[pkg-php-pear] Security issue (CVE-2022-24953) in php-crypt-gpg 1.6.4-2

Guilhem Moulin guilhem at debian.org
Thu Feb 17 11:20:05 GMT 2022


Dear security team,

Crypt_GPG upstream recently published for CVE-2022-24953: “The Crypt_GPG
extension before 1.6.7 for PHP does not prevent additional options in
GPG calls, which presents a risk for certain environments and GPG
versions.”

The fix is trivial:
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 .
Debdiff tested and attached.  Please let us know if you believe the
issue doesn't warrant a DSA, in that case I'll propose an upload via
s-p-u.

Cheers,
-- 
Guilhem.
-------------- next part --------------
diffstat for php-crypt-gpg-1.6.4 php-crypt-gpg-1.6.4

 changelog                                                               |    9 +
 gbp.conf                                                                |    2 
 patches/Insert-the-end-of-options-marker-before-operation-argumen.patch |   74 ++++++++++
 patches/series                                                          |    1 
 salsa-ci.yml                                                            |    1 
 5 files changed, 86 insertions(+), 1 deletion(-)

diff -Nru php-crypt-gpg-1.6.4/debian/changelog php-crypt-gpg-1.6.4/debian/changelog
--- php-crypt-gpg-1.6.4/debian/changelog	2021-01-07 16:05:51.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/changelog	2022-02-17 12:02:07.000000000 +0100
@@ -1,3 +1,12 @@
+php-crypt-gpg (1.6.4-2+deb11u1) bullseye-security; urgency=high
+
+  * Backport fix for CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent
+    additional options in GPG calls, which presents a risk for certain
+    environments and GPG versions. (Closes: #1005921)
+  * d/gbp.conf, d/salsa-ci.yml: Target Bullseye release.
+
+ -- Guilhem Moulin <guilhem at debian.org>  Thu, 17 Feb 2022 12:02:07 +0100
+
 php-crypt-gpg (1.6.4-2) unstable; urgency=medium
 
   * Require phpunit ≥8 in Build-Depends.
diff -Nru php-crypt-gpg-1.6.4/debian/gbp.conf php-crypt-gpg-1.6.4/debian/gbp.conf
--- php-crypt-gpg-1.6.4/debian/gbp.conf	2021-01-07 16:05:51.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/gbp.conf	2022-02-17 12:02:07.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 
 [import-orig]
diff -Nru php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch
--- php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch	2022-02-17 12:02:07.000000000 +0100
@@ -0,0 +1,74 @@
+From: Thomas Chauchefoin <thomas.chauchefoin at sonarsource.com>
+Date: Thu, 10 Feb 2022 08:50:44 +0100
+Subject: Insert the end-of-options marker before operation arguments.
+
+This marker stops the parsing of additional options during external
+calls to GPG. This behavior is unintended but its security impact is
+dependent on the environment and the GPG version in use.
+---
+ Crypt_GPG-1.6.4/Crypt/GPG.php         | 8 ++++----
+ Crypt_GPG-1.6.4/Crypt/GPGAbstract.php | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/Crypt_GPG-1.6.4/Crypt/GPG.php b/Crypt_GPG-1.6.4/Crypt/GPG.php
+index 87d2c8e..4c70833 100644
+--- a/Crypt_GPG-1.6.4/Crypt/GPG.php
++++ b/Crypt_GPG-1.6.4/Crypt/GPG.php
+@@ -457,7 +457,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+             );
+         }
+ 
+-        $operation = '--delete-key ' . escapeshellarg($fingerprint);
++        $operation = '--delete-key -- ' . escapeshellarg($fingerprint);
+         $arguments = array(
+             '--batch',
+             '--yes'
+@@ -507,7 +507,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+             );
+         }
+ 
+-        $operation = '--delete-secret-key ' . escapeshellarg($fingerprint);
++        $operation = '--delete-secret-key -- ' . escapeshellarg($fingerprint);
+         $arguments = array(
+             '--batch',
+             '--yes'
+@@ -585,7 +585,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+     public function getFingerprint($keyId, $format = self::FORMAT_NONE)
+     {
+         $output    = '';
+-        $operation = '--list-keys ' . escapeshellarg($keyId);
++        $operation = '--list-keys -- ' . escapeshellarg($keyId);
+         $arguments = array(
+             '--with-colons',
+             '--with-fingerprint'
+@@ -1584,7 +1584,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+ 
+         $keyData   = '';
+         $operation = $private ? '--export-secret-keys' : '--export';
+-        $operation .= ' ' . escapeshellarg($fingerprint);
++        $operation .= ' -- ' . escapeshellarg($fingerprint);
+         $arguments = $armor ? array('--armor') : array();
+ 
+         $this->engine->reset();
+diff --git a/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php b/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
+index 3dafe12..2c6b4b6 100644
+--- a/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
++++ b/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
+@@ -360,7 +360,7 @@ abstract class Crypt_GPGAbstract
+         if ($keyId == '') {
+             $operation = '--list-secret-keys';
+         } else {
+-            $operation = '--utf8-strings --list-secret-keys ' . escapeshellarg($keyId);
++            $operation = '--utf8-strings --list-secret-keys -- ' . escapeshellarg($keyId);
+         }
+ 
+         // According to The file 'doc/DETAILS' in the GnuPG distribution, using
+@@ -392,7 +392,7 @@ abstract class Crypt_GPGAbstract
+         if ($keyId == '') {
+             $operation = '--list-public-keys';
+         } else {
+-            $operation = '--utf8-strings --list-public-keys ' . escapeshellarg($keyId);
++            $operation = '--utf8-strings --list-public-keys -- ' . escapeshellarg($keyId);
+         }
+ 
+         $output = '';
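Review bot: the `--` marker terminates option parsing for everything that follows it, so each of these six changes is only correct if the engine emits `$arguments` (`--batch`, `--yes`, `--with-colons`, `--with-fingerprint`, `--armor`) before `$operation` on the assembled command line; that ordering is not visible in this hunk, so it is worth confirming in the engine's command assembly. The placement is otherwise right: `-- ` sits after the last real option (`--utf8-strings`, `--list-secret-keys`, `--export-secret-keys`) and immediately before the caller-supplied `$keyId`/`$fingerprint`, so an identifier beginning with `-` can no longer be read as an option even though `escapeshellarg()` already protects against shell metacharacters. On documentation, the patch header carries `From:`/`Date:`/`Subject:` but no DEP-3 `Origin:`/`Bug:`/`Applied-Upstream:` fields; adding `Origin: https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04` and `Bug-Debian: https://bugs.debian.org/1005921` would tie the backport to the upstream fix and bug cited in the cover mail.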
diff -Nru php-crypt-gpg-1.6.4/debian/patches/series php-crypt-gpg-1.6.4/debian/patches/series
--- php-crypt-gpg-1.6.4/debian/patches/series	2021-01-07 16:05:51.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/patches/series	2022-02-17 12:02:07.000000000 +0100
@@ -2,3 +2,4 @@
 Fix-FTBFS-with-phpunit-8.5.13-1.patch
 Fix-FTBFS-with-phpunit-9.5.0-1.patch
 Preemptively-fix-FTBFS-with-phpunit-10.patch
+Insert-the-end-of-options-marker-before-operation-argumen.patch
diff -Nru php-crypt-gpg-1.6.4/debian/salsa-ci.yml php-crypt-gpg-1.6.4/debian/salsa-ci.yml
--- php-crypt-gpg-1.6.4/debian/salsa-ci.yml	2021-01-07 16:05:51.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/salsa-ci.yml	2022-02-17 12:02:07.000000000 +0100
@@ -4,6 +4,7 @@
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
+  RELEASE: 'bullseye'
   # dh_auto_test yields weird errors I cannot reproduce locally in a
   # clean chroot, so build under nocheck profile for now
   DEB_BUILD_OPTIONS: nocheck