Debian Bug report logs - #1005921
CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in GPG calls

Reported by: Guilhem Moulin <guilhem@debian.org>

Date: Thu, 17 Feb 2022 10:36:02 UTC

Severity: important

Tags: security, upstream

Found in versions php-crypt-gpg/1.6.4-2, php-crypt-gpg/1.6.6-1

Fixed in version php-crypt-gpg/1.6.7-1

Done: Guilhem Moulin <guilhem@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#1005921; Package src:php-crypt-gpg. (Thu, 17 Feb 2022 10:36:04 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Thu, 17 Feb 2022 10:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in GPG calls
Date: Thu, 17 Feb 2022 11:33:22 +0100
Source: php-crypt-gpg
Version: 1.6.6-1
Severity: important
Tags: security upstream
Control: found -1 1.6.4-2
Control: found -1 1.6.6-1

Crypt_GPG upstream recently published for CVE-2022-24953: “The Crypt_GPG
extension before 1.6.7 for PHP does not prevent additional options in
GPG calls, which presents a risk for certain environments and GPG
versions.”

The fix is trivial:
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 .
Dunno if that warrants a DSA, but I'll prepare & test a debdiff for
bullseye-security or s-p-u.

-- 
Guilhem.

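The vulnerability class named in the CVE text above, as an added illustration that is not code from Crypt_GPG, from its 1.6.7 fix, or from the Debian package: a caller-controlled key identifier ends up on the gpg command line, and neither shell escaping nor an argv array stops a value beginning with "--" from being parsed by gpg as an option, because gpg accepts options anywhere on its command line. The function names, the accepted identifier formats and the sample values below are assumptions made for this example; they do not describe what the upstream commit actually changed.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not Crypt_GPG's own code. Shows why escaping for the
 * shell is not the layer at which "additional options in GPG calls"
 * are prevented, and one way to reject option-shaped values up front.
 * Function names and sample identifiers are constructed for this demo.
 */

/** Builds argv for "gpg --list-keys <keyId>" without any validation. */
function buildArgvUnchecked(string $keyId): array
{
    // An argv array (proc_open() accepts one since PHP 7.4) or
    // escapeshellarg() both prevent shell metacharacter injection.
    // Neither prevents a value like "--foo" from reaching gpg as an
    // option: gpg parses options wherever they appear in argv.
    return ['gpg', '--batch', '--no-tty', '--with-colons', '--list-keys', $keyId];
}

/**
 * Validates a key identifier before it is placed on the command line.
 * Accepted here (a policy chosen for this example): an optionally
 * 0x-prefixed hex key ID or fingerprint of 8 to 40 hex digits, or an
 * e-mail style user ID. Anything that is empty or starts with '-' is
 * rejected outright, so it can never be read by gpg as an option.
 */
function assertSafeKeyId(string $keyId): string
{
    if ($keyId === '' || $keyId[0] === '-') {
        throw new InvalidArgumentException(
            'key identifier must not be empty or start with "-"'
        );
    }
    $isHexId   = preg_match('/^(0x)?[0-9A-Fa-f]{8,40}$/', $keyId) === 1;
    $isEmailId = preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $keyId) === 1;
    if (!$isHexId && !$isEmailId) {
        throw new InvalidArgumentException('unsupported key identifier format');
    }
    return $keyId;
}

/** Builds the same argv, but only after the identifier has been checked. */
function buildArgvChecked(string $keyId): array
{
    return ['gpg', '--batch', '--no-tty', '--with-colons', '--list-keys', assertSafeKeyId($keyId)];
}

// Constructed sample inputs for the demonstration (not real keys).
$samples = [
    '0xDEADBEEFDEADBEEF',      // hex key ID: accepted
    'alice@example.org',       // user ID: accepted
    '--no-default-keyring',    // option-shaped value: must be rejected
];

foreach ($samples as $keyId) {
    // The unchecked builder passes the option-shaped value straight
    // through; escapeshellarg() quotes it but leaves the leading "--".
    $unchecked = buildArgvUnchecked($keyId);
    printf("unchecked: %s\n", implode(' ', array_map('escapeshellarg', $unchecked)));
    try {
        $checked = buildArgvChecked($keyId);
        printf("checked:   %s\n", implode(' ', array_map('escapeshellarg', $checked)));
    } catch (InvalidArgumentException $e) {
        printf("checked:   rejected %s (%s)\n", escapeshellarg($keyId), $e->getMessage());
    }
}
```

Run with `php example.php`: the unchecked builder emits `--no-default-keyring` as a gpg argument, while the checked builder rejects it before any process would be spawned. Which identifier formats to accept is a policy choice for the caller; the invariant worth keeping is that no caller-controlled value starting with "-" is ever appended to a gpg command line unvalidated.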
Marked as found in versions php-crypt-gpg/1.6.4-2. Request was from Guilhem Moulin <guilhem@debian.org> to submit@bugs.debian.org. (Thu, 17 Feb 2022 10:36:04 GMT)


Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Thu, 17 Feb 2022 11:24:02 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Thu, 17 Feb 2022 11:24:02 GMT)


Message #12 received at 1005921-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1005921-close@bugs.debian.org
Subject: Bug#1005921: fixed in php-crypt-gpg 1.6.7-1
Date: Thu, 17 Feb 2022 11:20:18 +0000
Source: php-crypt-gpg
Source-Version: 1.6.7-1
Done: Guilhem Moulin <guilhem@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-crypt-gpg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1005921@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated php-crypt-gpg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Feb 2022 11:36:52 +0100
Source: php-crypt-gpg
Architecture: source
Version: 1.6.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1005921
Changes:
 php-crypt-gpg (1.6.7-1) unstable; urgency=high
 .
   * New upstream bugfix/security release, with fix for CVE-2022-24953:
     Crypt_GPG <1.6.7 does not prevent additional options in GPG calls, which
     presents a risk for certain environments and GPG versions.
     (Closes: #1005921)
 .
   [ Guilhem Moulin ]
   * d/watch: Use substitution strings.
   * Update standards version to 4.6.0, no changes needed.
   * Override lintian's 'very-long-line-length-in-source-file' tag for
     tests/data-files.
Checksums-Sha1:
 c27d39506dc5ac8504bcd1edc9ca78ce5bfa3d8f 2244 php-crypt-gpg_1.6.7-1.dsc
 09dbf1918f170dafde17094d4c014891fc30370c 343957 php-crypt-gpg_1.6.7.orig.tar.gz
 7ab1d293248b0cfe7dcb17dd465bc0feb6d43bb5 6580 php-crypt-gpg_1.6.7-1.debian.tar.xz
 4a0c95638d30a9da86bd73dca041bcb4d904ee0e 8043 php-crypt-gpg_1.6.7-1_amd64.buildinfo
Checksums-Sha256:
 14a09b769e04a2511f362712c1fe2c8817f59142ce068acdf9dc5e6aabcda8c1 2244 php-crypt-gpg_1.6.7-1.dsc
 50bbc63a501bc379adeb0d2b88b50511fcac16f83776ed517a8947a0dcbd6334 343957 php-crypt-gpg_1.6.7.orig.tar.gz
 3f0e3b143a163e83b5265508ba809d2c73f38f81f1898be50b14deaa9e146f49 6580 php-crypt-gpg_1.6.7-1.debian.tar.xz
 bf2e676ffdd5b483cdd681d99a18c3cf9928f5332edd18c641eaf25eb56ef2b8 8043 php-crypt-gpg_1.6.7-1_amd64.buildinfo
Files:
 f41ab90ac472fcff96a5193540a000b6 2244 php optional php-crypt-gpg_1.6.7-1.dsc
 69ea135cf475d2f006adaecbf14ff926 343957 php optional php-crypt-gpg_1.6.7.orig.tar.gz
 38bb4c1374b1a3c29d963dce0892853f 6580 php optional php-crypt-gpg_1.6.7-1.debian.tar.xz
 5dd59206e16a8d94c6f3b08bec7f2f6f 8043 php optional php-crypt-gpg_1.6.7-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmIOKEIACgkQ05pJnDwh
pVIYaA//Vy9UWuayfClww15AwcabbEN/hm7Df9cTsEqqDUJek5zFOFPDK9RaUstt
bBb3/MBEHzXPxnKpzzmrLB1i+iKKs/yzqvZ2vwGGu4vfRDIfykaOTbh9XkAVelth
Qhas0GTIFZMRpoRO5BlZa7yJmI7V4yb3wur5E7PEfA5OKh90f8+KS5V2N8crnMcp
QzKIzSKS7K8WgjPtGIxbexH9KBZHpQXccuPCpvp1D7MltUFzsiya9g/2FSWpqszn
OoKPogcWySC4+iwnA7YiIZsEgWdMaZVsnFMnH3jlsmD0q9XPLcndrRAwtWNJHh8h
GFbFQbsC82UMJ6K2KtXRsvJ9FiR8vRXjEv8hpaKXoeJVZB1DU2L9LnLir9FdczX+
QSzMrsIKiUJmLgohXvd0000R4ph4HNfhaY7TpMnPn25D2mXhRYOyN4l84YsEmMoU
MVC1xwAOfysBl43DLR6/yjzc4gfgOkWmcPbwCGhcLOLSPaYeqBRXRNt5hAAv703z
K/As7raTHgloKO1JuqI/Km4yAxivgerTFpN00Buk73QPpZ+HfR0DXISonUYrtQ6e
NaVU7vUhoXivGnSvVKvRPgNUv27+gAxP4Ajecx5vgZdh0Lwp+5nD2v2YWbzm4veq
2CYqD/jD1VSxmt9NudZZ5WY1MHaIzNDXZ7zjSZx4lNIUJHUs0EE=
=vnae
-----END PGP SIGNATURE-----




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Feb 17 17:29:21 2022; Machine Name: buxtehude