Bug#1006010: bullseye-pu: package php-crypt-gpg/1.6.4-2+deb11u1

2022-02-18 Thread Guilhem Moulin
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in
GPG calls, which presents a risk for certain environments and GPG
versions.

The Security Team decided it didn't warrant a DSA and suggested an
upload via -pu instead.

[ Impact ]

API calls don't validate arguments, so a call to e.g. getFingerprint()
could be tricked into performing another command, producing erroneous
output or possibly yielding an information leak.

[ Tests ]

Unit tests, both build-time and autopkgtests, cover all changes.

[ Risks ]

The fix is trivial and simply prepends user-supplied gpg(1) arguments
with ‘--’ to avoid interpreting them as commands or flags/options.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable (php-crypt-gpg/1.6.4-2)
  [x] the issue is verified as fixed in unstable

[ Changes ]

d/p/Insert-the-end-of-options-marker-before-operation-argumen.patch is
merely the upstream fix
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04

d/gbp.conf, d/salsa-ci.yml are also adjusted to target Bullseye.

-- 
Guilhem.
diffstat for php-crypt-gpg-1.6.4 php-crypt-gpg-1.6.4

 changelog                                                               |  9 +
 gbp.conf                                                                |  2
 patches/Insert-the-end-of-options-marker-before-operation-argumen.patch | 74 ++
 patches/series                                                          |  1
 salsa-ci.yml                                                            |  1
 5 files changed, 86 insertions(+), 1 deletion(-)

diff -Nru php-crypt-gpg-1.6.4/debian/changelog php-crypt-gpg-1.6.4/debian/changelog
--- php-crypt-gpg-1.6.4/debian/changelog	2021-01-07 16:05:51.0 +0100
+++ php-crypt-gpg-1.6.4/debian/changelog	2022-02-18 22:17:29.0 +0100
@@ -1,3 +1,12 @@
+php-crypt-gpg (1.6.4-2+deb11u1) bullseye; urgency=high
+
+  * Backport fix for CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent
+additional options in GPG calls, which presents a risk for certain
+environments and GPG versions. (Closes: #1005921)
+  * d/gbp.conf, d/salsa-ci.yml: Target Bullseye release.
+
+ -- Guilhem Moulin   Fri, 18 Feb 2022 22:17:29 +0100
+
 php-crypt-gpg (1.6.4-2) unstable; urgency=medium
 
   * Require phpunit ≥8 in Build-Depends.
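Review bot: the new changelog entry closes #1005921 but gives no pointer to where the backported fix comes from; the cover mail names the upstream commit https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04, so consider citing that commit (or at least the d/patches file name) in the entry, so the provenance of the change is visible from the package itself rather than only from this bug.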
diff -Nru php-crypt-gpg-1.6.4/debian/gbp.conf 
php-crypt-gpg-1.6.4/debian/gbp.conf
--- php-crypt-gpg-1.6.4/debian/gbp.conf 2021-01-07 16:05:51.0 +0100
+++ php-crypt-gpg-1.6.4/debian/gbp.conf 2022-02-18 22:17:29.0 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 
 [import-orig]
diff -Nru php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch
--- php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch	1970-01-01 01:00:00.0 +0100
+++ php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch	2022-02-18 22:17:29.0 +0100
@@ -0,0 +1,74 @@
+From: Thomas Chauchefoin 
+Date: Thu, 10 Feb 2022 08:50:44 +0100
+Subject: Insert the end-of-options marker before operation arguments.
+
+This marker stops the parsing of additional options during external
+calls to GPG. This behavior is unintended but its security impact is
+dependent on the environment and the GPG version in use.
+---
+ Crypt_GPG-1.6.4/Crypt/GPG.php | 8 
+ Crypt_GPG-1.6.4/Crypt/GPGAbstract.php | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/Crypt_GPG-1.6.4/Crypt/GPG.php b/Crypt_GPG-1.6.4/Crypt/GPG.php
+index 87d2c8e..4c70833 100644
+--- a/Crypt_GPG-1.6.4/Crypt/GPG.php
 b/Crypt_GPG-1.6.4/Crypt/GPG.php
+@@ -457,7 +457,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+ );
+ }
+ 
+-$operation = '--delete-key ' . escapeshellarg($fingerprint);
++$operation = '--delete-key -- ' . escapeshellarg($fingerprint);
+ $arguments = array(
+ '--batch',
+ '--yes'
+@@ -507,7 +507,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+ );
+ }
+ 
+-$operation = '--delete-secret-key ' . escapeshellarg($fingerprint);
++$operation = '--delete-secret-key -- ' . escapeshellarg($fingerprint);
+ $arguments = array(
+ '--batch',
+ '--yes'
+@@ -585,7 +585,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+ public function getFingerprint($keyId, $format = self::FORMAT_NONE)
+ {
+ $output= '';
+-$operation = '--list-keys ' . 
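Review bot: the debdiff is cut off in the middle of the getFingerprint() hunk (the last visible line is `+-$operation = '--list-keys ' . `), so the rest of the GPG.php changes and the GPGAbstract.php hunks that the embedded diffstat lists (4 lines) cannot be reviewed from this copy; please make sure the complete debdiff is attached. On the two hunks that are visible the placement of the marker is right: `--` goes after the gpg command word and directly before the escapeshellarg()'d fingerprint, so a fingerprint beginning with a dash is taken as a positional argument instead of an option, while escapeshellarg() still takes care of shell metacharacters. One cosmetic observation: the embedded patch's `+++ b/Crypt_GPG-1.6.4/Crypt/GPG.php` header appears here as ` b/Crypt_GPG-1.6.4/Crypt/GPG.php`, which looks like quoting damage in this copy of the mail rather than in the patch file itself.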
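The [ Impact ] and [ Risks ] sections above state the defect and the fix in two sentences; the following Python is an added example, not code from Crypt_GPG, from the upstream commit or from this upload. It models how the operation string is assembled (a re-implementation of PHP's escapeshellarg(), with shlex.split standing in for the shell that splits the string handed to proc_open()) and then classifies the resulting argv with a toy GNU-style option parser, so the difference the `--` marker makes is visible without running gpg. All names in it (build_operation, classify_argv, key_id_is_positional, the '--constructed-option' key id) are constructed for this example; Python is used instead of PHP so the result can be checked with plain assertions.

```python
"""Added example, not part of Crypt_GPG or of this upload: models the
operation-string construction behind CVE-2022-24953 and the '--' fix."""
import shlex
from typing import List, Tuple


def escapeshellarg(arg: str) -> str:
    """Re-implementation of PHP's escapeshellarg() for POSIX shells:
    single-quote the argument and escape any embedded single quote."""
    return "'" + arg.replace("'", "'\\''") + "'"


def build_operation(command: str, key_id: str, end_of_options: bool) -> str:
    """Build the gpg operation string the way Crypt_GPG does.

    end_of_options=False is the pre-fix shape ('--list-keys <arg>');
    end_of_options=True is the fixed shape ('--list-keys -- <arg>').
    """
    separator = " -- " if end_of_options else " "
    return command + separator + escapeshellarg(key_id)


def classify_argv(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Toy model of GNU-style option parsing (gpg follows the same rule):
    a token starting with '-' is an option until a bare '--' is seen;
    every token after '--' is a positional argument, dash or not."""
    options: List[str] = []
    positionals: List[str] = []
    seen_marker = False
    for token in argv:
        if not seen_marker and token == "--":
            seen_marker = True
        elif not seen_marker and token.startswith("-") and token != "-":
            options.append(token)
        else:
            positionals.append(token)
    return options, positionals


def key_id_is_positional(command: str, key_id: str, end_of_options: bool) -> bool:
    """True when the caller-supplied key id ends up as a positional argument,
    i.e. cannot be mistaken for a gpg option. shlex.split() stands in for
    the shell that splits the string Crypt_GPG hands to proc_open()."""
    argv = shlex.split(build_operation(command, key_id, end_of_options))
    options, positionals = classify_argv(argv)
    return key_id in positionals and key_id not in options


if __name__ == "__main__":
    # Constructed inputs: a normal hex key id and one that merely looks like
    # an option. Only the second one distinguishes the two builders.
    for key_id in ("1234ABCD", "--constructed-option"):
        for fixed in (False, True):
            op = build_operation("--list-keys", key_id, fixed)
            print(f"{op:45s} -> key id positional: "
                  f"{key_id_is_positional('--list-keys', key_id, fixed)}")
```

The point the model makes is the one in the [ Risks ] section: escapeshellarg() alone only protects against the shell, because single quotes are gone by the time gpg sees its argv, so a dash-prefixed value still reaches gpg's own option parser; the `--` token is what tells that parser to stop looking for options. A regression test for a wrapper like this should therefore exercise a key id that begins with a dash, not just well-formed fingerprints.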

Bug#1004915: transition: ruby2.7-rm

2022-02-18 Thread Paul Gevers

Hi,

On 18-02-2022 21:18, Lucas Kanashiro wrote:
>> https://buildd.debian.org/status/package.php?p=graphviz
>> https://buildd.debian.org/status/package.php?p=hivex
>
> I am not sure about graphviz

Sorry, my mistake. I didn't schedule this one (yet) because of libwebp7.

> but for hivex I submitted a MR to fix this issue:
>
> https://salsa.debian.org/libvirt-team/hivex/-/merge_requests/1

Thanks.

>> Also the autopkgtest regressions don't look pretty yet, did you
>> already have a look:
>>
>> https://qa.debian.org/excuses.php?package=ruby-defaults
>
> I'll try to take a look at this list and see what's going on.

Paul




Bug#1004915: transition: ruby2.7-rm

2022-02-18 Thread Lucas Kanashiro

Hi,

On 18/02/2022 16:43, Paul Gevers wrote:
> Hi Lucas, Antonio,
>
> On 17-02-2022 20:11, Lucas Kanashiro wrote:
>> I just uploaded ruby-defaults/1:3.0 to unstable, it should be
>> available soon.
>
> I started scheduling jobs. I already noticed some that *didn't* pick
> up the new dependency, can you have a look:
>
> https://buildd.debian.org/status/package.php?p=graphviz
> https://buildd.debian.org/status/package.php?p=hivex

I am not sure about graphviz but for hivex I submitted a MR to fix this
issue:

https://salsa.debian.org/libvirt-team/hivex/-/merge_requests/1

> Also the autopkgtest regressions don't look pretty yet, did you
> already have a look:
>
> https://qa.debian.org/excuses.php?package=ruby-defaults

I'll try to take a look at this list and see what's going on.

--
Lucas Kanashiro



Bug#1004915: transition: ruby2.7-rm

2022-02-18 Thread Paul Gevers

Hi Lucas, Antonio,

On 17-02-2022 20:11, Lucas Kanashiro wrote:
> I just uploaded ruby-defaults/1:3.0 to unstable, it should be available
> soon.

I started scheduling jobs. I already noticed some that *didn't* pick up
the new dependency, can you have a look:

https://buildd.debian.org/status/package.php?p=graphviz
https://buildd.debian.org/status/package.php?p=hivex

Also the autopkgtest regressions don't look pretty yet, did you already
have a look:

https://qa.debian.org/excuses.php?package=ruby-defaults

Paul




NEW changes in oldstable-new

2022-02-18 Thread Debian FTP Masters
Processing changes file: h2database_1.4.197-4+deb10u1_source.changes
  ACCEPT
Processing changes file: h2database_1.4.197-4+deb10u1_all-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_source.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_all-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_amd64-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_i386-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: minetest_0.4.17.1+repack-1+deb10u1_s390x-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_source.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_all-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_amd64-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_arm64-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_armel-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_armhf-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_i386-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_mips-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: zsh_5.7.1-1+deb10u1_s390x-buildd.changes
  ACCEPT



NEW changes in stable-new

2022-02-18 Thread Debian FTP Masters
Processing changes file: h2database_1.4.197-4+deb11u1_source.changes
  ACCEPT
Processing changes file: h2database_1.4.197-4+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_source.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: librecad_2.1.3-1.3+deb11u1_s390x-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_source.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: minetest_5.3.0+repack-2.1+deb11u1_s390x-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_source.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_all-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_amd64-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_arm64-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_armel-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_armhf-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_i386-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_mips64el-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_mipsel-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_ppc64el-buildd.changes
  ACCEPT
Processing changes file: zsh_5.8-6+deb11u1_s390x-buildd.changes
  ACCEPT



Bug#1006000: transition: draco

2022-02-18 Thread Timo Röhling
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition


Dear release team,

I would like to transition draco for its new SONAME.
The Ben tracker at
https://release.debian.org/transitions/html/auto-draco.html looks fine.
I rebuilt all reverse dependencies on amd64 successfully.


Cheers
Timo





Bug#1003548: transition: libwebp

2022-02-18 Thread Sebastian Ramacher
On 2022-02-16 20:49:44, Jeff Breidenbach wrote:
> libwebp 1.2.1-7 has been successfully uploaded to unstable.
> 
> Anthony and Iustin, help is very strongly appreciated for the NMUs.

Almost all reverse dependencies have successfully been rebuilt against
libwebp7. Packages failing to build are weston (#998603) and openimageio
(#1003470).

Cheers
-- 
Sebastian Ramacher