GHSA-9rmp-2568-59rv

Suggest an improvement
Source
https://github.com/advisories/GHSA-9rmp-2568-59rv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-9rmp-2568-59rv/GHSA-9rmp-2568-59rv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9rmp-2568-59rv
Aliases
  • CVE-2024-53856
Published
2024-12-05T17:30:52Z
Modified
2024-12-05T19:05:47Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
rPGP Panics on Malformed Untrusted Input
Details

During a security audit, Radically Open Security discovered several reachable edge cases which allow an attacker to trigger rpgp crashes by providing crafted data.

Impact

When processing malformed input, rpgp can run into Rust panics which halt the program.

This can happen in the following scenarios: * Parsing OpenPGP messages from binary or armor format * Decrypting OpenPGP messages via decrypt_with_password() * Parsing or converting public keys * Parsing signed cleartext messages from armor format * Using malformed private keys to sign or encrypt

Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the rpgp library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.

The result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.

Versions and Patches

All recent versions are affected by at least some of the above mentioned issues.

The vulnerabilities have been fixed with version 0.14.1. We recommend all users to upgrade to this version.

References

The security audit was made possible by the NLnet Foundation NGI Zero Core grant program for rpgp.

Database specific 
{
    "nvd_published_at": "2024-12-05T16:15:26Z",
    "cwe_ids": [
        "CWE-130",
        "CWE-248",
        "CWE-617"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-05T17:30:52Z"
}
References

Affected packages

crates.io / pgp

Package

Name
pgp
View open source insights on deps.dev
Purl
pkg:cargo/pgp

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.14.1