CVE-2024-53857

Publication date 5 December 2024

Last updated 11 December 2024

Ubuntu priority

rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows attackers to trigger resource exhaustion vulnerabilities in rpgp by providing crafted messages. This affects general message parsing and decryption with symmetric keys.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rust-pgp	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

How can I get the fixes?
What do statuses mean?

Notes

rodrigo-zaiden

rust-pgp is coming for Plucky (as of 2024-12-06 it is on proposed), for now it is marked as DNE, but shouldn't retire it yet. it will probably move to not-affected as the version in proposed is 0.14.2-2

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-53857
https://github.com/rpgp/rpgp/security/advisories/GHSA-4grw-m28r-q285