According to the posting in oss-security:

An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.
Upstream has released version 1.7.2, which presumably addresses this flaw (although I have not checked). Please make it available in Gentoo.
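As an added illustration of the bug class the advisory describes (this is not pass's own code and does not reproduce its actual regular expression), the Python below contrasts a loose substring match over gpg's --status-fd output with a field-wise check of the VALIDSIG record. The fingerprints and status lines are constructed placeholders.

```python
import re

# Constructed placeholder fingerprints; not real keys.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def loose_check(status_output, trusted):
    """Illustrative weak check (assumed, not pass's real regex): accept if a
    trusted fingerprint appears anywhere in gpg's status output."""
    return any(fpr in status_output for fpr in trusted)


def strict_check(status_output, trusted):
    """Accept only a VALIDSIG record whose fingerprint fields are read
    positionally. gpg emits:
      VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
               <hash-algo> <sig-class> <primary-key-fpr>
    so trust is compared against the primary key fingerprint (last field),
    which also covers signatures made by a subkey of a trusted key."""
    for line in status_output.splitlines():
        fields = line.split(" ")
        if len(fields) != 12 or fields[0] != "[GNUPG:]" or fields[1] != "VALIDSIG":
            continue
        sig_fpr, primary_fpr = fields[2], fields[11]
        if FPR_RE.match(sig_fpr) and FPR_RE.match(primary_fpr) and primary_fpr in trusted:
            return True
    return False


# Constructed status output for a file signed by the trusted key.
GENUINE = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Trusted User <trusted@example.org>",
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2018-06-12 1528761600 0 4 0 1 8 00 {TRUSTED_FPR}",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
])

# Constructed status output for a file validly signed by some other key whose
# user ID string was chosen to contain the trusted fingerprint as plain text.
SPOOFED = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG 76543210FEDCBA98 {TRUSTED_FPR} <other@example.net>",
    f"[GNUPG:] VALIDSIG {OTHER_FPR} 2018-06-12 1528761600 0 4 0 1 8 00 {OTHER_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])

if __name__ == "__main__":
    trusted = {TRUSTED_FPR}
    print("loose :", loose_check(GENUINE, trusted), loose_check(SPOOFED, trusted))
    print("strict:", strict_check(GENUINE, trusted), strict_check(SPOOFED, trusted))
```

The loose check accepts both inputs, while the field-wise check accepts only the genuinely trusted signature.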
Taken care of in 1.7.2 which already hit the tree and is stable keyworded.
Yes, it should be fixed in 1.7.2; here is the upstream announcement.
Thanks for reporting!