CVE-2024-58261: 
Rust vulnerability analysis and mitigation

The sequoia-openpgp crate versions 1.13.0 through 1.21.0 for Rust contains a vulnerability that allows an infinite loop of "Reading a cert: Invalid operation: Not a Key packet" messages when RawCertParser operations encounter an unsupported primary key type (RUSTSEC Advisory, NVD). The vulnerability was discovered and disclosed on June 26, 2024.

The vulnerability stems from a flaw in the RawCertParser implementation where it fails to advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop. The issue has been assigned CWE-835 (Loop with Unreachable Exit Condition). The vulnerability has received varying CVSS scores: NIST assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while MITRE assigned a score of 2.9 (LOW) with vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability affects any software directly or indirectly using the sequoiaopenpgp::cert::raw::RawCertParser interface, notably including all software using the sequoiacert_store crate. When triggered, the process will enter an infinite loop, leading to a denial-of-service condition (RUSTSEC Advisory).

The vulnerability has been fixed in version 1.21.0 of sequoia-openpgp, which introduces a new raw-cert-specific cert::raw::Error::UnuspportedCert to properly handle unsupported certificate versions. Users are advised to upgrade to version 1.21.0 or later. Systems using versions prior to 1.13.0 are not affected by this vulnerability (RUSTSEC Advisory).