RUSTSEC-2024-0345

See a problem?
Source
https://rustsec.org/advisories/RUSTSEC-2024-0345
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0345.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2024-0345
Published
2024-06-26T12:00:00Z
Modified
2024-06-27T12:08:11Z
Summary
Low severity (DoS) vulnerability in sequoia-openpgp
Details

There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop.

The fix introduces a new raw-cert-specific cert::raw::Error::UnuspportedCert.

Affected software

  • sequoia-openpgp 1.13.0
  • sequoia-openpgp 1.14.0
  • sequoia-openpgp 1.15.0
  • sequoia-openpgp 1.16.0
  • sequoia-openpgp 1.17.0
  • sequoia-openpgp 1.18.0
  • sequoia-openpgp 1.19.0
  • sequoia-openpgp 1.20.0
  • Any software built against a vulnerable version of sequoia-openpgp which is directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.
References

Affected packages

crates.io / sequoia-openpgp

Package

Name
sequoia-openpgp
View open source insights on deps.dev
Purl
pkg:cargo/sequoia-openpgp

Affected ranges

Type
SEMVER
Events
Introduced
1.13.0
Fixed
1.21.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "sequoia_openpgp::cert::raw::RawCertParser"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}