RA-2023-04-11: Security vulnerabilities fixed in RNP 0.16.3

11 Apr 2023

Metadata

ID: RA-2023-05-30

This advisory notice covers the following:

CVE-2023-29479
CVE-2023-29480

CVE-2023-29479

download as CVE JSON 5.0

Name: Hang when processing certain OpenPGP messages
Link: CVE-2023-29479
Problem: CWE-400 Uncontrolled Resource Consumption
Impact: CAPEC-607 Obstruction
Affected vendors: Ribose
Affected products: RNP, from versions 0.16.1 through 0.16.2

Vulnerability details

Certain malformed OpenPGP messages could trigger incorrect parsing of PKESK/SKESK packets causing the library to hang.

Additional details

Upgrading to RNP 0.16.3 fixes this issue.

Affected versions are used by Thunderbird up to version 102.9.1, which would cause the Thunderbird user interface to hang.

Credits

Ribose RNP Team (finder, reporter)
oss-fuzz (tool)

CVE-2023-29480

download as CVE JSON 5.0

Name: Secret keys remain unlocked after usage in certain cases
Link: CVE-2023-29480
Problem: CWE-922 Insecure Storage of Sensitive Information
Impact: CAPEC-37 Retrieve Embedded Sensitive Data
Affected vendors: Ribose
Affected products: RNP, from versions 0.16.1 through 0.16.2

Vulnerability details

In certain cases, some secret keys remain unlocked after usage, due to the premature destruction of an unnamed KeyLocker before it was able to re-lock keys.

Additional details

Upgrading to RNP 0.16.3 fixes this issue.

Credits

Falko Strenzke (@falko-strenzke) (reporter)

Ribose CNA

Ribose CNA

RA-2023-04-11: Security vulnerabilities fixed in RNP 0.16.3

Metadata

CVE-2023-29479

Vulnerability details

Additional details

Credits

CVE-2023-29480

Vulnerability details

Additional details

Credits