RUSTSEC-2024-0345: Low severity (DoS) vulnerability in sequoia-openpgp

[github-actions]

Low severity (DoS) vulnerability in sequoia-openpgp

Details
Package	sequoia-openpgp
Version	1.20.0
URL	https://gitlab.com/sequoia-pgp/sequoia/-/issues/1106
Date	2024-06-26
Patched versions	>=1.21.0
Unaffected versions	<1.13.0

There is a denial-of-service vulnerability in sequoia-openpgp, our
crate providing a low-level interface to our OpenPGP implementation.
When triggered, the process will enter an infinite loop.

Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface
sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all
software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when
encountering unsupported cert (primary key) versions, resulting in an
infinite loop.

The fix introduces a new raw-cert-specific
cert::raw::Error::UnuspportedCert.

Affected software

• sequoia-openpgp 1.13.0
• sequoia-openpgp 1.14.0
• sequoia-openpgp 1.15.0
• sequoia-openpgp 1.16.0
• sequoia-openpgp 1.17.0
• sequoia-openpgp 1.18.0
• sequoia-openpgp 1.19.0
• sequoia-openpgp 1.20.0
• Any software built against a vulnerable version of sequoia-openpgp
  which is directly or indirectly using the interface
  sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes
  all software using the sequoia_cert_store crate.

See advisory page for additional details.