From b790fd4c71565df00b11fecda9fd03693fadeb09af0b32ba647d016ea9c07b0a Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Sat, 22 Nov 2025 18:40:32 +0100 Subject: [PATCH] rnp 0.18.1 CVE-2025-13470 (boo#1253957, CVE-2025-13402) As submitted in https://build.opensuse.org/requests/1319259 --- rnp-v0.18.0.tar.gz | 3 --- rnp-v0.18.0.tar.gz.asc | 7 ------- rnp-v0.18.1.tar.gz | 3 +++ rnp-v0.18.1.tar.gz.asc | 7 +++++++ rnp.changes | 8 ++++++++ rnp.keyring | 14 +++++++------- rnp.spec | 6 +++--- 7 files changed, 28 insertions(+), 20 deletions(-) delete mode 100644 rnp-v0.18.0.tar.gz delete mode 100644 rnp-v0.18.0.tar.gz.asc create mode 100644 rnp-v0.18.1.tar.gz create mode 100644 rnp-v0.18.1.tar.gz.asc
diff --git a/rnp-v0.18.0.tar.gz b/rnp-v0.18.0.tar.gz
deleted file mode 100644
index 7ab55b2..0000000
--- a/rnp-v0.18.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a90e3ac5b185a149665147f9284c0201a78431e81924883899244522fd3f9240
-size 4376397
diff --git a/rnp-v0.18.0.tar.gz.asc b/rnp-v0.18.0.tar.gz.asc
deleted file mode 100644
index e328d00..0000000
--- a/rnp-v0.18.0.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQRQ2lnVuRNPotsesgz7gpq10P4BfwUCaD395wAKCRD7gpq10P4B
-f6H6AQDieDYfjsUAi+JKXu7ofP73apiiICXbmjkRh7FS3bAb5QEAhO+aCelLhf3p
-HZTgepEUbnZUk6MddTJveS/gWdDlNAQ=
-=SAPb
------END PGP SIGNATURE-----
diff --git a/rnp-v0.18.1.tar.gz b/rnp-v0.18.1.tar.gz
new file mode 100644
index 0000000..2c1ea4c
--- /dev/null
+++ b/rnp-v0.18.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:423c8e32e1e591462f759adf8441b1c44bca96d9f5daff13b82e81a79f18ecfd
+size 4377514
diff --git a/rnp-v0.18.1.tar.gz.asc b/rnp-v0.18.1.tar.gz.asc
new file mode 100644
index 0000000..8394395
--- /dev/null
+++ b/rnp-v0.18.1.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQRQ2lnVuRNPotsesgz7gpq10P4BfwUCaSB/8QAKCRD7gpq10P4B
+f5G+AQDbdJdjbrAVGU823aCzriD0OXAgV3N+vZYfVebuE/VMsQEAkfT4n5apDx4w
+F1YJDSJMcJPIP9H80l8BZK5G7WhDngs=
+=ko0M
+-----END PGP SIGNATURE-----
diff --git a/rnp.changes b/rnp.changes
index c1a5061..efbbc32 100644
--- a/rnp.changes
+++ b/rnp.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sat Nov 22 09:07:35 UTC 2025 - Andreas Stieger
+
+- update to 0.18.1:
+ * CVE-2025-13470: PKESK (public-key encrypted) session keys were
+ generated as all-zero, allowing trivial decryption of messages
+ encrypted with public keys only (boo#1253957, CVE-2025-13402)
+
 -------------------------------------------------------------------
 Sun Aug 3 14:47:53 UTC 2025 - Andreas Stieger
diff --git a/rnp.keyring b/rnp.keyring
index a4acb2b..935d21a 100644
--- a/rnp.keyring
+++ b/rnp.keyring
@@ -6,11 +6,11 @@ b20+iJYEExYIAD4WIQQxr1ok2GHvy3y3mhkkkAzgrvtUFwUCYOUN0QIbAQUJbeHV
 gAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAkkAzgrvtUF42MAQDXfgjYWWqR
 PkCvVhDQEjJVETNmwSgfhG/q3pMmGSlJFQD/ZJI9KhowbzGU0/qDXDERPoR2FYB5
 xx4BwotTOwketw64MwRjGxr6FgkrBgEEAdpHDwEBB0B5WpvGuJLXoMdAAIyNfOjd
-Z7ittaBksxh/mfCPKcXrPoj1BBgWCAAmFiEEMa9aJNhh78t8t5oZJJAM4K77VBcF
-AmMbGvoCGwIFCQPCZwAAgQkQJJAM4K77VBd2IAQZFggAHRYhBFDaWdW5E0+i2x6y
-DPuCmrXQ/gF/BQJjGxr6AAoJEPuCmrXQ/gF/Zi4A/RwEZ17ZrXyn0kiY/DP6BSIt
-p/6Sk9hG7KpkRqC3aaWsAQD2P6eZV6pWbhQp1C/kQYtgBbLOMUqmAg+5fMduhmaw
-BDfrAP9PXS/3/h4R2UWvQ8yDv4BXztrnf61rX6re4iGpfixBZAD9FalZDJmCrdQm
-toOkvaIWylfh5HgTM3lxXcO3Dz6W6QQ=
-=Towq
+Z7ittaBksxh/mfCPKcXrPoj1BBgWCAAmAhsCFiEEMa9aJNhh78t8t5oZJJAM4K77
+VBcFAmg90F0FCQcD6OMAgXYgBBkWCAAdFiEEUNpZ1bkTT6LbHrIM+4KatdD+AX8F
+AmMbGvoACgkQ+4KatdD+AX9mLgD9HARnXtmtfKfSSJj8M/oFIi2n/pKT2EbsqmRG
+oLdppawBAPY/p5lXqlZuFCnUL+RBi2AFss4xSqYCD7l8x26GZrAECRAkkAzgrvtU
+F3UaAP4ibyzghsJdIpg5XHwa/4azW29Lzjnjl8KcSyeG98g6EwD/UhyV15eM8Drj
+P6KdjUPYFEJFxgEEhCH5HvA8/RkbWw8=
+=/0Ub
 -----END PGP PUBLIC KEY BLOCK-----
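Review bot: The rnp.keyring hunk replaces the tail of the armored key block in the same commit that adds rnp-v0.18.1.tar.gz.asc, and neither the commit message nor the rnp.changes entry says why the key material changed or where it was fetched from. Since this keyring is presumably what the new tarball signature is checked against, the changelog entry should record it, for example `- refresh rnp.keyring from upstream, primary key fingerprint unchanged`, provided that is what was verified. The three leading context lines are untouched and both detached signatures start with the same bytes, which suggests the same signing key with a re-issued self-signature, but that should be confirmed by comparing fingerprints of the old and new keyring rather than read off the diff. The key block begins outside the hunk.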
diff --git a/rnp.spec b/rnp.spec
index 5de359c..387593a 100644
--- a/rnp.spec
+++ b/rnp.spec
@@ -18,7 +18,7 @@
 %define soname 0
 Name: rnp
-Version: 0.18.0
+Version: 0.18.1
 Release: 0
 Summary: OpenPGP implementation fully compliant with RFC 4880
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause
@@ -102,9 +102,9 @@ export CXX=g++-12
 %files devel
 %license LICENSE*
 %doc CHANGELOG.md README.adoc
-%{_includedir}/*
+%{_includedir}/rnp
 %{_libdir}/cmake/rnp
-%{_libdir}/*.so
+%{_libdir}/librnp.so
 %{_libdir}/pkgconfig/*.pc
 %{_mandir}/man3/*.3%{?ext_man}
-- 2.51.1
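Review bot: The `%files devel` change from `%{_includedir}/*` to `%{_includedir}/rnp` and from `%{_libdir}/*.so` to `%{_libdir}/librnp.so` is not recorded in the rnp.changes entry, which lists only the 0.18.1 update. A line such as `- list devel headers and library explicitly in %files` would document it. The neighbouring `%{_libdir}/pkgconfig/*.pc` and `%{_mandir}/man3/*.3%{?ext_man}` entries still use globs, so an unexpected extra file in those directories would be packaged silently rather than normally failing the build as unpackaged. Naming those files explicitly as well would make the list consistent. The `%files devel` section may continue past the end of the hunk.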