From 0d9dd8008092ace3c47044feb367da0505e11bdb Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Tue, 3 Feb 2026 16:53:56 +0000
Subject: [PATCH] Patch gnupg2 for CVE-2026-24882
---
 SPECS/gnupg2/CVE-2026-24882.patch | 64 +++++++++++++++++++
 SPECS/gnupg2/gnupg2.spec | 6 +-
 .../manifests/package/pkggen_core_aarch64.txt | 4 +-
 .../manifests/package/pkggen_core_x86_64.txt | 4 +-
 .../manifests/package/toolchain_aarch64.txt | 6 +-
 .../manifests/package/toolchain_x86_64.txt | 6 +-
 6 files changed, 79 insertions(+), 11 deletions(-)
 create mode 100644 SPECS/gnupg2/CVE-2026-24882.patch
diff --git a/SPECS/gnupg2/CVE-2026-24882.patch b/SPECS/gnupg2/CVE-2026-24882.patch
new file mode 100644
index 00000000000..45e8d46f7c6
--- /dev/null
+++ b/SPECS/gnupg2/CVE-2026-24882.patch
@@ -0,0 +1,64 @@
+From 533e8ed19223d13208cf7ebbc0d93a70414396fa Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Mon, 26 Jan 2026 11:13:44 +0100
+Subject: [PATCH] tpm: Fix possible buffer overflow in PKDECRYPT
+
+* tpm2d/tpm2.c (tpm2_ecc_decrypt): Bail out on too long CIPHERTEXT.
+(tpm2_rsa_decrypt): Ditto.
+--
+
+GnuPG-bug-id: 8045
+Co-authored-by: NIIBE Yutaka
+Reported-by: OpenAI Security Research
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/gpg/gnupg/commit/93fa34d9a346.patch
+---
+ tpm2d/tpm2.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
+index 3e908dd..cd0347c 100644
+--- a/tpm2d/tpm2.c
++++ b/tpm2d/tpm2.c
+@@ -917,10 +917,20 @@ tpm2_ecc_decrypt (ctrl_t ctrl, TSS_CONTEXT *tssc, TPM_HANDLE key,
+ size_t len;
+ int ret;
+
++#if defined(TPM2_MAX_ECC_KEY_BYTES) /* Intel stack */
++ if (ciphertext_len > 2*TPM2_MAX_ECC_KEY_BYTES + 1)
++ return GPG_ERR_TOO_LARGE;
++#elif defined(MAX_ECC_KEY_BYTES) /* IBM stack */
++ if (ciphertext_len > 2*MAX_ECC_KEY_BYTES + 1)
++ return GPG_ERR_TOO_LARGE;
++#else
++# error TMP2 header are not correctly installed
++#endif
++
+ /* This isn't really a decryption per se. The ciphertext actually
+ * contains an EC Point which we must multiply by the private key number.
+ *
+- * The reason is to generate a diffe helman agreement on a shared
++ * The reason is to generate a diffie-hellman agreement on a shared
+ * point. This shared point is then used to generate the per
+ * session encryption key.
+ */
+@@ -976,6 +986,16 @@ tpm2_rsa_decrypt (ctrl_t ctrl, TSS_CONTEXT *tssc, TPM_HANDLE key,
+ TPM_HANDLE ah;
+ char *auth;
+
++#if defined(TPM2_MAX_RSA_KEY_BYTES) /* Intel stack */
++ if (ciphertext_len > TPM2_MAX_RSA_KEY_BYTES)
++ return GPG_ERR_TOO_LARGE;
++#elif defined(MAX_RSA_KEY_BYTES) /* IBM stack */
++ if (ciphertext_len > MAX_RSA_KEY_BYTES)
++ return GPG_ERR_TOO_LARGE;
++#else
++# error TMP2 header are not correctly installed
++#endif
++
+ inScheme.scheme = TPM_ALG_RSAES;
+ /*
+ * apparent gcrypt error: occasionally rsa ciphertext will
+--
+2.45.4
+
diff --git a/SPECS/gnupg2/gnupg2.spec b/SPECS/gnupg2/gnupg2.spec
index 1be2df54c6a..4b21e4f3459 100644
--- a/SPECS/gnupg2/gnupg2.spec
+++ b/SPECS/gnupg2/gnupg2.spec
@@ -1,13 +1,14 @@
 Summary: OpenPGP standard implementation used for encrypted communication and data storage.
 Name: gnupg2
 Version: 2.4.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD and CC0 and GPLv2+ and LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: Applications/Cryptography.
 URL: https://gnupg.org/index.html
 Source0: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+Patch0: CVE-2026-24882.patch
 BuildRequires: zlib-devel
 BuildRequires: bzip2-devel
 BuildRequires: readline-devel
@@ -89,6 +90,9 @@ ln -s $(pwd)/bin/gpg $(pwd)/bin/gpg2
 %defattr(-,root,root)
 %changelog
+* Tue Feb 03 2026 Azure Linux Security Servicing Account - 2.4.0-3
+- Patch for CVE-2026-24882
+
 * Tue Mar 21 2023 Muhammad Falak - 2.4.0-2
 - Add correct version for libgpg-error-devel as a BR
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index ce5e23dbc23..7b92f92216b 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
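Review bot: The added guards in tpm2_ecc_decrypt and tpm2_rsa_decrypt do not say what they protect, and the `2*TPM2_MAX_ECC_KEY_BYTES + 1` bound reads as a magic number. A short comment above the ECC check would tie it to the existing comment below it, for example `/* Uncompressed EC point: one format octet plus X and Y, each at most MAX_ECC_KEY_BYTES. */`, and the RSA check deserves the matching one-liner. Both function bodies continue outside the hunks, so the copies being bounded are not visible here; presumably they target fixed-size TPM structures, which is worth stating in the comment once confirmed. The `# error TMP2 header are not correctly installed` text in both hunks misspells TPM2; since this file mirrors the upstream commit, that wording is better fixed upstream than in the carried patch.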
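Review bot: `Patch0: CVE-2026-24882.patch` is declared in the first gnupg2.spec hunk, but no `%patch` or `%autosetup` line appears in either hunk, so nothing visible here shows the patch being applied. The `%prep` section lies outside the diff; if it uses plain `%setup`, it needs `%patch0 -p1` (or a switch to `%autosetup -p1`), otherwise the 2.4.0-3 release bump would ship an unpatched tpm2d/tpm2.c under a version that claims the fix. Confirming in the build log that the patch applied to the 2.4.0 tree would close this out.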
@@ -221,8 +221,8 @@ libksba-devel-1.6.3-1.cm2.aarch64.rpm
 libxslt-1.1.34-10.cm2.aarch64.rpm
 npth-1.6-4.cm2.aarch64.rpm
 pinentry-1.2.0-1.cm2.aarch64.rpm
-gnupg2-2.4.0-2.cm2.aarch64.rpm
-gnupg2-lang-2.4.0-2.cm2.aarch64.rpm
+gnupg2-2.4.0-3.cm2.aarch64.rpm
+gnupg2-lang-2.4.0-3.cm2.aarch64.rpm
 gpgme-1.16.0-2.cm2.aarch64.rpm
 mariner-repos-shared-2.0-9.cm2.noarch.rpm
 mariner-repos-2.0-9.cm2.noarch.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index a13e15a8c5a..c18db6b7c9e 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -221,8 +221,8 @@ libksba-devel-1.6.3-1.cm2.x86_64.rpm
 libxslt-1.1.34-10.cm2.x86_64.rpm
 npth-1.6-4.cm2.x86_64.rpm
 pinentry-1.2.0-1.cm2.x86_64.rpm
-gnupg2-2.4.0-2.cm2.x86_64.rpm
-gnupg2-lang-2.4.0-2.cm2.x86_64.rpm
+gnupg2-2.4.0-3.cm2.x86_64.rpm
+gnupg2-lang-2.4.0-3.cm2.x86_64.rpm
 gpgme-1.16.0-2.cm2.x86_64.rpm
 mariner-repos-shared-2.0-9.cm2.noarch.rpm
 mariner-repos-2.0-9.cm2.noarch.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 352f35adab2..aca5549f846 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -118,9 +118,9 @@ glibc-tools-2.35-7.cm2.aarch64.rpm
 gmp-6.2.1-4.cm2.aarch64.rpm
 gmp-debuginfo-6.2.1-4.cm2.aarch64.rpm
 gmp-devel-6.2.1-4.cm2.aarch64.rpm
-gnupg2-2.4.0-2.cm2.aarch64.rpm
-gnupg2-debuginfo-2.4.0-2.cm2.aarch64.rpm
-gnupg2-lang-2.4.0-2.cm2.aarch64.rpm
+gnupg2-2.4.0-3.cm2.aarch64.rpm
+gnupg2-debuginfo-2.4.0-3.cm2.aarch64.rpm
+gnupg2-lang-2.4.0-3.cm2.aarch64.rpm
 gperf-3.1-5.cm2.aarch64.rpm
 gperf-debuginfo-3.1-5.cm2.aarch64.rpm
 gpgme-1.16.0-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index b434ffe6641..eeb217d98ff 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -123,9 +123,9 @@ glibc-tools-2.35-7.cm2.x86_64.rpm
 gmp-6.2.1-4.cm2.x86_64.rpm
 gmp-debuginfo-6.2.1-4.cm2.x86_64.rpm
 gmp-devel-6.2.1-4.cm2.x86_64.rpm
-gnupg2-2.4.0-2.cm2.x86_64.rpm
-gnupg2-debuginfo-2.4.0-2.cm2.x86_64.rpm
-gnupg2-lang-2.4.0-2.cm2.x86_64.rpm
+gnupg2-2.4.0-3.cm2.x86_64.rpm
+gnupg2-debuginfo-2.4.0-3.cm2.x86_64.rpm
+gnupg2-lang-2.4.0-3.cm2.x86_64.rpm
 gperf-3.1-5.cm2.x86_64.rpm
 gperf-debuginfo-3.1-5.cm2.x86_64.rpm
 gpgme-1.16.0-2.cm2.x86_64.rpm