RUSTSEC-2024-0345
- Source
- https://rustsec.org/advisories/RUSTSEC-2024-0345
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0345.json
- JSON Data
- https://api.osv.dev/v1/vulns/RUSTSEC-2024-0345
- Published
- 2024-06-26T12:00:00Z
- Modified
- 2024-06-27T12:08:11Z
- Summary
- Low severity (DoS) vulnerability in sequoia-openpgp
- Details
-
There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop.
Many thanks to Andrew Gallagher for disclosing the issue to us.
Impact
Any software directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using thesequoia_cert_storecrate.Details
The
RawCertParserdoes not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop.The fix introduces a new raw-cert-specific
cert::raw::Error::UnuspportedCert.Affected software
- sequoia-openpgp 1.13.0
- sequoia-openpgp 1.14.0
- sequoia-openpgp 1.15.0
- sequoia-openpgp 1.16.0
- sequoia-openpgp 1.17.0
- sequoia-openpgp 1.18.0
- sequoia-openpgp 1.19.0
- sequoia-openpgp 1.20.0
- Any software built against a vulnerable version of sequoia-openpgp
which is directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using thesequoia_cert_storecrate.
- Database specific
{ "license": "CC0-1.0" }- References
Affected packages
crates.io / sequoia-openpgp
Package
- Name
- sequoia-openpgp
- View open source insights on deps.dev
- Purl
- pkg:cargo/sequoia-openpgp