Skip to content

Low severity (DoS) vulnerability in sequoia-openpgp

Low severity GitHub Reviewed Published Jun 26, 2024 to the GitHub Advisory Database • Updated Jun 26, 2024

Package

cargo sequoia-openpgp (Rust)

Affected versions

>= 1.13.0, < 1.21.0

Patched versions

1.21.0

Description

There is a denial-of-service vulnerability in sequoia-openpgp, our
crate providing a low-level interface to our OpenPGP implementation.
When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all
software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when
encountering unsupported cert (primary key) versions, resulting in an
infinite loop.

The fix introduces a new raw-cert-specific
cert::raw::Error::UnuspportedCert.

Affected software

  • sequoia-openpgp 1.13.0
  • sequoia-openpgp 1.14.0
  • sequoia-openpgp 1.15.0
  • sequoia-openpgp 1.16.0
  • sequoia-openpgp 1.17.0
  • sequoia-openpgp 1.18.0
  • sequoia-openpgp 1.19.0
  • sequoia-openpgp 1.20.0
  • Any software built against a vulnerable version of sequoia-openpgp
    which is directly or indirectly using the interface
    sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes
    all software using the sequoia_cert_store crate.

References

Published to the GitHub Advisory Database Jun 26, 2024
Reviewed Jun 26, 2024
Last updated Jun 26, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-9344-p847-qm5c
This advisory has been edited. See History.
See something to contribute? Suggest improvements for this vulnerability.