Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05cm1wLTI1NjgtNTlyds4ABCFP

rPGP Panics on Malformed Untrusted Input

During a security audit, Radically Open Security discovered several reachable edge cases which allow an attacker to trigger rpgp crashes by providing crafted data.

Impact

When processing malformed input, rpgp can run into Rust panics which halt the program.

This can happen in the following scenarios:

Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the rpgp library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.

The result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.

Versions and Patches

All recent versions are affected by at least some of the above mentioned issues.

The vulnerabilities have been fixed with version 0.14.1. We recommend all users to upgrade to this version.

References

The security audit was made possible by the NLnet Foundation NGI Zero Core grant program for rpgp.

Permalink: https://github.com/advisories/GHSA-9rmp-2568-59rv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cm1wLTI1NjgtNTlyds4ABCFP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 13 days ago
Updated: 12 days ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Percentage: 0.00043
EPSS Percentile: 0.10595

Identifiers: GHSA-9rmp-2568-59rv, CVE-2024-53856
References: Repository: https://github.com/rpgp/rpgp
Blast Radius: 17.7

Affected Packages

cargo:pgp
Dependent packages: 27
Dependent repositories: 228
Downloads: 1,089,854 total
Affected Version Ranges: < 0.14.1
Fixed in: 0.14.1
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.13.0, 0.13.1, 0.13.2, 0.14.0
All unaffected versions: 0.14.1, 0.14.2