RUSTSEC-2024-0447
During a security audit, Radically Open Security discovered
several reachable edge cases which allow an attacker to
trigger rpgp crashes by providing crafted data.
Impact
When processing malformed input, rpgp can run into Rust panics which halt
the program.
This can happen in the following scenarios:
- Parsing OpenPGP messages from binary or armor format
- Decrypting OpenPGP messages via decryptwithpassword()
- Parsing or converting public keys
- Parsing signed cleartext messages from armor format
- Using malformed private keys to sign or encrypt
Given the affected components, we consider most attack vectors to be
reachable by remote attackers during typical use cases of the rpgp
library. The attack complexity is low since the malformed messages
are generic, short, and require no victim-specific knowledge.
The result is a denial-of-service impact via program termination.
There is no impact to confidentiality or integrity security properties.
Versions and Patches
All recent versions are affected by at least some of the above mentioned
issues.
The vulnerabilities have been fixed with version 0.14.1. We recommend
all users to upgrade to this version.
References
The security audit was made possible by the NLnet Foundation
NGI Zero Core grant program for rpgp.
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://crates.io/crates/pgp, https://rustsec.org/advisories/RUSTSEC-2024-0447.html, https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv, https://github.com/radicallyopensecurity/ros-website/blob/8169b16fc138a0b0dde14dd0e222d1279701b4d3/ros-public-reports/ROS%20-%20NLNet%20-%20rPGP%20-%202024.pdf
Basic Information
