Hi,

is there a reason the updated packages aren't in debian-security yet?

On Debian 13, apt usually uses sqv for package verification so it's less
exposed there but on Debian 12 this might be reachable when verifying
the signature of a repo.

When apt calls gpgv to verify an InRelease file the de-armor code is
certainly involved, but I haven't stared at the code long enough yet to
come up with a PoC like the one for `gpg --dearmor poc` from the
original report [1].

Simon

[1]: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=4ecc5122f20e10c17172ed72f4fa46c784b5fb48
