From e58718ac848c53b7965d9ab8cc94eaf60378d590 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Kj=C3=A4ll?=
Date: Wed, 24 Dec 2025 10:18:53 +0100
Subject: [PATCH] pgp: Add information about CVE-2024-53856
---
 crates/pgp/RUSTSEC-0000-0000.md | 55 +++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 crates/pgp/RUSTSEC-0000-0000.md
diff --git a/crates/pgp/RUSTSEC-0000-0000.md b/crates/pgp/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..cccd0583c
--- /dev/null
+++ b/crates/pgp/RUSTSEC-0000-0000.md
@@ -0,0 +1,55 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "pgp"
+date = "2024-12-05"
+url = "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv"
+references = ["https://github.com/radicallyopensecurity/ros-website/blob/8169b16fc138a0b0dde14dd0e222d1279701b4d3/ros-public-reports/ROS%20-%20NLNet%20-%20rPGP%20-%202024.pdf"]
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+aliases = ["CVE-2024-53856","GHSA-9rmp-2568-59rv"]
+license = "CC-BY-4.0"
+
+[versions]
+patched = [">= 0.14.1"]
+```
+
+# Panics on Malformed Untrusted Input
+
+During a security audit, Radically Open Security discovered
+several reachable edge cases which allow an attacker to
+trigger rpgp crashes by providing crafted data.
+
+## Impact
+
+When processing malformed input, rpgp can run into Rust panics which halt
+the program.
+
+This can happen in the following scenarios:
+
+ * Parsing OpenPGP messages from binary or armor format
+ * Decrypting OpenPGP messages via decrypt_with_password()
+ * Parsing or converting public keys
+ * Parsing signed cleartext messages from armor format
+ * Using malformed private keys to sign or encrypt
+
+Given the affected components, we consider most attack vectors to be
+reachable by remote attackers during typical use cases of the rpgp
+library. The attack complexity is low since the malformed messages
+are generic, short, and require no victim-specific knowledge.
+
+The result is a denial-of-service impact via program termination.
+There is no impact to confidentiality or integrity security properties.
+
+## Versions and Patches
+
+All recent versions are affected by at least some of the above mentioned
+issues.
+
+The vulnerabilities have been fixed with version 0.14.1. We recommend
+all users to upgrade to this version.
+
+## References
+
+The security audit was made possible by the NLnet Foundation
+NGI Zero Core grant program for rpgp.