Reported

May 16, 2023

Issued

May 31, 2023 (last modified: June 13, 2023)

Package

sequoia-openpgp (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#panic

Aliases

• GHSA-25mx-8f3v-8wh7

References

• https://lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.org/thread/SN2E3QRT4DMQ5JNEK6VIN6DJ5SH766DI/
• https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp%2Fv1.16.0

Patched

• >=1.1.1, <1.2.0
• >=1.8.1, <1.9.0
• >=1.16.0

Description

Affected versions of the crate have several bugs where attacker-controlled input can result in the use of an out-of-bound array index. Rust detects the use of the out-of-bound index and causes the application to panic. An attacker may be able to use this to cause a denial-of-service. However, it is not possible for an attacker to read from or write to the application's address space.

Advisory available under CC0-1.0 license.