[pkg-php-pear] Bug#1005921: CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in GPG calls

Guilhem Moulin guilhem at debian.org
Thu Feb 17 10:33:22 GMT 2022


Source: php-crypt-gpg
Version: 1.6.6-1
Severity: important
Tags: security upstream
Control: found -1 1.6.4-2
Control: found -1 1.6.6-1

Crypt_GPG upstream recently published for CVE-2022-24953: “The Crypt_GPG
extension before 1.6.7 for PHP does not prevent additional options in
GPG calls, which presents a risk for certain environments and GPG
versions.”

The fix is trivial:
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04.
Dunno if that warrants a DSA, but I'll prepare & test a debdiff for
bullseye-security or s-p-u.

-- 
Guilhem.
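The bug class named in the CVE text above is argument injection: a caller-supplied value (a key ID, user ID or file name) that begins with `-` is parsed by gpg as an option rather than as data. The following is an added illustration of a defensive wrapper pattern, not Crypt_GPG's own code and not the upstream fix; the helper names are hypothetical, and it assumes the wrapped gpg honours `--` as the end-of-options marker.

```php
<?php
// Hypothetical helpers illustrating how a gpg wrapper keeps caller input
// positional. Not taken from Crypt_GPG or from the upstream commit.

/**
 * Reject any caller-supplied value that gpg would parse as an option.
 * Key IDs, fingerprints and user IDs never legitimately start with '-'.
 */
function assertNotGpgOption(string $value): string
{
    if ($value === '' || $value[0] === '-') {
        throw new InvalidArgumentException(
            'Refusing value that gpg could parse as an option: ' . $value
        );
    }
    return $value;
}

/**
 * Build a gpg --export command line. Fixed options come first; the caller's
 * key ID is validated, shell-escaped and placed after '--', so gpg treats it
 * strictly as a positional argument.
 */
function buildGpgExportCommand(string $gpgBinary, string $homedir, string $keyId): string
{
    $args = [
        escapeshellarg($gpgBinary),
        '--batch', '--no-tty', '--armor',
        '--homedir', escapeshellarg($homedir),
        '--export',
        '--', // end of options: nothing after this is parsed as a gpg flag
        escapeshellarg(assertNotGpgOption($keyId)),
    ];
    return implode(' ', $args);
}

// Constructed sample input: a normal key ID, then a value shaped like an option.
echo buildGpgExportCommand('/usr/bin/gpg', '/tmp/gnupg-home', '0123456789ABCDEF'), "\n";
try {
    buildGpgExportCommand('/usr/bin/gpg', '/tmp/gnupg-home', '--some-option');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same two controls (reject option-shaped values, and separate fixed options from positional input with `--`) apply to every gpg verb a wrapper exposes, not only `--export`.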