GHSA-9344-p847-qm5c: Low severity (DoS) vulnerability in sequoia-openpgp
There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop.
Many thanks to Andrew Gallagher for disclosing the issue to us.
Impact
Any software directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.
Details
The RawCertParser does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop.
The fix introduces a new raw-cert-specific error, cert::raw::Error::UnsupportedCert.
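The defect and its fix, modelled in an added example that is not sequoia-openpgp's code: a toy record stream with a constructed layout, a parser that reports an unsupported version without advancing (the behaviour the advisory describes), the corrected parser that consumes the record before reporting, and a draining loop with a no-progress guard. The record layout, SUPPORTED_VERSION and the function names are assumptions made for the illustration.

```rust
// Simplified model of a raw-cert stream, constructed for this example; it is
// not sequoia-openpgp's code. Record layout: [version u8][len u8][len bytes].
#[derive(Debug, PartialEq)]
pub enum Error { UnsupportedCert(u8), Truncated }
#[derive(Debug, PartialEq)]
pub struct Cert { pub version: u8, pub body: Vec<u8> }
const SUPPORTED_VERSION: u8 = 4; // only v4 certs are "supported" in this model
type Next = fn(&[u8], &mut usize) -> Option<Result<Cert, Error>>;

/// Defective behaviour: an unsupported version is reported, but `pos` is left
/// untouched, so a caller that skips errors re-reads the same record forever.
pub fn buggy_next(input: &[u8], pos: &mut usize) -> Option<Result<Cert, Error>> {
    let (ver, len) = (*input.get(*pos)?, *input.get(*pos + 1)? as usize);
    if ver != SUPPORTED_VERSION {
        return Some(Err(Error::UnsupportedCert(ver))); // bug: no advance
    }
    let body = input.get(*pos + 2..*pos + 2 + len)?.to_vec();
    *pos += 2 + len;
    Some(Ok(Cert { version: ver, body }))
}

/// Corrected behaviour: the record is consumed before any error is reported,
/// so every call makes progress whatever the outcome.
pub fn fixed_next(input: &[u8], pos: &mut usize) -> Option<Result<Cert, Error>> {
    let start = *pos;
    let (ver, len) = (*input.get(start)?, *input.get(start + 1)? as usize);
    let body = input.get(start + 2..start + 2 + len).map(<[u8]>::to_vec);
    // Advance first: past the whole record, or past a truncated tail.
    *pos = if body.is_some() { start + 2 + len } else { input.len() };
    Some(match body {
        None => Err(Error::Truncated),
        Some(_) if ver != SUPPORTED_VERSION => Err(Error::UnsupportedCert(ver)),
        Some(body) => Ok(Cert { version: ver, body }),
    })
}

/// Drains a stream, collecting certs and per-record errors. The no-progress
/// guard turns a parser that fails to advance into an error instead of a hang.
pub fn drain(next: Next, input: &[u8]) -> Result<Vec<Result<Cert, Error>>, &'static str> {
    let (mut pos, mut out) = (0usize, Vec::new());
    loop {
        let before = pos;
        match next(input, &mut pos) {
            None => return Ok(out),
            Some(_) if pos == before => return Err("parser made no progress"),
            Some(item) => out.push(item),
        }
    }
}
```

With the same input, drain(fixed_next, ..) returns one result per record and terminates, while drain(buggy_next, ..) stops at the guard on the first unsupported record; without that guard a skip-on-error loop over buggy_next never ends.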
Affected software
- sequoia-openpgp 1.13.0
- sequoia-openpgp 1.14.0
- sequoia-openpgp 1.15.0
- sequoia-openpgp 1.16.0
- sequoia-openpgp 1.17.0
- sequoia-openpgp 1.18.0
- sequoia-openpgp 1.19.0
- sequoia-openpgp 1.20.0
- Any software built against a vulnerable version of sequoia-openpgp which is directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.
Low severity GitHub Reviewed Published Jun 26, 2024 to the GitHub Advisory Database • Updated Jun 26, 2024
Package
cargo sequoia-openpgp (Rust)
Affected versions
>= 1.13.0, < 1.21.0
References
- https://gitlab.com/sequoia-pgp/sequoia/-/issues/1106
- https://rustsec.org/advisories/RUSTSEC-2024-0345.html