Bug#1006010: bullseye-pu: package php-crypt-gpg/1.6.4-2+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions. The Security Team decided it didn't warrant a DSA and suggested an upload via -pu instead.

[ Impact ]
API calls don't validate arguments so a call to e.g. getFingerprint() could be tricked into performing another command, producing erroneous output or possibly yielding an information leak.

[ Tests ]
Unit tests, both build-time and autopkgtests, cover all changes.

[ Risks ]
The fix is trivial and simply prepends user-supplied gpg(1) arguments with ‘--’ to avoid interpreting them as commands or flags/options.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable (php-crypt-gpg/1.6.4-2)
[x] the issue is verified as fixed in unstable

[ Changes ]
d/p/Insert-the-end-of-options-marker-before-operation-argumen.patch is merely the upstream fix https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04

d/gbp.conf, d/salsa-ci.yml are also adjusted to target Bullseye.

-- Guilhem.

diffstat for php-crypt-gpg-1.6.4 php-crypt-gpg-1.6.4

 changelog                                                               |  9 +
 gbp.conf                                                                |  2
 patches/Insert-the-end-of-options-marker-before-operation-argumen.patch | 74 ++
 patches/series                                                          |  1
 salsa-ci.yml                                                            |  1
 5 files changed, 86 insertions(+), 1 deletion(-)

diff -Nru php-crypt-gpg-1.6.4/debian/changelog php-crypt-gpg-1.6.4/debian/changelog
--- php-crypt-gpg-1.6.4/debian/changelog	2021-01-07 16:05:51.0 +0100
+++ php-crypt-gpg-1.6.4/debian/changelog	2022-02-18 22:17:29.0 +0100
@@ -1,3 +1,12 @@ +php-crypt-gpg (1.6.4-2+deb11u1) bullseye; urgency=high + + * Backport fix for CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent +additional options in GPG calls, which presents a risk for certain +environments and GPG versions. (Closes: #1005921) + * d/gbp.conf, d/salsa-ci.yml: Target Bullseye release. + + -- Guilhem Moulin Fri, 18 Feb 2022 22:17:29 +0100 + php-crypt-gpg (1.6.4-2) unstable; urgency=medium * Require phpunit ≥8 in Build-Depends. diff -Nru php-crypt-gpg-1.6.4/debian/gbp.conf php-crypt-gpg-1.6.4/debian/gbp.conf --- php-crypt-gpg-1.6.4/debian/gbp.conf 2021-01-07 16:05:51.0 +0100 +++ php-crypt-gpg-1.6.4/debian/gbp.conf 2022-02-18 22:17:29.0 +0100 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = debian/latest +debian-branch = debian/bullseye pristine-tar = True [import-orig] diff -Nru php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch --- php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch 1970-01-01 01:00:00.0 +0100 +++ php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch 2022-02-18 22:17:29.0 +0100 
@@ -0,0 +1,74 @@ +From: Thomas Chauchefoin +Date: Thu, 10 Feb 2022 08:50:44 +0100 +Subject: Insert the end-of-options marker before operation arguments. + +This marker stops the parsing of additional options during external +calls to GPG. This behavior is unintended but its security impact is +dependent on the environment and the GPG version in use. +--- + Crypt_GPG-1.6.4/Crypt/GPG.php | 8 + Crypt_GPG-1.6.4/Crypt/GPGAbstract.php | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/Crypt_GPG-1.6.4/Crypt/GPG.php b/Crypt_GPG-1.6.4/Crypt/GPG.php +index 87d2c8e..4c70833 100644 +--- a/Crypt_GPG-1.6.4/Crypt/GPG.php b/Crypt_GPG-1.6.4/Crypt/GPG.php +@@ -457,7 +457,7 @@ class Crypt_GPG extends Crypt_GPGAbstract + ); + } + +-$operation = '--delete-key ' . escapeshellarg($fingerprint); ++$operation = '--delete-key -- ' . escapeshellarg($fingerprint); + $arguments = array( + '--batch', + '--yes' +@@ -507,7 +507,7 @@ class Crypt_GPG extends Crypt_GPGAbstract + ); + } + +-$operation = '--delete-secret-key ' . escapeshellarg($fingerprint); ++$operation = '--delete-secret-key -- ' . escapeshellarg($fingerprint); + $arguments = array( + '--batch', + '--yes' +@@ -585,7 +585,7 @@ class Crypt_GPG extends Crypt_GPGAbstract + public function getFingerprint($keyId, $format = self::FORMAT_NONE) + { + $output= ''; +-$operation = '--list-keys ' .
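Review bot: the changelog hunk names the CVE and the bug it closes but not the upstream commit the patch is taken from, which the report body does give (https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04); the patch header shown carries only From/Date/Subject, so recording the commit either in the changelog bullet or as an Origin: field in the patch's DEP-3 header lets a later reviewer check the backport against upstream without reading the bug.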
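Review bot: the Crypt/GPG.php hunks put the end-of-options marker inside the operation string ('--delete-key -- ' . escapeshellarg($fingerprint)), which is the right place for gpg's option parser, but the patch's own diffstat lists only Crypt/GPG.php and Crypt/GPGAbstract.php, so no regression test ships with the change and the report's [ Tests ] section leans on the existing suite; a test that passes a key identifier beginning with "-" through getFingerprint() and checks that gpg reports it as an unknown key rather than treating it as an option would pin the fix. Since the GPGAbstract.php hunks are not shown in this excerpt, it is also worth confirming on the backport that every operation string built from caller input gets the marker, because one omitted call site keeps the original behaviour.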
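As an added illustration of the end-of-options marker the report's [ Risks ] section describes (example code written for this page, not Crypt_GPG's own; parseArgv() is a hypothetical stand-in for gpg's option parsing, and rejectOptionLikeValue() is an extra application-side check that is not part of the upstream fix):

```php
<?php
declare(strict_types=1);

// Added example, not Crypt_GPG's own code. It models the command
// construction before and after the backported fix described in the
// report and shows, with a small stand-in for GNU-style option parsing,
// why the "--" end-of-options marker matters. parseArgv() is a
// hypothetical model for illustration, not gpg's real parser.

/**
 * Argument vector for an operation such as --list-keys.
 * $endOfOptions = true mirrors the fix; false mirrors Crypt_GPG 1.6.4.
 */
function buildArgv(string $operation, string $value, bool $endOfOptions = true): array
{
    return $endOfOptions ? [$operation, '--', $value] : [$operation, $value];
}

/**
 * The same thing in the string form Crypt_GPG hands to the shell.
 * escapeshellarg() neutralises shell metacharacters, but a value that
 * starts with "-" still reaches gpg as a word starting with "-".
 */
function buildCommandString(string $operation, string $value, bool $endOfOptions = true): string
{
    $marker = $endOfOptions ? ' -- ' : ' ';
    return $operation . $marker . escapeshellarg($value);
}

/**
 * Stand-in for GNU-style option parsing (hypothetical): every word that
 * starts with "-" is an option until "--" is seen; after that every word
 * is an operand, even one that starts with "-".
 */
function parseArgv(array $words): array
{
    $options = [];
    $operands = [];
    $stopped = false;
    foreach ($words as $word) {
        if (!$stopped && $word === '--') {
            $stopped = true;
        } elseif (!$stopped && strlen($word) > 1 && $word[0] === '-') {
            $options[] = $word;
        } else {
            $operands[] = $word;
        }
    }
    return ['options' => $options, 'operands' => $operands];
}

/**
 * Defence in depth on the application side (an addition here, not part
 * of the upstream fix): refuse a caller-supplied key identifier that
 * starts with "-" before it gets near a command line. Crypt_GPG accepts
 * fingerprints, key IDs and user-ID fragments, so the check is kept narrow.
 */
function rejectOptionLikeValue(string $value): string
{
    if ($value === '' || $value[0] === '-') {
        throw new InvalidArgumentException('key identifier must not start with "-"');
    }
    return $value;
}

function demo(): void
{
    // Constructed inputs: a made-up fingerprint and a placeholder word that
    // merely looks like an option ("--not-a-real-option" is not a gpg flag).
    $fingerprint = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01';
    $optionLike  = '--not-a-real-option';

    foreach ([false, true] as $fixed) {
        $label = $fixed ? 'with -- marker:  ' : 'without marker:  ';
        foreach ([$fingerprint, $optionLike] as $value) {
            $parsed = parseArgv(buildArgv('--list-keys', $value, $fixed));
            echo $label, json_encode($parsed), "\n";
        }
        echo $label, buildCommandString('--list-keys', $optionLike, $fixed), "\n";
    }

    try {
        rejectOptionLikeValue($optionLike);
    } catch (InvalidArgumentException $e) {
        echo 'rejected before exec: ', $e->getMessage(), "\n";
    }
}

demo();
```

Run it with `php example.php`. Without the marker the option-looking value lands in the options list next to --list-keys; with it the same bytes become an operand, which is what the patch's `'--list-keys -- '` construction achieves at the library boundary. The early rejection is belt-and-braces: it stops the value in the application, where the event can be logged, while the marker remains the fix that protects every caller.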
Bug#1004915: transition: ruby2.7-rm
Hi,

On 18-02-2022 21:18, Lucas Kanashiro wrote:
>> https://buildd.debian.org/status/package.php?p=graphviz
>> https://buildd.debian.org/status/package.php?p=hivex
>
> I am not sure about graphviz

Sorry, my mistake. I didn't schedule this one (yet) because of libwebp7.

> but for hivex I submitted a MR to fix this issue:
> https://salsa.debian.org/libvirt-team/hivex/-/merge_requests/1

Thanks.

>> Also the autopkgtest regressions don't look pretty yet, did you already have a look:
>> https://qa.debian.org/excuses.php?package=ruby-defaults
>
> I'll try to take a look at this list and see what's going on.

Paul
Bug#1004915: transition: ruby2.7-rm
Hi,

On 18/02/2022 16:43, Paul Gevers wrote:
> Hi Lucas, Antonio,
>
> On 17-02-2022 20:11, Lucas Kanashiro wrote:
>> I just uploaded ruby-defaults/1:3.0 to unstable, it should be available soon.
>
> I started scheduling jobs. I already noticed some that *didn't* pick up the new dependency, can you have a look:
> https://buildd.debian.org/status/package.php?p=graphviz
> https://buildd.debian.org/status/package.php?p=hivex

I am not sure about graphviz but for hivex I submitted a MR to fix this issue: https://salsa.debian.org/libvirt-team/hivex/-/merge_requests/1

> Also the autopkgtest regressions don't look pretty yet, did you already have a look:
> https://qa.debian.org/excuses.php?package=ruby-defaults

I'll try to take a look at this list and see what's going on.

-- 
Lucas Kanashiro
Bug#1004915: transition: ruby2.7-rm
Hi Lucas, Antonio,

On 17-02-2022 20:11, Lucas Kanashiro wrote:
> I just uploaded ruby-defaults/1:3.0 to unstable, it should be available soon.

I started scheduling jobs. I already noticed some that *didn't* pick up the new dependency, can you have a look:
https://buildd.debian.org/status/package.php?p=graphviz
https://buildd.debian.org/status/package.php?p=hivex

Also the autopkgtest regressions don't look pretty yet, did you already have a look:
https://qa.debian.org/excuses.php?package=ruby-defaults

Paul
NEW changes in oldstable-new
Processing changes file: h2database_1.4.197-4+deb10u1_source.changes
  ACCEPT
Processing changes file: h2database_1.4.197-4+deb10u1_all-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_source.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_all-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_amd64-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_i386-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_s390x-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_source.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_all-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_amd64-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_i386-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_s390x-buildd.changes
  ACCEPT
NEW changes in stable-new
Processing changes file: h2database_1.4.197-4+deb11u1_source.changes
  ACCEPT
Processing changes file: h2database_1.4.197-4+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_source.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_s390x-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_source.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_s390x-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_source.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_s390x-buildd.changes
  ACCEPT
Bug#1006000: transition: draco
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear release team,

I would like to transition draco for its new SONAME. The Ben tracker at https://release.debian.org/transitions/html/auto-draco.html looks fine. I rebuilt all reverse dependencies on amd64 successfully.

Cheers
Timo
Bug#1003548: transition: libwebp
On 2022-02-16 20:49:44, Jeff Breidenbach wrote:
> libwebp 1.2.1-7 has been successfully uploaded to unstable.
>
> Anthony and Iustin, help is very strongly appreciated for the NMUs.

Almost all reverse dependencies have successfully been rebuilt against libwebp7. Packages failing to build are weston (#998603) and openimageio (#1003470).

Cheers
-- 
Sebastian Ramacher