
Bug#1006010: bullseye-pu: package php-crypt-gpg/1.6.4-2+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in
GPG calls, which presents a risk for certain environments and GPG
versions.

The Security Team decided it didn't warrant a DSA and suggested an
upload via -pu instead.

[ Impact ]

API calls don't validate arguments, so a call to e.g. getFingerprint()
could be tricked into performing another command, producing erroneous
output or possibly yielding an information leak.

[ Tests ]

Unit tests, both build-time and autopkgtests, cover all changes.

[ Risks ]

The fix is trivial and simply prepends user-supplied gpg(1) arguments
with ‘--’ to avoid interpreting them as commands or flags/options.
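The mechanism behind the fix, as an added PHP example that is not Crypt_GPG code: it builds the pre-fix and post-fix operation strings the way the patched call sites do, then runs both through a minimal model of GNU-style option parsing. It assumes a POSIX build of PHP (single-quoting escapeshellarg()) and a key id without whitespace or quotes; the words `shellWords`, `classifyArgv` and the dash-prefixed sample value are constructed for this illustration.

```php
<?php
// Added example, not Crypt_GPG code. It models why the patch inserts '--':
// escapeshellarg() protects the shell, not gpg's own option parser, so a
// caller-supplied key id beginning with '-' is still read as an option
// unless the end-of-options marker precedes it.

function buildOperationLegacy(string $command, string $keyId): string
{
    return $command . ' ' . escapeshellarg($keyId);    // Crypt_GPG < 1.6.7
}

function buildOperationFixed(string $command, string $keyId): string
{
    return $command . ' -- ' . escapeshellarg($keyId); // 1.6.7 / this patch
}
// Split the command string into words as the shell would for escapeshellarg()
// output (assumes POSIX single quoting and a key id without whitespace or
// quotes, which holds for the key ids and fingerprints these call sites take).
function shellWords(string $cmd): array
{
    return array_map(fn ($w) => trim($w, "'"), preg_split('/\s+/', trim($cmd)));
}
// Minimal model of GNU-style argv handling: a word starting with '-' is an
// option until a bare '--' is seen; after that every word is an operand.
function classifyArgv(array $argv): array
{
    $options = $operands = [];
    $endOfOptions = false;
    foreach ($argv as $word) {
        if ($endOfOptions) {
            $operands[] = $word;
        } elseif ($word === '--') {
            $endOfOptions = true;
        } elseif ($word !== '' && $word[0] === '-') {
            $options[] = $word;
        } else {
            $operands[] = $word;
        }
    }
    return ['options' => $options, 'operands' => $operands];
}
// Constructed untrusted input: a "key id" that is really a dash-prefixed word.
$hostile = '--constructed-not-a-key-id';
$legacy  = classifyArgv(shellWords(buildOperationLegacy('--list-keys', $hostile)));
$fixed   = classifyArgv(shellWords(buildOperationFixed('--list-keys', $hostile)));
// Legacy: the value lands among the options; fixed: it can only be an operand.
if ($legacy['options'] !== ['--list-keys', $hostile] || $fixed['operands'] !== [$hostile]) {
    throw new RuntimeException('argv model does not match the expected behaviour');
}
```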

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable (php-crypt-gpg/1.6.4-2)
  [x] the issue is verified as fixed in unstable

[ Changes ]

d/p/Insert-the-end-of-options-marker-before-operation-argumen.patch is
merely the upstream fix
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04

d/gbp.conf, d/salsa-ci.yml are also adjusted to target Bullseye.

-- 
Guilhem.
diffstat for php-crypt-gpg-1.6.4 php-crypt-gpg-1.6.4

 changelog                                                               |    9 +
 gbp.conf                                                                |    2 
 patches/Insert-the-end-of-options-marker-before-operation-argumen.patch |   74 ++++++++++
 patches/series                                                          |    1 
 salsa-ci.yml                                                            |    1 
 5 files changed, 86 insertions(+), 1 deletion(-)

diff -Nru php-crypt-gpg-1.6.4/debian/changelog php-crypt-gpg-1.6.4/debian/changelog
--- php-crypt-gpg-1.6.4/debian/changelog	2021-01-07 16:05:51.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/changelog	2022-02-18 22:17:29.000000000 +0100
@@ -1,3 +1,12 @@
+php-crypt-gpg (1.6.4-2+deb11u1) bullseye; urgency=high
+
+  * Backport fix for CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent
+    additional options in GPG calls, which presents a risk for certain
+    environments and GPG versions. (Closes: #1005921)
+  * d/gbp.conf, d/salsa-ci.yml: Target Bullseye release.
+
+ -- Guilhem Moulin <guilhem@debian.org>  Fri, 18 Feb 2022 22:17:29 +0100
+
 php-crypt-gpg (1.6.4-2) unstable; urgency=medium
 
   * Require phpunit ≥8 in Build-Depends.
diff -Nru php-crypt-gpg-1.6.4/debian/gbp.conf php-crypt-gpg-1.6.4/debian/gbp.conf
--- php-crypt-gpg-1.6.4/debian/gbp.conf	2021-01-07 16:05:51.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/gbp.conf	2022-02-18 22:17:29.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 pristine-tar = True
 
 [import-orig]
diff -Nru php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch
--- php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch	1970-01-01 01:00:00.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/patches/Insert-the-end-of-options-marker-before-operation-argumen.patch	2022-02-18 22:17:29.000000000 +0100
@@ -0,0 +1,74 @@
+From: Thomas Chauchefoin <thomas.chauchefoin@sonarsource.com>
+Date: Thu, 10 Feb 2022 08:50:44 +0100
+Subject: Insert the end-of-options marker before operation arguments.
+
+This marker stops the parsing of additional options during external
+calls to GPG. This behavior is unintended but its security impact is
+dependent on the environment and the GPG version in use.
+---
+ Crypt_GPG-1.6.4/Crypt/GPG.php         | 8 ++++----
+ Crypt_GPG-1.6.4/Crypt/GPGAbstract.php | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/Crypt_GPG-1.6.4/Crypt/GPG.php b/Crypt_GPG-1.6.4/Crypt/GPG.php
+index 87d2c8e..4c70833 100644
+--- a/Crypt_GPG-1.6.4/Crypt/GPG.php
++++ b/Crypt_GPG-1.6.4/Crypt/GPG.php
+@@ -457,7 +457,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+             );
+         }
+ 
+-        $operation = '--delete-key ' . escapeshellarg($fingerprint);
++        $operation = '--delete-key -- ' . escapeshellarg($fingerprint);
+         $arguments = array(
+             '--batch',
+             '--yes'
+@@ -507,7 +507,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+             );
+         }
+ 
+-        $operation = '--delete-secret-key ' . escapeshellarg($fingerprint);
++        $operation = '--delete-secret-key -- ' . escapeshellarg($fingerprint);
+         $arguments = array(
+             '--batch',
+             '--yes'
+@@ -585,7 +585,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+     public function getFingerprint($keyId, $format = self::FORMAT_NONE)
+     {
+         $output    = '';
+-        $operation = '--list-keys ' . escapeshellarg($keyId);
++        $operation = '--list-keys -- ' . escapeshellarg($keyId);
+         $arguments = array(
+             '--with-colons',
+             '--with-fingerprint'
+@@ -1584,7 +1584,7 @@ class Crypt_GPG extends Crypt_GPGAbstract
+ 
+         $keyData   = '';
+         $operation = $private ? '--export-secret-keys' : '--export';
+-        $operation .= ' ' . escapeshellarg($fingerprint);
++        $operation .= ' -- ' . escapeshellarg($fingerprint);
+         $arguments = $armor ? array('--armor') : array();
+ 
+         $this->engine->reset();
+diff --git a/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php b/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
+index 3dafe12..2c6b4b6 100644
+--- a/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
++++ b/Crypt_GPG-1.6.4/Crypt/GPGAbstract.php
+@@ -360,7 +360,7 @@ abstract class Crypt_GPGAbstract
+         if ($keyId == '') {
+             $operation = '--list-secret-keys';
+         } else {
+-            $operation = '--utf8-strings --list-secret-keys ' . escapeshellarg($keyId);
++            $operation = '--utf8-strings --list-secret-keys -- ' . escapeshellarg($keyId);
+         }
+ 
+         // According to The file 'doc/DETAILS' in the GnuPG distribution, using
+@@ -392,7 +392,7 @@ abstract class Crypt_GPGAbstract
+         if ($keyId == '') {
+             $operation = '--list-public-keys';
+         } else {
+-            $operation = '--utf8-strings --list-public-keys ' . escapeshellarg($keyId);
++            $operation = '--utf8-strings --list-public-keys -- ' . escapeshellarg($keyId);
+         }
+ 
+         $output = '';
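Review bot: the backported patch touches only Crypt/GPG.php and Crypt/GPGAbstract.php (its own diffstat shows 2 files, 6 insertions, 6 deletions) and carries no regression test for a key id or fingerprint that begins with '-', so the [Tests] claim that unit tests cover all changes rests on the existing suite; a test that passes such a value to getFingerprint() and asserts it is handled as a key specifier, not an option, would guard against the marker being dropped in a future merge. The placement is right at every site, including the GPGAbstract.php hunks where `--utf8-strings --list-secret-keys -- ` keeps the library's own options ahead of the marker and only the caller's `$keyId` after it; the `$keyId == ''` branches need no marker because nothing caller-supplied follows. Keeping escapeshellarg() alongside `--` is also correct: the former quotes for the shell the string is handed to, the latter stops gpg's own option parsing, and neither substitutes for the other.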
diff -Nru php-crypt-gpg-1.6.4/debian/patches/series php-crypt-gpg-1.6.4/debian/patches/series
--- php-crypt-gpg-1.6.4/debian/patches/series	2021-01-07 16:05:51.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/patches/series	2022-02-18 22:17:29.000000000 +0100
@@ -2,3 +2,4 @@
 Fix-FTBFS-with-phpunit-8.5.13-1.patch
 Fix-FTBFS-with-phpunit-9.5.0-1.patch
 Preemptively-fix-FTBFS-with-phpunit-10.patch
+Insert-the-end-of-options-marker-before-operation-argumen.patch
diff -Nru php-crypt-gpg-1.6.4/debian/salsa-ci.yml php-crypt-gpg-1.6.4/debian/salsa-ci.yml
--- php-crypt-gpg-1.6.4/debian/salsa-ci.yml	2021-01-07 16:05:51.000000000 +0100
+++ php-crypt-gpg-1.6.4/debian/salsa-ci.yml	2022-02-18 22:17:29.000000000 +0100
@@ -4,6 +4,7 @@
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
+  RELEASE: 'bullseye'
   # dh_auto_test yields weird errors I cannot reproduce locally in a
   # clean chroot, so build under nocheck profile for now
   DEB_BUILD_OPTIONS: nocheck
