Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05MzQ0LXA4NDctcW01Y84AA9Xy

Low severity (DoS) vulnerability in sequoia-openpgp

There is a denial-of-service vulnerability in sequoia-openpgp, our
crate providing a low-level interface to our OpenPGP implementation.
When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all
software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when
encountering unsupported cert (primary key) versions, resulting in an
infinite loop.

The fix introduces a new raw-cert-specific
cert::raw::Error::UnuspportedCert.

Affected software

Permalink: https://github.com/advisories/GHSA-9344-p847-qm5c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05MzQ0LXA4NDctcW01Y84AA9Xy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 21 days ago
Updated: 21 days ago


Identifiers: GHSA-9344-p847-qm5c
References: Repository: https://gitlab.com/sequoia-pgp/sequoia
Blast Radius: 0.0

Affected Packages

cargo:sequoia-openpgp
Dependent packages: 63
Dependent repositories: 79
Downloads: 353,710 total
Affected Version Ranges: >= 1.13.0, < 1.21.0
Fixed in: 1.21.0
All affected versions: 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.17.0, 1.18.0, 1.19.0, 1.20.0
All unaffected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 1.0.0, 1.1.0, 1.1.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.21.0, 1.21.1, 1.21.2