RA-2023-04-11: Security vulnerabilities fixed in RNP 0.16.3

11 Apr 2023

Metadata

ID

RA-2023-05-30

This advisory notice covers the following:

• CVE-2023-29479

• CVE-2023-29480

CVE-2023-29479

download as CVE JSON 5.0

Name

Hang when processing certain OpenPGP messages

Link

CVE-2023-29479

Problem

CWE-400 Uncontrolled Resource Consumption

Impact

CAPEC-607 Obstruction

Affected vendors

Ribose

Affected products

RNP, from versions 0.16.1 through 0.16.2

Vulnerability details

Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets causing the library to hang.

Additional details

Upgrading to RNP 0.16.3 fixes this issue.

Affected versions are used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user interface to hang.

Credits

• Ribose RNP Team (finder, reporter)

• oss-fuzz (tool)

CVE-2023-29480

download as CVE JSON 5.0

Name

Secret keys remain unlocked after usage in certain cases

Link

CVE-2023-29480

Problem

CWE-922 Insecure Storage of Sensitive Information

Impact

CAPEC-37 Retrieve Embedded Sensitive Data

Affected vendors

Ribose

Affected products

RNP, from versions 0.16.1 through 0.16.2

Vulnerability details

In certain cases, some secret keys remain unlocked after usage, due to the premature destruction of an unnamed KeyLocker before it was able to re-lock keys.

Additional details

Upgrading to RNP 0.16.3 fixes this issue.

Credits

• Falko Strenzke (@falko-strenzke) (reporter)