[pkg-php-pear] Security issue (CVE-2022-24953) in php-crypt-gpg 1.6.4-2

Salvatore Bonaccorso carnil at debian.org
Fri Feb 18 20:21:05 GMT 2022


Hi Guilhem,

On Thu, Feb 17, 2022 at 12:20:05PM +0100, Guilhem Moulin wrote:
> Dear security team,
> 
> Crypt_GPG upstream recently published for CVE-2022-24953: “The Crypt_GPG
> extension before 1.6.7 for PHP does not prevent additional options in
> GPG calls, which presents a risk for certain environments and GPG
> versions.”
> 
> The fix is trivial:
> https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 .
> Debdiff tested and attached.  Please let us know if you believe the
> issue doesn't warrant a DSA, in that case I'll propose an upload via
> s-p-u.

Gut feeling here on the issue: It should be enough to schedule a fix
for this issue via the upcoming point release for bullseye.

Regards,
Salvatore
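The CVE text quoted above describes an option-injection weakness: values handed to the library end up on the gpg command line where gpg may parse them as options rather than operands. The following is an added illustration, not Crypt_GPG's code and not the upstream commit linked above; the helper names (`assertGpgOperand`, `buildGpgEncryptArgv`) and the inputs are constructed for this example. It shows the general defensive pattern: refuse any caller-supplied value that starts with `-`, and put file operands after a `--` separator so gpg stops option parsing.

```php
<?php
// Added example (not Crypt_GPG's code): validate caller-supplied values before
// they reach the gpg command line, so none of them can act as an extra option.

final class GpgArgumentError extends RuntimeException {}

/**
 * Ensure a value destined for the gpg command line is an operand, not an option.
 * Anything empty or starting with '-' (e.g. "--output", "-r") is refused.
 * Hypothetical helper for illustration.
 */
function assertGpgOperand(string $value, string $what): string
{
    if ($value === '' || $value[0] === '-') {
        throw new GpgArgumentError(
            "Refusing $what that looks like a gpg option: " . var_export($value, true)
        );
    }
    return $value;
}

/**
 * Build an argv array for a gpg encryption call. Every variable part is
 * validated, and the file operand is placed after '--' so gpg treats whatever
 * follows as a file name regardless of its first character.
 * Hypothetical helper for illustration.
 */
function buildGpgEncryptArgv(array $recipientKeyIds, string $inputFile): array
{
    $argv = ['gpg', '--batch', '--no-tty', '--encrypt'];
    foreach ($recipientKeyIds as $keyId) {
        $argv[] = '--recipient';
        $argv[] = assertGpgOperand($keyId, 'recipient key id');
    }
    $argv[] = '--';
    $argv[] = assertGpgOperand($inputFile, 'input file name');
    return $argv;
}

// Constructed inputs: a well-formed key id, then a value shaped like an option.
$good = buildGpgEncryptArgv(['0123456789ABCDEF'], '/tmp/message.txt');
echo implode(' ', array_map('escapeshellarg', $good)), PHP_EOL;

try {
    buildGpgEncryptArgv(['--injected-option'], '/tmp/message.txt');
} catch (GpgArgumentError $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The array form is deliberate: on PHP 7.4 and later `proc_open()` accepts an argv array and execs the program without a shell, so the check above is the only thing standing between a caller's input and gpg's option parser; the `escapeshellarg` call here is only for printing a readable command line.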
