{"id":"RUSTSEC-2024-0345","summary":"Low severity (DoS) vulnerability in sequoia-openpgp","details":"There is a denial-of-service vulnerability in sequoia-openpgp, our\ncrate providing a low-level interface to our OpenPGP implementation.\nWhen triggered, the process will enter an infinite loop.\n\nMany thanks to Andrew Gallagher for disclosing the issue to us.\n\n## Impact\n\nAny software directly or indirectly using the interface\n`sequoia_openpgp::cert::raw::RawCertParser`.  Notably, this includes all\nsoftware using the `sequoia_cert_store` crate.\n\n## Details\n\nThe `RawCertParser` does not advance the input stream when\nencountering unsupported cert (primary key) versions, resulting in an\ninfinite loop.\n\nThe fix introduces a new raw-cert-specific\n`cert::raw::Error::UnuspportedCert`.\n\n## Affected software\n\n- sequoia-openpgp 1.13.0\n- sequoia-openpgp 1.14.0\n- sequoia-openpgp 1.15.0\n- sequoia-openpgp 1.16.0\n- sequoia-openpgp 1.17.0\n- sequoia-openpgp 1.18.0\n- sequoia-openpgp 1.19.0\n- sequoia-openpgp 1.20.0\n- Any software built against a vulnerable version of sequoia-openpgp\n  which is directly or indirectly using the interface\n  `sequoia_openpgp::cert::raw::RawCertParser`.  Notably, this includes\n  all software using the `sequoia_cert_store` crate.","aliases":["CVE-2024-58261","GHSA-9344-p847-qm5c"],"modified":"2025-10-28T06:29:08.241169Z","published":"2024-06-26T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/sequoia-openpgp"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0345.html"},{"type":"REPORT","url":"https://gitlab.com/sequoia-pgp/sequoia/-/issues/1106"}],"affected":[{"package":{"name":"sequoia-openpgp","ecosystem":"crates.io","purl":"pkg:cargo/sequoia-openpgp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.13.0"},{"fixed":"1.21.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":["sequoia_openpgp::cert::raw::RawCertParser"]}},"database_specific":{"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0345.json","informational":null,"categories":["denial-of-service"]}}],"schema_version":"1.7.3"}