Gpgtools MacGPG2 → 2.2.24

Noteworthy changes in version 2.2.23

This version fixes a critical security bug in
versions 2.2.21 and 2.2.22.

Impact

These versions are affected:

• GnuPG 2.2.21 (released 2020-07-09)
• GnuPG 2.2.22 (released 2020-08-27)
• Gpg4win 3.1.12 (released 2020-07-24)

All other versions are not affected.

Importing an OpenPGP key having a preference list for AEAD algorithms
will lead to an array overflow and thus often to a crash or other
undefined behaviour.

Importing an arbitrary key can often easily be triggered by an attacker
and thus triggering this bug. Exploiting the bug aside from crashes is
not trivial but likely possible for a dedicated attacker. The major
hurdle for an attacker is that only every second byte is under their
control with every first byte having a fixed value of 0x04.

Software distribution verification should not be affected by this bug
because such a system uses a curated list of keys.

A CVE-id has not yet been assigned. We track this bug at
https://dev.gnupg.org/T5050

• gpg: Fix AEAD preference list overflow. [#5050]

• gpg: Fix a possible segv in the key cleaning code.

• gpgsm: Fix a minor RFC2253 parser bug. [#5037]

• scdaemon: Fix a PIN verify failure on certain OpenPGP card implementations. Regression in 2.2.22. [#5039]

• po: Fix bug in the Hungarian translation. Updates for the Czech, Polish, and Ukrainian translations.

  Release-info: https://dev.gnupg.org/T5045

Noteworthy changes in version 2.2.22

• gpg: Change the default key algorithm to rsa3072.

• gpg: Add regular expression support for Trust Signatures on all platforms. [#4843]

• gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat option. [#4991]

• gpg: Ignore --personal-digest-prefs for ECDSA keys. [#5021]

• gpgsm: Make rsaPSS a de-vs compliant scheme.

• gpgsm: Show also the SHA256 fingerprint in key listings.

• gpgsm: Do not require a default keyring for --gpgconf-list. [#4867]

• gpg-agent: Default to extended key format and record the creation time of keys. Add new option --disable-extended-key-format.

• gpg-agent: Support the WAYLAND_DISPLAY envvar. [#5016]

• gpg-agent: Allow using --gpgconf-list even if HOME does not exist. [#4866]

• gpg-agent: Make the Pinentry work even if the envvar TERM is set to the empty string. [#4137]

• scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly incremented the error counter when using the "verify" command of "gpg --edit-key" with only the signature key being present.

• dirmngr: Better handle systems with disabled IPv6. [#4977]

• gpgpslit: Install tool. It was not installed in the past to avoid conflicts with the version installed by GnuPG 1.4. [#5023]

• gpgtar: Handle Unicode file names on Windows correctly (requires libgpg-error 1.39). [#4083]

• gpgtar: Make --files-from and --null work as documented. [#5027]

• Build the Windows installer with the new Ntbtls 0.2.0 so that TLS connections succeed for servers demanding GCM.

  Release-info: https://dev.gnupg.org/T5030