You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is a denial-of-service vulnerability in sequoia-openpgp, our
crate providing a low-level interface to our OpenPGP implementation.
When triggered, the process will enter an infinite loop.
Many thanks to Andrew Gallagher for disclosing the issue to us.
Impact
Any software directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all
software using the sequoia_cert_store crate.
Details
The RawCertParser does not advance the input stream when
encountering unsupported cert (primary key) versions, resulting in an
infinite loop.
The fix introduces a new raw-cert-specific cert::raw::Error::UnuspportedCert.
Affected software
sequoia-openpgp 1.13.0
sequoia-openpgp 1.14.0
sequoia-openpgp 1.15.0
sequoia-openpgp 1.16.0
sequoia-openpgp 1.17.0
sequoia-openpgp 1.18.0
sequoia-openpgp 1.19.0
sequoia-openpgp 1.20.0
Any software built against a vulnerable version of sequoia-openpgp
which is directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes
all software using the sequoia_cert_store crate.
sequoia-openpgp
1.20.0
>=1.21.0
<1.13.0
There is a denial-of-service vulnerability in sequoia-openpgp, our
crate providing a low-level interface to our OpenPGP implementation.
When triggered, the process will enter an infinite loop.
Many thanks to Andrew Gallagher for disclosing the issue to us.
Impact
Any software directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser
. Notably, this includes allsoftware using the
sequoia_cert_store
crate.Details
The
RawCertParser
does not advance the input stream whenencountering unsupported cert (primary key) versions, resulting in an
infinite loop.
The fix introduces a new raw-cert-specific
cert::raw::Error::UnuspportedCert
.Affected software
which is directly or indirectly using the interface
sequoia_
openpgp::cert::raw::RawCertParser
. Notably, this includesall software using the
sequoia_cert_store
crate.See advisory page for additional details.
The text was updated successfully, but these errors were encountered: