752742866 +0300 -+++ gnupg-2.1.7/common/i18n.c 2015-08-31 20:40:41.806336224 +0300 -@@ -85,8 +85,8 @@ - bindtextdomain (PACKAGE_GT, gnupg_localedir ()); - textdomain (PACKAGE_GT); - #else --# ifdef ENABLE_NLS - setlocale (LC_ALL, "" ); -+# ifdef ENABLE_NLS - bindtextdomain (PACKAGE_GT, LOCALEDIR); - textdomain (PACKAGE_GT); - # endif diff --git a/user/gnupg/t5993-d556-disallow-compressed.patch b/user/gnupg/t5993-d556-disallow-compressed.patch new file mode 100644 index 000000000..e11dc6484 --- /dev/null +++ b/user/gnupg/t5993-d556-disallow-compressed.patch 
@@ -0,0 +1,171 @@ +diff --git a/g10/import.c b/g10/import.c +--- a/g10/import.c ++++ b/g10/import.c +@@ -1042,22 +1042,8 @@ + switch (pkt->pkttype) + { + case PKT_COMPRESSED: +- if (check_compress_algo (pkt->pkt.compressed->algorithm)) +- { +- rc = GPG_ERR_COMPR_ALGO; +- goto ready; +- } +- else +- { +- compress_filter_context_t *cfx = xmalloc_clear( sizeof *cfx ); +- pkt->pkt.compressed->buf = NULL; +- if (push_compress_filter2 (a, cfx, +- pkt->pkt.compressed->algorithm, 1)) +- xfree (cfx); /* e.g. in case of compression_algo NONE. */ +- } +- free_packet (pkt, &parsectx); +- init_packet(pkt); +- break; ++ rc = GPG_ERR_UNEXPECTED; ++ goto ready; + + case PKT_RING_TRUST: + /* Skip those packets unless we are in restore mode. */ +diff --git a/g10/mainproc.c b/g10/mainproc.c +--- a/g10/mainproc.c ++++ b/g10/mainproc.c +@@ -152,6 +152,7 @@ + { + kbnode_t node; + ++ log_assert(!(c->sigs_only && c->signed_data.used)); + if (c->list) /* Add another packet. */ + add_kbnode (c->list, new_kbnode (pkt)); + else /* Insert the first one. 
*/ +@@ -1077,7 +1078,10 @@ + + /*printf("zip: compressed data packet\n");*/ + if (c->sigs_only) +- rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c); ++ { ++ log_assert(!c->signed_data.used); ++ rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c); ++ } + else if( c->encrypt_only ) + rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c); + else +@@ -1596,6 +1600,7 @@ + c->iobuf = a; + init_packet(pkt); + init_parse_packet (&parsectx, a); ++ parsectx.sigs_only = c->sigs_only && c->signed_data.used; + while ((rc=parse_packet (&parsectx, pkt)) != -1) + { + any_data = 1; +@@ -1607,6 +1612,12 @@ + if (gpg_err_code (rc) == GPG_ERR_INV_PACKET + && opt.list_packets == 0) + break; ++ ++ if (gpg_err_code (rc) == GPG_ERR_UNEXPECTED) ++ { ++ write_status_text( STATUS_UNEXPECTED, "0" ); ++ goto leave; ++ } + continue; + } + newpkt = -1; +@@ -1644,7 +1655,9 @@ + case PKT_COMPRESSED: rc = proc_compressed (c, pkt); break; + case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break; + case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break; +- default: newpkt = 0; break; ++ default: ++ log_assert(!c->signed_data.used); ++ newpkt = 0; break; + } + } + else if (c->encrypt_only) +diff --git a/g10/packet.h b/g10/packet.h +--- a/g10/packet.h ++++ b/g10/packet.h +@@ -657,6 +657,7 @@ + int free_last_pkt; /* Indicates that LAST_PKT must be freed. */ + int skip_meta; /* Skip ring trust packets. */ + unsigned int n_parsed_packets; /* Number of parsed packets. 
*/ ++ int sigs_only; /* Only accept detached signature packets */ + }; + typedef struct parse_packet_ctx_s *parse_packet_ctx_t; + +@@ -667,6 +668,7 @@ + (a)->free_last_pkt = 0; \ + (a)->skip_meta = 0; \ + (a)->n_parsed_packets = 0; \ ++ (a)->sigs_only = 0; \ + } while (0) + + #define deinit_parse_packet(a) do { \ +diff --git a/g10/parse-packet.c b/g10/parse-packet.c +--- a/g10/parse-packet.c ++++ b/g10/parse-packet.c +@@ -738,6 +738,20 @@ + case PKT_ENCRYPTED_MDC: + case PKT_ENCRYPTED_AEAD: + case PKT_COMPRESSED: ++ if (ctx->sigs_only) ++ { ++ log_error (_("partial length packet of type %d in detached" ++ " signature\n"), pkttype); ++ rc = gpg_error (GPG_ERR_UNEXPECTED); ++ goto leave; ++ } ++ if (onlykeypkts) ++ { ++ log_error (_("partial length packet of type %d in keyring\n"), ++ pkttype); ++ rc = gpg_error (GPG_ERR_UNEXPECTED); ++ goto leave; ++ } + iobuf_set_partial_body_length_mode (inp, c & 0xff); + pktlen = 0; /* To indicate partial length. */ + partial = 1; +@@ -775,6 +789,20 @@ + rc = gpg_error (GPG_ERR_INV_PACKET); + goto leave; + } ++ else if (ctx->sigs_only) ++ { ++ log_error (_("indeterminate length packet of type %d in detached" ++ " signature\n"), pkttype); ++ rc = gpg_error (GPG_ERR_UNEXPECTED); ++ goto leave; ++ } ++ else if (onlykeypkts) ++ { ++ log_error (_("indeterminate length packet of type %d in" ++ " keyring\n"), pkttype); ++ rc = gpg_error (GPG_ERR_UNEXPECTED); ++ goto leave; ++ } + } + else + { +@@ -828,7 +856,21 @@ + goto leave; + } + +- if (with_uid && pkttype == PKT_USER_ID) ++ if (ctx->sigs_only) ++ switch (pkttype) ++ { ++ case PKT_SIGNATURE: ++ case PKT_MARKER: ++ break; ++ default: ++ log_error(_("Packet type %d not allowed in detached signature\n"), ++ pkttype); ++ iobuf_skip_rest (inp, pktlen, partial); ++ *skip = 1; ++ rc = GPG_ERR_UNEXPECTED; ++ goto leave; ++ } ++ else if (with_uid && pkttype == PKT_USER_ID) + /* If ONLYKEYPKTS is set to 2, then we never skip user id packets, + even if DO_SKIP is set. 
*/ + ; + -- cgit v1.2.3-60-g2f50
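Review bot: In the last g10/parse-packet.c hunk of this patch, the detached-signature `switch` sets a bare `rc = GPG_ERR_UNEXPECTED;`, while the four partial- and indeterminate-length branches added above it use `rc = gpg_error (GPG_ERR_UNEXPECTED);`; the g10/import.c hunk uses the bare form as well. The new check in g10/mainproc.c compares `gpg_err_code (rc)`, so both forms are caught, but the bare value carries no error source, and `rc = gpg_error (GPG_ERR_UNEXPECTED);` would make the rejection paths uniform. Separately, the three `log_assert` calls added to g10/mainproc.c depend on `c->sigs_only` and `c->signed_data.used`; if untrusted input can still reach them (not decidable from these hunks), the process would presumably stop in the assertion rather than emit `STATUS_UNEXPECTED`, so a comment stating why each is unreachable, or an error return instead, is worth adding. The `PKT_COMPRESSED` case in g10/import.c also rejects without a `log_error`, unlike the parse-packet.c branches, which leaves a failed import without a stated reason unless code outside the hunk reports it. All of the patched functions start and end outside the hunks shown.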