CVE-2023-29479: 
NixOS vulnerability analysis and mitigation

Ribose RNP before version 0.16.3 contains a vulnerability where malformed input can cause the application to hang. The vulnerability was discovered by the Ribose RNP Team using Google's oss-fuzz tool and was disclosed on April 11, 2023. This issue affects RNP versions from 0.16.1 through 0.16.2, and notably impacts Thunderbird versions up to 102.9.1 (Mozilla Advisory, Ribose Advisory).

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 5.3 (Medium). The issue occurs when processing certain OpenPGP messages that trigger incorrect parsing of PKESK/SKESK packets. The vulnerability has an attack vector of Network (N), low attack complexity (L), requires no privileges (N), and no user interaction (UI). The scope is unchanged (U), with no impact on confidentiality (N) or integrity (N), but does affect availability (L) (NVD).

When exploited, this vulnerability causes the application to enter an unresponsive state, potentially leading to a denial of service condition. In Thunderbird specifically, the vulnerability causes the user interface to hang when processing affected OpenPGP messages (Mozilla Advisory, Ribose Advisory).

The vulnerability has been fixed in RNP version 0.16.3, which implements proper input validation and adds safeguards against malformed data. Users are advised to upgrade to RNP 0.16.3 or later to address this security issue. For Thunderbird users, the fix has been included in version 102.10 (RNP Release).