RA-2023-04-11: Security vulnerabilities fixed in RNP 0.16.3
Metadata
CVE-2023-29479
Vulnerability details
Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets causing the library to hang.
Additional details
Upgrading to RNP 0.16.3 fixes this issue.
Affected versions are used by Thunderbird up to version 102.9.1, where this issue would cause the Thunderbird user interface to hang.
Credits
- Ribose RNP Team (finder, reporter)
- oss-fuzz (tool)
CVE-2023-29480
Vulnerability details
In certain cases, some secret keys remain unlocked after usage, due to the premature destruction of an unnamed KeyLocker before it was able to re-lock keys.
Additional details
Upgrading to RNP 0.16.3 fixes this issue.
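The class of defect described above, shown as an added example that is not RNP's own code: a scope guard created as an unnamed temporary is destroyed at the end of its own statement, so it can no longer re-lock a key that is unlocked afterwards. `SecretKey`, `KeyLocker`, `use_key_buggy`, `use_key_fixed` and `locked_after` are hypothetical stand-ins written for this illustration.

```cpp
// Added illustration: SecretKey, KeyLocker and use_key_* are hypothetical
// stand-ins (assumptions), not RNP's actual classes or functions.
#include <cstdio>

struct SecretKey {
    bool locked = true;
    void unlock() { locked = false; } // decrypted secret material now in memory
    void lock() { locked = true; }    // decrypted material discarded again
};

// RAII guard: records the lock state on entry and restores it on destruction.
class KeyLocker {
    SecretKey &key_;
    bool       was_locked_;
  public:
    explicit KeyLocker(SecretKey &key) : key_(key), was_locked_(key.locked) {}
    ~KeyLocker() { if (was_locked_ && !key_.locked) key_.lock(); }
    KeyLocker(const KeyLocker &) = delete;
    KeyLocker &operator=(const KeyLocker &) = delete;
};

// Defective pattern: the guard is an unnamed temporary, so its destructor runs
// at the end of this statement, before the key has even been unlocked.
void use_key_buggy(SecretKey &key) {
    KeyLocker{key}; // destroyed immediately; nothing left to re-lock later
    key.unlock();
    // ... sign or decrypt with the key ...
}

// Corrected pattern: a named guard lives until the end of the scope.
void use_key_fixed(SecretKey &key) {
    KeyLocker guard(key);
    key.unlock();
    // ... sign or decrypt with the key ...
} // guard's destructor re-locks the key here

// Runs one of the functions on a fresh, locked key and reports the final state.
bool locked_after(void (*use)(SecretKey &)) {
    SecretKey key;
    use(key);
    return key.locked;
}

int main() {
    std::printf("unnamed guard: key locked afterwards = %d\n", locked_after(use_key_buggy));
    std::printf("named guard:   key locked afterwards = %d\n", locked_after(use_key_fixed));
    return 0;
}
```

Static analysis can catch this pattern during review; clang-tidy's `bugprone-unused-raii` check flags temporaries that look like RAII objects.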
Credits
- Falko Strenzke (@falko-strenzke) (reporter)