Sequoia OpenPGP Raw CertParser Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Sequoia OpenPGP crate, affecting versions from 1.13.0 up to, but not including, 1.21.0. The RawCertParser enters an infinite loop when it encounters a primary key of an unsupported type. The root cause is that the parser does not advance the input stream after rejecting an unsupported certificate version, so the same key packet is re-parsed and rejected indefinitely, producing repeated error messages about an invalid key packet.
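The failure mode described above is a general parser bug: a loop that reports an error without consuming the input it failed on never makes progress. The following Rust example is added here to illustrate it and is not Sequoia's code; it uses a constructed, simplified packet layout (one version byte, one length byte, then a body) rather than the OpenPGP wire format, and the names RawParser, next_packet, drain and drain_guarded are hypothetical. The skip_unsupported flag switches between the non-advancing behaviour and the fixed behaviour, and drain_guarded shows the defensive check a caller can add on its own side.

```rust
// Added example, not Sequoia's code. Constructed packet layout (NOT OpenPGP):
//   [version: u8][body_len: u8][body ...]
// Version 4 packets count as supported; any other version is unsupported.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    UnsupportedVersion(u8),
    Truncated,
}

pub struct RawParser<'a> {
    data: &'a [u8],
    pos: usize,
    // Hypothetical switch: true = advance past an unsupported packet (fixed),
    // false = leave the cursor where it was (the bug being discussed).
    skip_unsupported: bool,
}

impl<'a> RawParser<'a> {
    pub fn new(data: &'a [u8], skip_unsupported: bool) -> Self {
        RawParser { data, pos: 0, skip_unsupported }
    }

    pub fn pos(&self) -> usize {
        self.pos
    }

    /// Parse one packet at the cursor. Ok(Some(version)) for a supported
    /// packet, Ok(None) at end of input, Err for anything else.
    pub fn next_packet(&mut self) -> Result<Option<u8>, ParseError> {
        if self.pos >= self.data.len() {
            return Ok(None);
        }
        let start = self.pos;
        let rest = &self.data[start..];
        if rest.len() < 2 {
            self.pos = self.data.len(); // consume the trailing garbage
            return Err(ParseError::Truncated);
        }
        let version = rest[0];
        let end = start + 2 + rest[1] as usize;
        if end > self.data.len() {
            self.pos = self.data.len();
            return Err(ParseError::Truncated);
        }
        if version != 4 {
            // Buggy variant: report the error but do not move `pos`, so a
            // caller that loops until the stream is exhausted spins forever.
            if self.skip_unsupported {
                self.pos = end;
            }
            return Err(ParseError::UnsupportedVersion(version));
        }
        self.pos = end;
        Ok(Some(version))
    }
}

/// Drive the parser the way a certificate store would: consume everything,
/// counting supported packets and errors. `max_iters` is a demo-only bound so
/// the buggy variant terminates; returns (supported, errors, iterations used).
pub fn drain(parser: &mut RawParser<'_>, max_iters: usize) -> (usize, usize, usize) {
    let (mut supported, mut errors, mut iters) = (0, 0, 0);
    while iters < max_iters {
        iters += 1;
        match parser.next_packet() {
            Ok(Some(_)) => supported += 1,
            Ok(None) => break,
            Err(_) => errors += 1,
        }
    }
    (supported, errors, iters)
}

/// Same loop with a caller-side progress check: if the cursor did not move
/// after a call, stop instead of spinning. Mitigates the bug even in the
/// non-advancing parser.
pub fn drain_guarded(parser: &mut RawParser<'_>) -> (usize, usize, usize) {
    let (mut supported, mut errors, mut iters) = (0, 0, 0);
    loop {
        let before = parser.pos();
        iters += 1;
        match parser.next_packet() {
            Ok(Some(_)) => supported += 1,
            Ok(None) => break,
            Err(_) => errors += 1,
        }
        if parser.pos() == before {
            break; // no progress: refuse to loop on the same packet
        }
    }
    (supported, errors, iters)
}

/// Constructed sample: a v4 packet, an unsupported v3 packet, another v4 packet.
pub fn sample_input() -> Vec<u8> {
    vec![4, 2, 0xAA, 0xBB, 3, 1, 0x00, 4, 0]
}

fn main() {
    let data = sample_input();
    println!("buggy:   {:?}", drain(&mut RawParser::new(&data, false), 100));
    println!("fixed:   {:?}", drain(&mut RawParser::new(&data, true), 100));
    println!("guarded: {:?}", drain_guarded(&mut RawParser::new(&data, false)));
}
```

With the non-advancing parser, drain only stops because of the demo bound (one supported packet, then the same error 99 times); with the advancing parser it finishes in four iterations having skipped the v3 packet. The guarded driver stops the buggy parser after the first repeated position, which is the check to add wherever a library's parse loop is driven from calling code.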
Impact
Exploitation of this vulnerability causes an infinite loop, effectively halting the process. This issue affects any software that uses the Sequoia OpenPGP crate version 1.13.0 through 1.20.0, particularly those that rely on the Sequoia Cert Store crate.
Reproduction
The vulnerability can be reproduced by using the Sequoia OpenPGP RawCertParser on a key file that contains OpenPGP version 3 keys with unsupported primary key types. This can be done by running the Sequoia debugging tool 'utf8-status' on a historical key dump that includes such keys.
Remediation
Users can upgrade to Sequoia OpenPGP version 1.21.0 or later to address this vulnerability.
