CVE-2024-58261
LOW2.9EPSS 0.08%Low severity (DoS) vulnerability in sequoia-openpgp
Description
There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop. Many thanks to Andrew Gallagher for disclosing the issue to us. ## Impact Any software directly or indirectly using the interface `sequoia_openpgp::cert::raw::RawCertParser`. Notably, this includes all software using the `sequoia_cert_store` crate. ## Details The `RawCertParser` does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop. The fix introduces a new raw-cert-specific `cert::raw::Error::UnuspportedCert`. ## Affected software - sequoia-openpgp 1.13.0 - sequoia-openpgp 1.14.0 - sequoia-openpgp 1.15.0 - sequoia-openpgp 1.16.0 - sequoia-openpgp 1.17.0 - sequoia-openpgp 1.18.0 - sequoia-openpgp 1.19.0 - sequoia-openpgp 1.20.0 - Any software built against a vulnerable version of sequoia-openpgp which is directly or indirectly using the interface `sequoia_openpgp::cert::raw::RawCertParser`. Notably, this includes all software using the `sequoia_cert_store` crate.
Affected packages (3)
- crates.io/sequoia-openpgp>= 1.13.0, < 1.21.0
- crates.io/sequoia-openpgp>= 1.13.0, < 1.21.0
- Debian/rust-sequoia-openpgpfrom 0, < 1.21.0-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW2.9 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-58261
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-58261
- PATCHhttps://crates.io/crates/sequoia-openpgp
- PATCHhttps://gitlab.com/sequoia-pgp/sequoia
- WEBhttps://gitlab.com/sequoia-pgp/sequoia/-/issues/1106
- WEBhttps://rustsec.org/advisories/RUSTSEC-2024-0345.html