Low severity (DoS) vulnerability in sequoia-openpgp

2024-06-2619:10:15

CWE-835

GitHub Advisory Database

github.com

denial of service

vulnerability

sequoia-openpgp

low severity

infinite loop

disclosure

rawcertparser

affected software

version

AI Score

7.1

Confidence

High

JSON

There is a denial-of-service vulnerability in sequoia-openpgp, our
crate providing a low-level interface to our OpenPGP implementation.
When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all
software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when
encountering unsupported cert (primary key) versions, resulting in an
infinite loop.

The fix introduces a new raw-cert-specific
cert::raw::Error::UnuspportedCert.

Affected software

sequoia-openpgp 1.13.0
sequoia-openpgp 1.14.0
sequoia-openpgp 1.15.0
sequoia-openpgp 1.16.0
sequoia-openpgp 1.17.0
sequoia-openpgp 1.18.0
sequoia-openpgp 1.19.0
sequoia-openpgp 1.20.0
Any software built against a vulnerable version of sequoia-openpgp
which is directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes
all software using the sequoia_cert_store crate.

Affected configurations

Vulners

Node

openpgpsequoia-openpgpRange1.13.0–1.21.0

VendorProductVersionCPE
openpgpsequoia-openpgp*cpe:2.3:a:openpgp:sequoia-openpgp:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openpgp	sequoia-openpgp	*	cpe:2.3:a:openpgp:sequoia-openpgp::::::::

References

github.com/advisories/GHSA-9344-p847-qm5c

gitlab.com/sequoia-pgp/sequoia/-/issues/1106

rustsec.org/advisories/RUSTSEC-2024-0345.html

AI Score

7.1

Confidence

High

JSON