
RUSTSEC-2024-0345

Low severity (DoS) vulnerability in sequoia-openpgp

Reported
Issued
Package
sequoia-openpgp (crates.io)
Type
Vulnerability
Categories
Keywords
#infinite-loop
References
Patched
  • >=1.21.0
Unaffected
  • <1.13.0
Affected Functions
  • sequoia_openpgp::cert::raw::RawCertParser: >=1.13.0, <1.21.0

Description

There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process enters an infinite loop and never returns from parsing.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software that directly or indirectly uses the interface sequoia_openpgp::cert::raw::RawCertParser is affected. Notably, this includes all software using the sequoia_cert_store crate. The parser is typically fed certificate material that is not under the application's control (for example, certificates fetched from a keyserver or received from a peer), so a single certificate with an unsupported primary key version is enough to hang the process. Run `cargo tree -i sequoia-openpgp` to find out whether your build depends on an affected version, and upgrade to 1.21.0 or later.

Details

The RawCertParser does not advance the input stream when it encounters an unsupported cert (primary key) version. The next call to the parser sees the same bytes again and fails the same way, so a consumer that iterates over the parser and skips errors loops forever.

The fix introduces a new raw-cert-specific error, cert::raw::Error::UnsupportedCert, which the parser returns after moving past the offending certificate, so iteration terminates instead of spinning.
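The following is an added example, not code from sequoia-openpgp, that reproduces the failure mode described under Details and the shape of the fix in a cut-down form. It uses a constructed toy framing (one byte of version, one byte of length, then the body) rather than real OpenPGP packets, treats only version 4 as supported (an assumption for the toy), and carries the same parser in two modes: the vulnerable one returns the error without advancing the input, the fixed one skips the record before returning it. `drain` stands in for a consumer such as a certificate store that skips errors and keeps going; a cap keeps the demonstration from actually hanging.

```rust
// Added example (not sequoia's code): a toy RawCertParser over a constructed
// framing of [version: u8][len: u8][body...]. Only version 4 is "supported".

#[derive(Debug, PartialEq)]
pub enum RawError {
    // Shape inspired by the new cert::raw::Error::UnsupportedCert; the payload
    // (just the version byte) is an assumption of this toy.
    UnsupportedCert(u8),
    Truncated,
}

#[derive(Debug, PartialEq)]
pub struct RawCert {
    pub version: u8,
    pub body: Vec<u8>,
}

pub struct RawCertParser<'a> {
    data: &'a [u8],
    pos: usize,
    // false: behave like the vulnerable versions; true: behave like the fix.
    advance_on_unsupported: bool,
}

impl<'a> RawCertParser<'a> {
    pub fn vulnerable(data: &'a [u8]) -> Self {
        Self { data, pos: 0, advance_on_unsupported: false }
    }
    pub fn fixed(data: &'a [u8]) -> Self {
        Self { data, pos: 0, advance_on_unsupported: true }
    }
}

impl<'a> Iterator for RawCertParser<'a> {
    type Item = Result<RawCert, RawError>;

    fn next(&mut self) -> Option<Self::Item> {
        if self.pos >= self.data.len() {
            return None;
        }
        let hdr = &self.data[self.pos..];
        if hdr.len() < 2 {
            self.pos = self.data.len();
            return Some(Err(RawError::Truncated));
        }
        let version = hdr[0];
        let len = hdr[1] as usize;
        let end = self.pos + 2 + len;
        if end > self.data.len() {
            self.pos = self.data.len();
            return Some(Err(RawError::Truncated));
        }
        if version != 4 {
            // The bug: the vulnerable parser reports the error but leaves `pos`
            // where it was, so the next call re-parses the same record forever.
            // The fix moves past the record first.
            if self.advance_on_unsupported {
                self.pos = end;
            }
            return Some(Err(RawError::UnsupportedCert(version)));
        }
        let body = self.data[self.pos + 2..end].to_vec();
        self.pos = end;
        Some(Ok(RawCert { version, body }))
    }
}

/// Consume a parser the way a cert store does: count certs, skip errors, keep going.
/// Returns (certs_ok, errors_seen, hit_cap); hit_cap == true means the loop
/// did not terminate on its own within `cap` items.
pub fn drain(
    parser: impl Iterator<Item = Result<RawCert, RawError>>,
    cap: usize,
) -> (usize, usize, bool) {
    let (mut ok, mut errs) = (0usize, 0usize);
    for (i, item) in parser.enumerate() {
        if i >= cap {
            return (ok, errs, true);
        }
        match item {
            Ok(_) => ok += 1,
            Err(_) => errs += 1,
        }
    }
    (ok, errs, false)
}

/// Constructed sample stream: a v4 cert, a v5 cert (unsupported), another v4 cert.
pub const SAMPLE: &[u8] = &[
    4, 2, 0xAA, 0xBB, // v4, 2-byte body
    5, 1, 0xCC,       // v5, unsupported
    4, 1, 0xDD,       // v4, 1-byte body
];

fn main() {
    let (ok, errs, looped) = drain(RawCertParser::vulnerable(SAMPLE), 1000);
    println!("vulnerable: ok={ok} errors={errs} hit_cap={looped}");
    let (ok, errs, looped) = drain(RawCertParser::fixed(SAMPLE), 1000);
    println!("fixed:      ok={ok} errors={errs} hit_cap={looped}");
}
```

With the vulnerable mode the consumer parses the first cert, then receives the same UnsupportedCert error for the v5 record on every call until the cap stops it; the third cert is never reached. With the fixed mode the v5 record produces one error, the parser moves on, and both v4 certs come out. The general lesson for any streaming parser is that every error path must either consume input or signal end-of-stream; otherwise a lenient caller that skips errors turns a bad record into a hang.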

Affected software

Advisory available under CC0-1.0 license.