Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9344-p847-qm5c: Low severity (DoS) vulnerability in sequoia-openpgp

There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop.

The fix introduces a new raw-cert-specific cert::raw::Error::UnuspportedCert.

Affected software

  • sequoia-openpgp 1.13.0
  • sequoia-openpgp 1.14.0
  • sequoia-openpgp 1.15.0
  • sequoia-openpgp 1.16.0
  • sequoia-openpgp 1.17.0
  • sequoia-openpgp 1.18.0
  • sequoia-openpgp 1.19.0
  • sequoia-openpgp 1.20.0
  • Any software built against a vulnerable version of sequoia-openpgp which is directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.
ghsa
#vulnerability#dos#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-9344-p847-qm5c

Low severity (DoS) vulnerability in sequoia-openpgp

Low severity GitHub Reviewed Published Jun 26, 2024 to the GitHub Advisory Database • Updated Jun 26, 2024

Package

cargo sequoia-openpgp (Rust)

Affected versions

>= 1.13.0, < 1.21.0

There is a denial-of-service vulnerability in sequoia-openpgp, our
crate providing a low-level interface to our OpenPGP implementation.
When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all
software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when
encountering unsupported cert (primary key) versions, resulting in an
infinite loop.

The fix introduces a new raw-cert-specific
cert::raw::Error::UnuspportedCert.

Affected software

  • sequoia-openpgp 1.13.0
  • sequoia-openpgp 1.14.0
  • sequoia-openpgp 1.15.0
  • sequoia-openpgp 1.16.0
  • sequoia-openpgp 1.17.0
  • sequoia-openpgp 1.18.0
  • sequoia-openpgp 1.19.0
  • sequoia-openpgp 1.20.0
  • Any software built against a vulnerable version of sequoia-openpgp
    which is directly or indirectly using the interface
    sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes
    all software using the sequoia_cert_store crate.

References

  • https://gitlab.com/sequoia-pgp/sequoia/-/issues/1106
  • https://rustsec.org/advisories/RUSTSEC-2024-0345.html

Published to the GitHub Advisory Database

Jun 26, 2024

Last updated

Jun 26, 2024

ghsa: Latest News

GHSA-gppm-hq3p-h4rp: Git credentials are exposed in Atlantis logs