CVE-2024-53857: 
Rust vulnerability analysis and mitigation

rPGP, a pure Rust implementation of OpenPGP, was found to contain a resource exhaustion vulnerability prior to version 0.14.1. The vulnerability allows attackers to trigger resource exhaustion by providing crafted messages, affecting general message parsing and decryption with symmetric keys (GitHub Advisory, NVD).

The vulnerability stems from two main issues: First, the software fails to set proper upper limits on the total reserved amount of memory when parsing long sequences of partial OpenPGP packets, which can grow to several GiB in size. Second, up to 4GiB of memory can be reserved for OpenPGP packets of fixed size with large length fields, even when less data is received. Additionally, the software is susceptible to excessive memory allocation with values of up to 2TiB or long processing times for decryption operations involving the Argon2 function. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

An attacker can cause out-of-memory conditions and crash the rpgp process or cause other system instability through memory resource exhaustion when parsing crafted messages. For decryption operations, attackers can provide valid Symmetric Key Encrypted Session Key packets using Argon2 with excessive parameters, causing either out-of-memory conditions or making the program unresponsive via long computations. The attacker needs to trick a victim into attempting decryption but does not require knowledge of the symmetric secret. There is no impact to confidentiality or integrity security properties (GitHub Advisory).

The vulnerabilities have been fixed in version 0.14.2. All users are recommended to upgrade to this version to address both the message parsing and Argon2-related vulnerabilities (GitHub Advisory).