diff --git a/.gitignore b/.gitignore
index 7aa4a7e..ffb32bd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/gnupg-2.3.1.tar.bz2
+SOURCES/gnupg-2.3.3.tar.bz2
diff --git a/.gnupg2.metadata b/.gnupg2.metadata
index 3f09c34..b761d69 100644
--- a/.gnupg2.metadata
+++ b/.gnupg2.metadata
@@ -1 +1 @@
-a8f66ba4f7dcb2e7322aef786f942ce5ccca6f14 SOURCES/gnupg-2.3.1.tar.bz2
+b19a407076424704f1b00e8265254de1b3061659 SOURCES/gnupg-2.3.3.tar.bz2
diff --git a/SOURCES/gnupg-2.2.16-ocsp-keyusage.patch b/SOURCES/gnupg-2.2.16-ocsp-keyusage.patch
deleted file mode 100644
index eeed053..0000000
--- a/SOURCES/gnupg-2.2.16-ocsp-keyusage.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c
---- gnupg-2.2.16/sm/certlist.c.keyusage	2019-07-01 17:17:06.925254065 +0200
-+++ gnupg-2.2.16/sm/certlist.c	2019-07-01 17:24:15.665759322 +0200
-@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode
- 
-   if (mode == 5)
-     {
--      if (use != ~0
--          && (have_ocsp_signing
--              || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
--                         |KSBA_KEYUSAGE_CRL_SIGN))))
-+      if (have_ocsp_signing
-+          || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
-+                     |KSBA_KEYUSAGE_CRL_SIGN)))
-         return 0;
-       if (!silent)
-         log_info (_("certificate should not have "
diff --git a/SOURCES/gnupg-2.2.20-file-is-digest.patch b/SOURCES/gnupg-2.2.20-file-is-digest.patch
index a85c9bd..c2bf7c3 100644
--- a/SOURCES/gnupg-2.2.20-file-is-digest.patch
+++ b/SOURCES/gnupg-2.2.20-file-is-digest.patch
@@ -64,17 +64,34 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
        else
          sig->version = 4;  /* Required.  */
  
-@@ -860,8 +863,11 @@ write_signature_packets (ctrl_t ctrl,
-         err = mk_sig_subpkt_key_block (ctrl, sig, pk);
-       else
-         err = 0;
+@@ -860,14 +863,22 @@ write_signature_packets (ctrl_t ctrl,
+       if (gcry_md_copy (&md, hash))
+         BUG ();
+ 
+-      build_sig_subpkt_from_sig (sig, pk);
+-      mk_notation_policy_etc (ctrl, sig, NULL, pk);
+-      if (opt.flags.include_key_block && IS_SIG (sig))
+-        err = mk_sig_subpkt_key_block (ctrl, sig, pk);
+-      else
+-        err = 0;
 -      hash_sigversion_to_magic (md, sig, extrahash);
 -      gcry_md_final (md);
++      if (!opt.file_is_digest)
++        {
++          build_sig_subpkt_from_sig (sig, pk);
++          mk_notation_policy_etc (ctrl, sig, NULL, pk);
++          if (opt.flags.include_key_block && IS_SIG (sig))
++            err = mk_sig_subpkt_key_block (ctrl, sig, pk);
++          else
++            err = 0;
 +
-+      if (!opt.file_is_digest) {
-+        hash_sigversion_to_magic (md, sig, extrahash);
-+        gcry_md_final (md);
-+      }
++          hash_sigversion_to_magic (md, sig, extrahash);
++          gcry_md_final (md);
++        }
++      else if (sig->version >= 4)
++        {
++          log_bug("file-is-digest doesn't work with v4 sigs\n");
++        }
  
        if (!err)
          err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
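Review bot: On the `opt.file_is_digest` path of write_signature_packets, nothing visible assigns `err` before the `if (!err)` test that gates do_sign. Both assignments now sit inside the `if (!opt.file_is_digest)` block, and the new `else if (sig->version >= 4)` arm only calls `log_bug`. The declaration of `err` is outside this hunk, so this matters only if it is declared without an initializer; in that case digest-only signing would branch on an indeterminate value. Setting it explicitly in the other arm removes the doubt, for example `else { err = 0; if (sig->version >= 4) log_bug ("file-is-digest doesn't work with v4 sigs\n"); }`. A short comment on why the subpacket construction and trailer hashing are skipped for a pre-computed digest would also help the next person rebasing this patch; the function body starts and ends outside the hunk.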
@@ -152,27 +169,27 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
 +          d = -1;
 +          for (fp = fname ; *fp; )
 +            {
-+      	     c = *fp++;
-+      	     if (c >= '0' && c <= '9')
++      	       c = *fp++;
++      	       if (c >= '0' && c <= '9')
 +      	         c -= '0';
-+      	     else if (c >= 'a' && c <= 'f')
++      	       else if (c >= 'a' && c <= 'f')
 +      	         c -= 'a' - 10;
-+      	     else if (c >= 'A' && c <= 'F')
++      	       else if (c >= 'A' && c <= 'F')
 +      	         c -= 'A' - 10;
-+      	     else
++      	       else
 +      	         log_bug("filename is not hex\n");
-+      	     if (d >= 0)
++      	       if (d >= 0)
 +                {
-+      	         *mdb++ = d << 4 | c;
-+      	         c = -1;
-+      	         if (--mdlen == 0)
++      	           *mdb++ = d << 4 | c;
++      	           c = -1;
++      	           if (--mdlen == 0)
 +                    {
-+      	             mdb = ts;
-+      	             if (*fp++ != '@')
-+      	               log_bug("missing time separator\n");
-+      	           }
-+      	       }
-+      	     d = c;
++      	               mdb = ts;
++      	               if (*fp++ != '@')
++      	                 log_bug("missing time separator\n");
++      	             }
++      	         }
++      	       d = c;
 +            }
 +          sigclass = ts[0];
 +          if (sigclass != 0x00 && sigclass != 0x01)
diff --git a/SOURCES/gnupg-2.2.21-coverity.patch b/SOURCES/gnupg-2.2.21-coverity.patch
index edd5e67..e35b0d3 100644
--- a/SOURCES/gnupg-2.2.21-coverity.patch
+++ b/SOURCES/gnupg-2.2.21-coverity.patch
@@ -40,108 +40,6 @@ Signed-off-by: Jakub Jelen <jjelen@redhat.com>
  agent/protect.c      |  5 ++++-
  6 files changed, 27 insertions(+), 8 deletions(-)
 
-diff --git a/agent/command.c b/agent/command.c
-index 93cd281e7..b9a1ed038 100644
---- a/agent/command.c
-+++ b/agent/command.c
-@@ -1021,7 +1021,7 @@ cmd_genkey (assuan_context_t ctx, char *line)
-   if (!rc)
-     rc = assuan_inquire (ctx, "KEYPARAM", &value, &valuelen, MAXLEN_KEYPARAM);
-   if (rc)
--    return rc;
-+    goto leave;
- 
-   init_membuf (&outbuf, 512);
- 
-diff --git a/agent/cvt-openpgp.c b/agent/cvt-openpgp.c
-index 3da553f95..53c88154b 100644
---- a/agent/cvt-openpgp.c
-+++ b/agent/cvt-openpgp.c
-@@ -964,7 +964,10 @@ convert_from_openpgp_main (ctrl_t ctrl, gcry_sexp_t s_pgp, int dontcare_exist,
- 
-       pi = xtrycalloc_secure (1, sizeof (*pi) + MAX_PASSPHRASE_LEN + 1);
-       if (!pi)
--        return gpg_error_from_syserror ();
-+        {
-+          err = gpg_error_from_syserror ();
-+          goto leave;
-+        }
-       pi->max_length = MAX_PASSPHRASE_LEN + 1;
-       pi->min_digits = 0;  /* We want a real passphrase.  */
-       pi->max_digits = 16;
-diff --git a/agent/genkey.c b/agent/genkey.c
-index 9b47f0fac..c7cfc6910 100644
---- a/agent/genkey.c
-+++ b/agent/genkey.c
-@@ -363,7 +363,7 @@ agent_ask_new_passphrase (ctrl_t ctrl, const char *prompt,
-   if (!pi2)
-     {
-       err = gpg_error_from_syserror ();
--      xfree (pi2);
-+      xfree (pi);
-       return err;
-     }
-   pi->max_length = MAX_PASSPHRASE_LEN + 1;
-@@ -465,7 +465,10 @@ agent_genkey (ctrl_t ctrl, const char *cache_nonce, time_t timestamp,
-                                         "protect your new key"),
-                                      &passphrase_buffer);
-       if (rc)
--        return rc;
-+        {
-+          gcry_sexp_release (s_keyparam);
-+          return rc;
-+        }
-       passphrase = passphrase_buffer;
-     }
- 
-diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
-index 1285db995..8f504191b 100644
---- a/agent/gpg-agent.c
-+++ b/agent/gpg-agent.c
-@@ -3214,11 +3214,17 @@ check_own_socket (void)
- 
-   sockname = make_filename_try (gnupg_socketdir (), GPG_AGENT_SOCK_NAME, NULL);
-   if (!sockname)
--    return; /* Out of memory.  */
-+    {
-+      xfree (sockname);
-+      return; /* Out of memory.  */
-+    }
- 
-   err = npth_attr_init (&tattr);
-   if (err)
--    return;
-+    {
-+      xfree (sockname);
-+      return;
-+    }
-   npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED);
-   err = npth_create (&thread, &tattr, check_own_socket_thread, sockname);
-   if (err)
-diff --git a/agent/protect-tool.c b/agent/protect-tool.c
-index 1fcbd119f..bb17033a8 100644
---- a/agent/protect-tool.c
-+++ b/agent/protect-tool.c
-@@ -319,6 +319,7 @@ read_key (const char *fname)
-   if (buflen >= 4 && !memcmp (buf, "Key:", 4))
-     {
-       log_error ("Extended key format is not supported by this tool\n");
-+      xfree (buf);
-       return NULL;
-     }
-   key = make_canonical (fname, buf, buflen);
-@@ -793,7 +794,10 @@ agent_askpin (ctrl_t ctrl,
-   passphrase = get_passphrase (0);
-   size = strlen (passphrase);
-   if (size >= pininfo->max_length)
--    return gpg_error (GPG_ERR_TOO_LARGE);
-+    {
-+      xfree (passphrase);
-+      return gpg_error (GPG_ERR_TOO_LARGE);
-+    }
- 
-   memcpy (&pininfo->pin, passphrase, size);
-   xfree (passphrase);
 diff --git a/agent/protect.c b/agent/protect.c
 index 76ead444b..50b10eb26 100644
 --- a/agent/protect.c
@@ -162,109 +60,6 @@ index 76ead444b..50b10eb26 100644
 2.30.2
 
 
-From 93dc0474ea35c0f8f93e0c5eee14cf0157b0d896 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Wed, 7 Apr 2021 18:54:02 +0200
-Subject: [PATCH GnuPG 02/19] dirmgr: clean up memory on error code paths
-
-* dirmgr/crlcache.c (finish_sig_check): goto leave instead of return
-* dirmgr/http.c (send_request): free authstr and proxy_authstr
-* dirmgr/ldap.c (start_cert_fetch_ldap): free proxy
-* dirmgr/ocsp.c (check_signature): release s_hash
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- dirmngr/crlcache.c | 9 ++++++---
- dirmngr/http.c     | 6 +++++-
- dirmngr/ldap.c     | 6 ++++--
- dirmngr/ocsp.c     | 1 +
- 4 files changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
-index 9d18b721f..d508e173f 100644
---- a/dirmngr/crlcache.c
-+++ b/dirmngr/crlcache.c
-@@ -1725,7 +1725,8 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
-         {
-           log_error ("hash algo mismatch: %d announced but %d used\n",
-                      algo, hashalgo);
--          return gpg_error (GPG_ERR_INV_CRL);
-+          err = gpg_error (GPG_ERR_INV_CRL);
-+          goto leave;
-         }
-       /* Add some restrictions; see ../sm/certcheck.c for details.  */
-       switch (algo)
-@@ -1741,14 +1742,16 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
-         default:
-           log_error ("PSS hash algorithm '%s' rejected\n",
-                      gcry_md_algo_name (algo));
--          return gpg_error (GPG_ERR_DIGEST_ALGO);
-+          err = gpg_error (GPG_ERR_DIGEST_ALGO);
-+          goto leave;
-         }
- 
-       if (gcry_md_get_algo_dlen (algo) != saltlen)
-         {
-           log_error ("PSS hash algorithm '%s' rejected due to salt length %u\n",
-                      gcry_md_algo_name (algo), saltlen);
--          return gpg_error (GPG_ERR_DIGEST_ALGO);
-+          err = gpg_error (GPG_ERR_DIGEST_ALGO);
-+          goto leave;
-         }
-     }
- 
-diff --git a/dirmngr/http.c b/dirmngr/http.c
-index f7f65303b..74ce5f465 100644
---- a/dirmngr/http.c
-+++ b/dirmngr/http.c
-@@ -2208,7 +2208,11 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
- 
-   p = build_rel_path (hd->uri);
-   if (!p)
--    return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
-+    {
-+      xfree (authstr);
-+      xfree (proxy_authstr);
-+      return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
-+    }
- 
-   if (http_proxy && *http_proxy)
-     {
-diff --git a/dirmngr/ldap.c b/dirmngr/ldap.c
-index ffe54bade..96abc89d0 100644
---- a/dirmngr/ldap.c
-+++ b/dirmngr/ldap.c
-@@ -563,8 +563,10 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context,
-       use_ldaps = server->use_ldaps;
-     }
-   else /* Use a default server. */
--    return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
--
-+    {
-+      xfree (proxy);
-+      return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
-+    }
- 
-   if (!base)
-     base = "";
-diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
-index 6ed180955..6864f9854 100644
---- a/dirmngr/ocsp.c
-+++ b/dirmngr/ocsp.c
-@@ -534,6 +534,7 @@ check_signature (ctrl_t ctrl,
-       err = ksba_ocsp_get_responder_id (ocsp, &name, &keyid);
-       if (err)
-         {
-+          gcry_sexp_release (s_hash);
-           log_error (_("error getting responder ID: %s\n"),
-                      gcry_strerror (err));
-           return err;
--- 
-2.30.2
-
-
 From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 9 Apr 2021 16:13:07 +0200
@@ -316,211 +111,6 @@ index 36f096f06..c7df8380d 100644
  
  	tty_printf ("\n");
  	tty_printf ("1 - change PIN\n"
-@@ -140,7 +140,10 @@ change_pin (int unblock_v2, int allow_admin)
- 	answer = cpr_get("cardutil.change_pin.menu",_("Your selection? "));
- 	cpr_kill_prompt();
- 	if (strlen (answer) != 1)
--	  continue;
-+          {
-+            xfree (answer);
-+            continue;
-+          }
- 
- 	if (*answer == '1')
- 	  {
-@@ -185,8 +188,10 @@ change_pin (int unblock_v2, int allow_admin)
- 	  }
- 	else if (*answer == 'q' || *answer == 'Q')
- 	  {
-+            xfree (answer);
- 	    break;
- 	  }
-+        xfree (answer);
-       }
- 
-   agent_release_card_info (&info);
-@@ -1450,7 +1455,10 @@ ask_card_keyattr (int keyno, const struct key_attr *current)
-       algo = *answer? atoi (answer) : 0;
- 
-       if (!*answer || algo == 1 || algo == 2)
--        break;
-+        {
-+          xfree (answer);
-+          break;
-+        }
-       else
-         tty_printf (_("Invalid selection.\n"));
-     }
-diff --git a/g10/cpr.c b/g10/cpr.c
-index 5a39913c5..002656b82 100644
---- a/g10/cpr.c
-+++ b/g10/cpr.c
-@@ -527,7 +527,11 @@ do_get_from_fd ( const char *keyword, int hidden, int getbool )
-   write_status (STATUS_GOT_IT);
- 
-   if (getbool)	 /* Fixme: is this correct??? */
--    return (string[0] == 'Y' || string[0] == 'y') ? "" : NULL;
-+    {
-+      char *rv = (string[0] == 'Y' || string[0] == 'y') ? "" : NULL;
-+      xfree (string);
-+      return rv;
-+    }
- 
-   return string;
- }
-diff --git a/g10/gpg.c b/g10/gpg.c
-index f5623be76..186845cea 100644
---- a/g10/gpg.c
-+++ b/g10/gpg.c
-@@ -1601,6 +1601,7 @@ check_permissions (const char *path, int item)
-   if (gnupg_stat (dir,&dirbuf) || !S_ISDIR (dirbuf.st_mode))
-     {
-       /* Weird error */
-+      xfree(dir);
-       ret=1;
-       goto end;
-     }
-diff --git a/g10/import.c b/g10/import.c
-index 821ddf0d4..951c33d81 100644
---- a/g10/import.c
-+++ b/g10/import.c
-@@ -4524,7 +4524,10 @@ append_new_uid (unsigned int options,
-           err = insert_key_origin_uid (n->pkt->pkt.user_id,
-                                        curtime, origin, url);
-           if (err)
--            return err;
-+            {
-+              release_kbnode (n);
-+              return err;
-+            }
-         }
- 
-       if (n_where)
-diff --git a/g10/keyedit.c b/g10/keyedit.c
-index 531d3e128..902741b5f 100644
---- a/g10/keyedit.c
-+++ b/g10/keyedit.c
-@@ -5307,7 +5307,10 @@ menu_set_keyserver_url (ctrl_t ctrl, const char *url, kbnode_t pub_keyblock)
-     }
- 
-   if (ascii_strcasecmp (answer, "none") == 0)
--    uri = NULL;
-+    {
-+      xfree (answer);
-+      uri = NULL;
-+    }
-   else
-     {
-       struct keyserver_spec *keyserver = NULL;
-@@ -5379,12 +5382,14 @@ menu_set_keyserver_url (ctrl_t ctrl, const char *url, kbnode_t pub_keyblock)
-                            uri
-                            ? _("Are you sure you want to replace it? (y/N) ")
-                            : _("Are you sure you want to delete it? (y/N) ")))
-+	                xfree (user);
- 			continue;
- 		    }
- 		  else if (uri == NULL)
- 		    {
- 		      /* There is no current keyserver URL, so there
- 		         is no point in trying to un-set it. */
-+	              xfree (user);
- 		      continue;
- 		    }
- 
-@@ -5397,6 +5402,7 @@ menu_set_keyserver_url (ctrl_t ctrl, const char *url, kbnode_t pub_keyblock)
- 		      log_error ("update_keysig_packet failed: %s\n",
- 				 gpg_strerror (rc));
- 		      xfree (uri);
-+	              xfree (user);
- 		      return 0;
- 		    }
- 		  /* replace the packet */
-diff --git a/g10/keygen.c b/g10/keygen.c
-index 5d85c05d4..f1e4d3638 100644
---- a/g10/keygen.c
-+++ b/g10/keygen.c
-@@ -237,12 +237,13 @@ print_status_key_not_created (const char *handle)
- static gpg_error_t
- write_uid (kbnode_t root, const char *s)
- {
--  PACKET *pkt = xmalloc_clear (sizeof *pkt);
-+  PACKET *pkt = NULL;
-   size_t n = strlen (s);
- 
-   if (n > MAX_UID_PACKET_LENGTH - 10)
-     return gpg_error (GPG_ERR_INV_USER_ID);
- 
-+  pkt = xmalloc_clear (sizeof *pkt);
-   pkt->pkttype = PKT_USER_ID;
-   pkt->pkt.user_id = xmalloc_clear (sizeof *pkt->pkt.user_id + n);
-   pkt->pkt.user_id->len = n;
-@@ -2860,7 +2861,10 @@ ask_expire_interval(int object,const char *def_expire)
- 	    xfree(prompt);
- 
- 	    if(*answer=='\0')
--	      answer=xstrdup(def_expire);
-+              {
-+                xfree (answer);
-+	        answer = xstrdup (def_expire);
-+              }
- 	  }
- 	cpr_kill_prompt();
- 	trim_spaces(answer);
-@@ -5238,12 +5242,15 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
-   epoch2isotime (timestamp, (time_t)sk->timestamp);
-   err = hexkeygrip_from_pk (sk, &hexgrip);
-   if (err)
--    return err;
-+    goto leave;
- 
-   memset(&info, 0, sizeof (info));
-   rc = agent_scd_getattr ("SERIALNO", &info);
-   if (rc)
--    return (gpg_error_t)rc;
-+    {
-+      err = (gpg_error_t)rc;
-+      goto leave;
-+    }
- 
-   rc = agent_keytocard (hexgrip, 2, 1, info.serialno, timestamp);
-   xfree (info.serialno);
-diff --git a/g10/keyserver.c b/g10/keyserver.c
-index c56021691..a20ebf24e 100644
---- a/g10/keyserver.c
-+++ b/g10/keyserver.c
-@@ -284,7 +284,7 @@ parse_keyserver_uri (const char *string,int require_scheme)
-   if(*idx=='\0' || *idx=='[')
-     {
-       if(require_scheme)
--	return NULL;
-+	goto fail;
- 
-       /* Assume HKP if there is no scheme */
-       assume_hkp=1;
-diff --git a/g10/revoke.c b/g10/revoke.c
-index c0a003b6f..d6cbf93cb 100644
---- a/g10/revoke.c
-+++ b/g10/revoke.c
-@@ -435,6 +435,7 @@ gen_desig_revoke (ctrl_t ctrl, const char *uname, strlist_t locusr)
- 	iobuf_close(out);
-     release_revocation_reason_info( reason );
-     release_armor_context (afx);
-+    keydb_release (kdbhd);
-     return rc;
- }
- 
-@@ -804,7 +805,10 @@ ask_revocation_reason( int key_rev, int cert_rev, int hint )
- 	    trim_spaces( answer );
- 	    cpr_kill_prompt();
- 	    if( *answer == 'q' || *answer == 'Q')
--	      return NULL; /* cancel */
-+              {
-+                xfree (answer);
-+                return NULL; /* cancel */
-+              }
- 	    if( hint && !*answer )
- 		n = hint;
- 	    else if(!digitp( answer ) )
 diff --git a/g10/tofu.c b/g10/tofu.c
 index f49083844..83786a08d 100644
 --- a/g10/tofu.c
@@ -534,153 +124,9 @@ index f49083844..83786a08d 100644
            rc = gpg_error (GPG_ERR_GENERAL);
            break;
          }
-@@ -1972,6 +1974,7 @@ ask_about_binding (ctrl_t ctrl,
-       else if (!response[0])
-         /* Default to unknown.  Don't save it.  */
-         {
-+          xfree (response);
-           tty_printf (_("Defaulting to unknown.\n"));
-           *policy = TOFU_POLICY_UNKNOWN;
-           break;
-@@ -1983,6 +1986,7 @@ ask_about_binding (ctrl_t ctrl,
-           if (choice)
-             {
-               int c = ((size_t) choice - (size_t) choices) / 2;
-+              xfree (response);
- 
-               switch (c)
-                 {
-diff --git a/g10/trustdb.c b/g10/trustdb.c
-index 43bce0769..9ef4644bf 100644
---- a/g10/trustdb.c
-+++ b/g10/trustdb.c
-@@ -1430,6 +1430,7 @@ ask_ownertrust (ctrl_t ctrl, u32 *kid, int minimum)
-     {
-       log_error (_("public key %s not found: %s\n"),
-                  keystr(kid), gpg_strerror (rc) );
-+      free_public_key (pk);
-       return TRUST_UNKNOWN;
-     }
- 
 -- 
 2.30.2
 
-
-From 0dabf0cffb1d67812c50a4f727398b59f93270a6 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 12 Apr 2021 14:05:17 +0200
-Subject: [PATCH GnuPG 04/19] sm: Avoid memory leaks and double double-free
-
-* sm/certcheck.c (extract_pss_params): Avoid double free
-* sm/decrypt.c (gpgsm_decrypt): goto leave instead of return
-* sm/encrypt.c (encrypt_dek): release s_pkey
-* sm/server.c (cmd_export): free list
-  (do_listkeys): free lists
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- sm/certcheck.c |  1 -
- sm/decrypt.c   |  5 ++++-
- sm/encrypt.c   |  1 +
- sm/server.c    | 24 +++++++++++++++++++-----
- 4 files changed, 24 insertions(+), 7 deletions(-)
-
-diff --git a/sm/certcheck.c b/sm/certcheck.c
-index fca45759b..f4db858c3 100644
---- a/sm/certcheck.c
-+++ b/sm/certcheck.c
-@@ -294,7 +294,6 @@ extract_pss_params (gcry_sexp_t s_sig, int *r_algo, unsigned int *r_saltlen)
-   if (*r_saltlen < 20)
-     {
-       log_error ("length of PSS salt too short\n");
--      gcry_sexp_release (s_sig);
-       return gpg_error (GPG_ERR_DIGEST_ALGO);
-     }
-   if (!*r_algo)
-diff --git a/sm/decrypt.c b/sm/decrypt.c
-index aa91b370d..f7f91c466 100644
---- a/sm/decrypt.c
-+++ b/sm/decrypt.c
-@@ -755,7 +755,10 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
-           dfparm.mode = mode;
-           dfparm.blklen = gcry_cipher_get_algo_blklen (algo);
-           if (dfparm.blklen > sizeof (dfparm.helpblock))
--            return gpg_error (GPG_ERR_BUG);
-+            {
-+              rc = gpg_error (GPG_ERR_BUG);
-+              goto leave;
-+            }
- 
-           rc = ksba_cms_get_content_enc_iv (cms,
-                                             dfparm.iv,
-diff --git a/sm/encrypt.c b/sm/encrypt.c
-index 92ca341f5..ba2428e9a 100644
---- a/sm/encrypt.c
-+++ b/sm/encrypt.c
-@@ -473,6 +473,7 @@ encrypt_dek (const DEK dek, ksba_cert_t cert, int pk_algo,
-       rc = encode_session_key (dek, &s_data);
-       if (rc)
-         {
-+          gcry_sexp_release (s_pkey);
-           log_error ("encode_session_key failed: %s\n", gpg_strerror (rc));
-           return rc;
-         }
-diff --git a/sm/server.c b/sm/server.c
-index 874f0db89..871cc4b31 100644
---- a/sm/server.c
-+++ b/sm/server.c
-@@ -724,8 +724,13 @@ cmd_export (assuan_context_t ctx, char *line)
- 
-   if (opt_secret)
-     {
--      if (!list || !*list->d)
-+      if (!list)
-         return set_error (GPG_ERR_NO_DATA, "No key given");
-+      if (!*list->d)
-+        {
-+          free_strlist (list);
-+          return set_error (GPG_ERR_NO_DATA, "No key given");
-+        }
-       if (list->next)
-         return set_error (GPG_ERR_TOO_MANY, "Only one key allowed");
-   }
-@@ -1014,17 +1019,26 @@ do_listkeys (assuan_context_t ctx, char *line, int mode)
-       int outfd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);
- 
-       if ( outfd == -1 )
--        return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);
-+        {
-+          free_strlist (list);
-+          return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);
-+        }
-       fp = es_fdopen_nc (outfd, "w");
-       if (!fp)
--        return set_error (gpg_err_code_from_syserror (), "es_fdopen() failed");
-+        {
-+          free_strlist (list);
-+          return set_error (gpg_err_code_from_syserror (), "es_fdopen() failed");
-+        }
-     }
-   else
-     {
-       fp = es_fopencookie (ctx, "w", data_line_cookie_functions);
-       if (!fp)
--        return set_error (GPG_ERR_ASS_GENERAL,
--                          "error setting up a data stream");
-+        {
-+          free_strlist (list);
-+          return set_error (GPG_ERR_ASS_GENERAL,
-+                            "error setting up a data stream");
-+        }
-     }
- 
-   ctrl->with_colons = 1;
--- 
-2.30.2
-
-
 From febbe77870b51e4e1158ae9efeaa0f3aad69a495 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Mon, 12 Apr 2021 14:48:59 +0200
@@ -711,531 +157,6 @@ index cc7bf8ef5..93458068c 100644
 2.30.2
 
 
-From 1cd048ba37786f46aabf3efdc3c245b75244dc26 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 12 Apr 2021 19:19:59 +0200
-Subject: [PATCH GnuPG 06/19] agent: Fix memory leaks
-
-* agent/call-daemon.c (daemon_start): free wctp
-* agent/call-scd.c (agent_card_pksign): return error instead of noop
-  (card_keyinfo_cb): free keyinfo
-* agent/protect.c (agent_get_shadow_info_type): allocate only as a last
-  action
-  (agent_is_tpm2_key): Free buf
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- agent/call-daemon.c |  2 ++
- agent/call-scd.c    |  4 +++-
- agent/protect.c     | 17 +++++++++--------
- 3 files changed, 14 insertions(+), 9 deletions(-)
-
-diff --git a/agent/call-daemon.c b/agent/call-daemon.c
-index 144400875..3bf6bb793 100644
---- a/agent/call-daemon.c
-+++ b/agent/call-daemon.c
-@@ -512,6 +512,8 @@ daemon_start (enum daemon_type type, ctrl_t ctrl)
-           log_error ("error spawning wait_child_thread: %s\n", strerror (err));
-         npth_attr_destroy (&tattr);
-       }
-+    else
-+      xfree (wctp);
-   }
- 
-  leave:
-diff --git a/agent/call-scd.c b/agent/call-scd.c
-index 3ede33c1d..f060541a3 100644
---- a/agent/call-scd.c
-+++ b/agent/call-scd.c
-@@ -487,7 +487,7 @@ agent_card_pksign (ctrl_t ctrl,
-   /* FIXME: In the mdalgo case (INDATA,INDATALEN) might be long and
-    * thus we can't convey it on a single Assuan line.  */
-   if (!mdalgo)
--    gpg_error (GPG_ERR_NOT_IMPLEMENTED);
-+    return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
- 
-   if (indatalen*2 + 50 > DIM(line))
-     return unlock_scd (ctrl, gpg_error (GPG_ERR_GENERAL));
-@@ -941,6 +941,7 @@ card_keyinfo_cb (void *opaque, const char *line)
-       if (!keyinfo)
-         {
-         alloc_error:
-+          xfree (keyinfo);
-           if (!parm->error)
-             parm->error = gpg_error_from_syserror ();
-           return 0;
-@@ -952,6 +953,7 @@ card_keyinfo_cb (void *opaque, const char *line)
-       if (n != 40)
-         {
-         parm_error:
-+          xfree (keyinfo);
-           if (!parm->error)
-             parm->error = gpg_error (GPG_ERR_ASS_PARAMETER);
-           return 0;
-diff --git a/agent/protect.c b/agent/protect.c
-index 50b10eb26..72169429d 100644
---- a/agent/protect.c
-+++ b/agent/protect.c
-@@ -1663,13 +1663,6 @@ agent_get_shadow_info_type (const unsigned char *shadowkey,
-   n = snext (&s);
-   if (!n)
-     return gpg_error (GPG_ERR_INV_SEXP);
--  if (shadow_type) {
--    char *buf = xtrymalloc(n+1);
--    memcpy(buf, s, n);
--    buf[n] = '\0';
--    *shadow_type = buf;
--  }
--
-   if (smatch (&s, n, "t1-v1") || smatch(&s, n, "tpm2-v1"))
-     {
-       if (*s != '(')
-@@ -1679,6 +1672,14 @@ agent_get_shadow_info_type (const unsigned char *shadowkey,
-     }
-   else
-     return gpg_error (GPG_ERR_UNSUPPORTED_PROTOCOL);
-+
-+  if (shadow_type) {
-+    char *buf = xtrymalloc(n+1);
-+    memcpy(buf, s, n);
-+    buf[n] = '\0';
-+    *shadow_type = buf;
-+  }
-+
-   return 0;
- }
- 
-@@ -1704,9 +1705,9 @@ agent_is_tpm2_key (gcry_sexp_t s_skey)
-     return 0;
- 
-   err = agent_get_shadow_info_type (buf, NULL, &type);
-+  xfree (buf);
-   if (err)
-     return 0;
--  xfree (buf);
- 
-   err = strcmp (type, "tpm2-v1") == 0;
-   xfree (type);
--- 
-2.30.2
-
-
-From 9d206e1dfabb965e97723dd799d0f7b3be04116d Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 12 Apr 2021 19:29:21 +0200
-Subject: [PATCH GnuPG 07/19] common: Avoid double-free
-
-* common/name-value.c (do_nvc_parse): reset to null after ownership
-  change
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- common/name-value.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/common/name-value.c b/common/name-value.c
-index 0bd205b7d..39c3244e9 100644
---- a/common/name-value.c
-+++ b/common/name-value.c
-@@ -724,6 +724,7 @@ do_nvc_parse (nvc_t *result, int *errlinep, estream_t stream,
-       if (raw_value)
- 	{
- 	  err = _nvc_add (*result, name, NULL, raw_value, 1);
-+          name = NULL;
- 	  if (err)
- 	    goto leave;
- 	}
--- 
-2.30.2
-
-
-From 33317744850d10a03ad4215a329a7d4bc3837234 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 12 Apr 2021 19:48:31 +0200
-Subject: [PATCH GnuPG 08/19] dirmgr: Avoid double free
-
-* dirmgr/http.c (http_prepare_redirect): Avoid double free
-* dirmgr/ocsp.c (check_signature): Initialize pointer
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- dirmngr/http.c | 2 --
- dirmngr/ocsp.c | 2 +-
- 2 files changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/dirmngr/http.c b/dirmngr/http.c
-index 74ce5f465..c662b1b95 100644
---- a/dirmngr/http.c
-+++ b/dirmngr/http.c
-@@ -3681,7 +3681,6 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
-       if (!newurl)
-         {
-           err = gpg_error_from_syserror ();
--          http_release_parsed_uri (locuri);
-           return err;
-         }
-     }
-@@ -3700,7 +3699,6 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
-       if (!newurl)
-         {
-           err = gpg_error_from_syserror ();
--          http_release_parsed_uri (locuri);
-           return err;
-         }
-     }
-diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
-index 6864f9854..6ec760d81 100644
---- a/dirmngr/ocsp.c
-+++ b/dirmngr/ocsp.c
-@@ -450,7 +450,7 @@ check_signature (ctrl_t ctrl,
- {
-   gpg_error_t err;
-   int algo, cert_idx;
--  gcry_sexp_t s_hash;
-+  gcry_sexp_t s_hash = NULL;
-   ksba_cert_t cert;
-   const char *s;
- 
--- 
-2.30.2
-
-
-From c87d40395b8f24426645cc491dca5cf910755395 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 12 Apr 2021 20:05:48 +0200
-Subject: [PATCH GnuPG 09/19] g10: Avoid memory leaks
-
-* g10/call-agent.c (card_keyinfo_cb): free keyinfo
-* g10/keyedit.c (menu_set_keyserver_url): properly enclose the block
-* g10/keygen.c (gen_card_key): free pk and pkt
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- g10/call-agent.c |  2 ++
- g10/keyedit.c    |  8 +++++---
- g10/keygen.c     | 12 ++++++++++--
- 3 files changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/g10/call-agent.c b/g10/call-agent.c
-index 83355454a..c9cbcd4e5 100644
---- a/g10/call-agent.c
-+++ b/g10/call-agent.c
-@@ -1729,6 +1729,7 @@ card_keyinfo_cb (void *opaque, const char *line)
-       if (!keyinfo)
-         {
-         alloc_error:
-+          xfree (keyinfo);
-           if (!parm->error)
-             parm->error = gpg_error_from_syserror ();
-           return 0;
-@@ -1740,6 +1741,7 @@ card_keyinfo_cb (void *opaque, const char *line)
-       if (n != 40)
-         {
-         parm_error:
-+          xfree (keyinfo);
-           if (!parm->error)
-             parm->error = gpg_error (GPG_ERR_ASS_PARAMETER);
-           return 0;
-diff --git a/g10/keyedit.c b/g10/keyedit.c
-index 902741b5f..91731a271 100644
---- a/g10/keyedit.c
-+++ b/g10/keyedit.c
-@@ -5382,14 +5382,16 @@ menu_set_keyserver_url (ctrl_t ctrl, const char *url, kbnode_t pub_keyblock)
-                            uri
-                            ? _("Are you sure you want to replace it? (y/N) ")
-                            : _("Are you sure you want to delete it? (y/N) ")))
--	                xfree (user);
--			continue;
-+		        {
-+			  xfree (user);
-+			  continue;
-+		        }
- 		    }
- 		  else if (uri == NULL)
- 		    {
- 		      /* There is no current keyserver URL, so there
- 		         is no point in trying to un-set it. */
--	              xfree (user);
-+		      xfree (user);
- 		      continue;
- 		    }
- 
-diff --git a/g10/keygen.c b/g10/keygen.c
-index f1e4d3638..82f6bb880 100644
---- a/g10/keygen.c
-+++ b/g10/keygen.c
-@@ -6140,12 +6140,20 @@ gen_card_key (int keyno, int algo, int is_primary, kbnode_t pub_root,
-      the self-signatures. */
-   err = agent_readkey (NULL, 1, keyid, &public);
-   if (err)
--    return err;
-+    {
-+      xfree (pkt);
-+      xfree (pk);
-+      return err;
-+    }
-   err = gcry_sexp_sscan (&s_key, NULL, public,
-                          gcry_sexp_canon_len (public, 0, NULL, NULL));
-   xfree (public);
-   if (err)
--    return err;
-+    {
-+      xfree (pkt);
-+      xfree (pk);
-+      return err;
-+    }
- 
-   if (algo == PUBKEY_ALGO_RSA)
-     err = key_from_sexp (pk->pkey, s_key, "public-key", "ne");
--- 
-2.30.2
-
-
-From bb6e1e13d9440816c60013a50d426b7ccd6c0288 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 12 Apr 2021 21:59:17 +0200
-Subject: [PATCH GnuPG 10/19] kbx: Avoid uninitialized read
-
-* kbx/kbx-client-util.c (datastream_thread): Initialize pointer
-* kbx/keybox-dump.c (_keybox_dump_cut_records): free blob
-* kbx/kbxserver.c (kbxd_start_command_handler): do not free passed ctrl
-* kbx/keyboxd.c (check_own_socket): free sockname
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- kbx/kbx-client-util.c | 2 +-
- kbx/kbxserver.c       | 1 -
- kbx/keybox-dump.c     | 4 +++-
- kbx/keyboxd.c         | 5 ++++-
- 4 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/kbx/kbx-client-util.c b/kbx/kbx-client-util.c
-index bd71cf2ba..07370319b 100644
---- a/kbx/kbx-client-util.c
-+++ b/kbx/kbx-client-util.c
-@@ -176,7 +176,7 @@ datastream_thread (void *arg)
-   int rc;
-   unsigned char lenbuf[4];
-   size_t nread, datalen;
--  char *data, *tmpdata;
-+  char *data = NULL, *tmpdata;
- 
-   /* log_debug ("%s: started\n", __func__); */
-   while (kcd->fp)
-diff --git a/kbx/kbxserver.c b/kbx/kbxserver.c
-index 55b478586..0b76cde31 100644
---- a/kbx/kbxserver.c
-+++ b/kbx/kbxserver.c
-@@ -844,7 +844,6 @@ kbxd_start_command_handler (ctrl_t ctrl, gnupg_fd_t fd, unsigned int session_id)
-     {
-       log_error (_("can't allocate control structure: %s\n"),
-                  gpg_strerror (gpg_error_from_syserror ()));
--      xfree (ctrl);
-       return;
-     }
-   ctrl->server_local->client_pid = ASSUAN_INVALID_PID;
-diff --git a/kbx/keybox-dump.c b/kbx/keybox-dump.c
-index 3e66b72a1..38608ceaa 100644
---- a/kbx/keybox-dump.c
-+++ b/kbx/keybox-dump.c
-@@ -881,7 +881,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from,
-                           unsigned long to, FILE *outfp)
- {
-   estream_t fp;
--  KEYBOXBLOB blob;
-+  KEYBOXBLOB blob = NULL;
-   int rc;
-   unsigned long recno = 0;
- 
-@@ -902,6 +902,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from,
-             }
-         }
-       _keybox_release_blob (blob);
-+      blob = NULL;
-       recno++;
-     }
-   if (rc == -1)
-@@ -909,6 +910,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from,
-   if (rc)
-     fprintf (stderr, "error reading '%s': %s\n", filename, gpg_strerror (rc));
-  leave:
-+  _keybox_release_blob (blob);
-   if (fp != es_stdin)
-     es_fclose (fp);
-   return rc;
-diff --git a/kbx/keyboxd.c b/kbx/keyboxd.c
-index 76a0694a4..3f759e6f7 100644
---- a/kbx/keyboxd.c
-+++ b/kbx/keyboxd.c
-@@ -1795,7 +1795,10 @@ check_own_socket (void)
- 
-   err = npth_attr_init (&tattr);
-   if (err)
--    return;
-+    {
-+      xfree (sockname);
-+      return;
-+    }
-   npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED);
-   err = npth_create (&thread, &tattr, check_own_socket_thread, sockname);
-   if (err)
--- 
-2.30.2
-
-
-From 7f54495586491b18b5e1088ecf5538c0343f90e7 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 13 Apr 2021 14:02:18 +0200
-Subject: [PATCH GnuPG 11/19] scd: avoid memory leaks
-
-* scd/app-p15.c (send_certinfo): free labelbuf
-  (do_sign): goto leave instead of return
-* scd/app-piv.c (do_sign): goto leave instead of return, fix typo in
-  variable name, avoid using uninitialized variables
-* scd/command.c (cmd_genkey): goto leave instead of return
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- scd/app-p15.c |  5 +++--
- scd/app-piv.c |  6 +++---
- scd/command.c | 10 ++++++++--
- 3 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/scd/app-p15.c b/scd/app-p15.c
-index 90f6b4c99..9eeeed960 100644
---- a/scd/app-p15.c
-+++ b/scd/app-p15.c
-@@ -3851,6 +3851,7 @@ send_certinfo (app_t app, ctrl_t ctrl, const char *certtype,
-                         labelbuf, strlen (labelbuf),
-                         NULL, (size_t)0);
-       xfree (buf);
-+      xfree (labelbuf);
-     }
-   return 0;
- }
-@@ -5461,7 +5462,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
-   if (err)
-     {
-       log_error ("p15: MSE failed: %s\n", gpg_strerror (err));
--      return err;
-+      goto leave;
-     }
- 
-   /* Now that we have all the information available run the actual PIN
-@@ -5500,7 +5501,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
-   if (err)
-     {
-       log_error ("p15: MSE failed: %s\n", gpg_strerror (err));
--      return err;
-+      goto leave;
-     }
- 
-   if (prkdf->keyalgo == GCRY_PK_RSA && prkdf->keynbits > 2048)
-diff --git a/scd/app-piv.c b/scd/app-piv.c
-index ead1b1974..143cc047a 100644
---- a/scd/app-piv.c
-+++ b/scd/app-piv.c
-@@ -2175,7 +2175,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
-   unsigned char oidbuf[64];
-   size_t oidbuflen;
-   unsigned char *outdata = NULL;
--  size_t outdatalen;
-+  size_t outdatalen = 0;
-   const unsigned char *s;
-   size_t n;
-   int keyref, mechanism;
-@@ -2357,7 +2357,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
-   /* Now verify the Application PIN.  */
-   err = verify_chv (app, ctrl, 0x80, force_verify, pincb, pincb_arg);
-   if (err)
--    return err;
-+    goto leave;
- 
-   /* Build the Dynamic Authentication Template.  */
-   err = concat_tlv_list (0, &apdudata, &apdudatalen,
-@@ -2403,7 +2403,7 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
-             goto bad_der;
-           log_assert (n >= (rval-s)+rlen);
-           sval = find_tlv (rval+rlen, n-((rval-s)+rlen), 0x02, &slen);
--          if (!rval)
-+          if (!sval)
-             goto bad_der;
-           rlenx = slenx = 0;
-           if (rlen > slen)
-diff --git a/scd/command.c b/scd/command.c
-index 11d61648b..cb0dd379a 100644
---- a/scd/command.c
-+++ b/scd/command.c
-@@ -1438,7 +1438,10 @@ cmd_genkey (assuan_context_t ctx, char *line)
- 
-   line = skip_options (line);
-   if (!*line)
--    return set_error (GPG_ERR_ASS_PARAMETER, "no key number given");
-+    {
-+      err = set_error (GPG_ERR_ASS_PARAMETER, "no key number given");
-+      goto leave;
-+    }
-   keyref = line;
-   while (*line && !spacep (line))
-     line++;
-@@ -1448,7 +1451,10 @@ cmd_genkey (assuan_context_t ctx, char *line)
-     goto leave;
- 
-   if (!ctrl->card_ctx)
--    return gpg_error (GPG_ERR_UNSUPPORTED_OPERATION);
-+    {
-+      err = gpg_error (GPG_ERR_UNSUPPORTED_OPERATION);
-+      goto leave;
-+    }
- 
-   keyref = keyref_buffer = xtrystrdup (keyref);
-   if (!keyref)
--- 
-2.30.2
-
-
-From 3b2d9059b95ddb95a9e9fbaceb2f17c8be31d229 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 13 Apr 2021 14:50:13 +0200
-Subject: [PATCH GnuPG 12/19] tools: Intialize pointer to avoid double free
-
-* tools/gpg-card.c (cmd_salut): Initialize data pointer
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- tools/gpg-card.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/gpg-card.c b/tools/gpg-card.c
-index 1889fb45c..e84d2fbb0 100644
---- a/tools/gpg-card.c
-+++ b/tools/gpg-card.c
-@@ -1785,6 +1785,7 @@ cmd_salut (card_info_t info, const char *argstr)
-         {
-           tty_printf (_("Error: invalid response.\n"));
-           xfree (data);
-+          data = NULL;
-           goto again;
-         }
-     }
--- 
-2.30.2
-
-
 From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 13 Apr 2021 16:23:31 +0200
@@ -1397,37 +318,6 @@ index cb0dd379a..9d85c5a41 100644
 2.30.2
 
 
-From f45f023495cb9947b2c31b5782a4063ad317c34c Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Wed, 14 Apr 2021 18:46:48 +0200
-Subject: [PATCH GnuPG 18/19] common: Mark identical branches as intential
-
-* common/tlv-builder.c (get_tlv_length): Mark identical branches as
-  inentional for coverity
-
---
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
----
- common/tlv-builder.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/common/tlv-builder.c b/common/tlv-builder.c
-index 3b644ca24..59e2691e0 100644
---- a/common/tlv-builder.c
-+++ b/common/tlv-builder.c
-@@ -350,6 +350,7 @@ get_tlv_length (int class, int tag, int constructed, size_t length)
- 
-   (void)constructed;  /* Not used, but passed for uniformity of such calls.  */
- 
-+  /* coverity[identical_branches] */
-   if (tag < 0x1f)
-     {
-       buflen++;
--- 
-2.30.2
-
-
 From a94b0deab7c2ece2e512f87a52142454354d77b5 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Wed, 14 Apr 2021 18:49:03 +0200
diff --git a/SOURCES/gnupg-2.3.1.tar.bz2.sig b/SOURCES/gnupg-2.3.1.tar.bz2.sig
deleted file mode 100644
index 300a3fc..0000000
Binary files a/SOURCES/gnupg-2.3.1.tar.bz2.sig and /dev/null differ
diff --git a/SOURCES/gnupg-2.3.3.tar.bz2.sig b/SOURCES/gnupg-2.3.3.tar.bz2.sig
new file mode 100644
index 0000000..ddd8744
Binary files /dev/null and b/SOURCES/gnupg-2.3.3.tar.bz2.sig differ
diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec
index 4ad1985..605af1d 100644
--- a/SPECS/gnupg2.spec
+++ b/SPECS/gnupg2.spec
@@ -6,8 +6,8 @@
 
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
-Version: 2.3.1
-Release: 3%{?dist}
+Version: 2.3.3
+Release: 1%{?dist}
 
 License: GPLv3+
 Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
@@ -17,8 +17,6 @@ Patch3:  gnupg-2.1.10-secmem.patch
 # non-upstreamable patch adding file-is-digest option needed for Copr
 # https://dev.gnupg.org/T1646
 Patch4:  gnupg-2.2.20-file-is-digest.patch
-# fix handling of missing key usage on ocsp replies - upstream T1333
-Patch5:  gnupg-2.2.16-ocsp-keyusage.patch
 Patch6:  gnupg-2.1.1-fips-algo.patch
 # allow 8192 bit RSA keys in keygen UI with large RSA
 Patch9:  gnupg-2.2.23-large-rsa.patch
@@ -63,6 +61,9 @@ Suggests: pinentry
 
 Suggests: gnupg2-smime
 
+# for USB smart card support
+Suggests: pcsc-lite-ccid
+
 %if %{with unversioned_gpg}
 # pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex
 Provides: gpg = %{version}-%{release}
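Review bot: The new comment `# for USB smart card support` does not record that this hint is tied to the `--disable-ccid-driver` switch added in the `%build` hunk further down. A comment such as `# scdaemon is built with --disable-ccid-driver, so USB readers are reached through pcscd and its CCID driver` would keep the two lines from drifting apart. `Suggests:` is the weakest dependency form and is normally not installed automatically, so a system that relied on the built-in driver may find its token or smart card unreachable after the update until the package is installed by hand (whether the previous build actually enabled the internal driver is not visible here). If card-backed keys are expected to keep working across the update, `Recommends: pcsc-lite-ccid` would be the safer choice.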
@@ -103,7 +104,6 @@ to the base GnuPG package
 
 %patch3 -p1 -b .secmem
 %patch4 -p1 -b .file-is-digest
-%patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
 %patch9 -p1 -b .large-rsa
 
@@ -131,6 +131,7 @@ sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c
 %endif
   --disable-rpath \
   --enable-g13 \
+  --disable-ccid-driver \
   --enable-large-secmem
 
 # need scratch gpg database for tests
@@ -225,6 +226,12 @@ make -k check
 
 
 %changelog
+* Fri Nov 19 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-1
+- Rebase to 2.3.1 to address random tests failures (#1984842)
+
+* Thu Nov 18 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-4
+- Fix --file-is-digest patch (#2024710)
+
 * Wed Sep 08 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-3
 - Revernt default key type back to RSA for FIPS compatibility (#2001937)