Hi everyone,
I'm pleased to announce the release of version 0.30.1 of Sequoia sq,
our general-purpose command-line tool for Sequoia PGP.
I have published sequoia-sq on crates.io:
https://crates.io/crates/sequoia-sq
You can also fetch version 0.30.1 using the v0.30.1 tag:
https://gitlab.com/sequoia-pgp/sequoia-sq/-/tags/v0.30.1
which I signed:
$ git verify-tag v0.30.1
gpg: Signature made Wed May 31 10:58:07 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release of sq was primarily motivated by the recently fixed,
low-severity vulnerabilities in sequoia-openpgp, buffered-reader, and
sequoia-autocrypt. More information is available here:
https://lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.or…https://lists.sequoia-pgp.org/hyperkitty/list/announce@lists.sequoia-pgp.or…
All versions of sq are affected. We recommend upgrading to 0.30.1, or
ensuring that the dependencies are up to date and recompiling:
$ cd ../sequoia-sq
$ cargo update -p sequoia-openpgp
$ cargo update -p buffered-reader
$ cargo update -p sequoia-autocrypt
$ cargo build --release
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 7.3.0 of the nettle
crate.
Justus published nettle on crates.io:
https://crates.io/crates/nettle-rs
You can also fetch version 7.3.0 using the v7.3.0 tag:
https://gitlab.com/sequoia-pgp/nettle-rs/-/tags/v7.3.0
which he signed:
$ git verify-tag v7.3.0
gpg: Signature made Tue May 16 12:30:14 2023 +02:00
gpg: using RSA key 256A4E55E4A72D97AD2468E788DC7E33385F791D
gpg: Good signature from "Justus Winter <justus(a)sequoia-pgp.org>" [full]
gpg: "<teythoon(a)uber.space>"
gpg: "Justus Winter"
gpg: "Justus Winter <justus(a)gnupg.org>"
gpg: "Justus Winter <justus(a)pep.foundation>"
gpg: "Justus Winter <justuswinter(a)gmx.de>"
gpg: "Justus Winter <teythoon(a)avior.uberspace.de>"
This adds support for OCB.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 2.2.0 of the nettle-sys
crate.
Justus published nettle-sys on crates.io:
https://crates.io/crates/nettle-sys
You can also fetch version 2.2.0 using the v2.2.0 tag:
https://gitlab.com/sequoia-pgp/nettle-sys/-/tags/v2.2.0
which he signed:
$ git verify-tag v2.2.0
gpg: Signature made Tue May 16 10:47:23 2023 +02:00
gpg: using RSA key 256A4E55E4A72D97AD2468E788DC7E33385F791D
gpg: Good signature from "Justus Winter <justus(a)sequoia-pgp.org>" [full]
gpg: "<teythoon(a)uber.space>"
gpg: "Justus Winter"
gpg: "Justus Winter <justus(a)gnupg.org>"
gpg: "Justus Winter <justus(a)pep.foundation>"
gpg: "Justus Winter <justuswinter(a)gmx.de>"
gpg: "Justus Winter <teythoon(a)avior.uberspace.de>"
This adds support for OCB, which was added to Nettle version 3.9. And,
it fixes a bug when statically linking.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
sequoia-autocrypt contains a parser bug, which an attacker can exploit
to cause the library to panic.
sequoia-autocrypt incorrectly indexes a UTF-8 string using byte
indices instead of grapheme cluster indices. This subtlety is
discussed here:
https://doc.rust-lang.org/book/ch08-02-strings.html#slicing-strings
This bug can be exploited by an attacker to cause a program that uses
an affected version of sequoia-autocrypt to crash. The attacker is
not, however, able to read from or write to the process's address
space. Consequently, we have classified this issues as low severity.
The fix is:
- autocrypt: Account for multi-byte characters when parsing a string.
It was found by Alexander Kjäll (capitol) and patched by
Neal H. Walfield.
0.25.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c1894b180ef3fea4d066f1fad24…
This issue is fixed in sequoia-autocrypt 0.25.1, which I published on
crates.io:
https://crates.io/crates/sequoia-autocrypt
You can also fetch version 0.25.1 using the autocrypt/v0.25.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/autocrypt%2Fv0.25.1
which I signed:
$ git verify-tag autocrypt/v0.25.1
gpg: Signature made Mon May 22 11:15:33 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
sequoia-openpgp and buffered-reader contain several bugs, which an
attacker can exploit to cause the libraries to panic.
The bugs are all parsing errors. Attacker-controlled input can cause
different parsers to access an array using an out-of-range array
index. Because, Rust detects the use of out-of-range indices, and
panics, these bugs can be exploited by an attacker to cause a program
that uses an affected version of sequoia-openpgp or buffered-reader to
crash, but they are not able to read from or write to the process's
address space. Consequently, we have classified these issues as low
severity.
With one exception, the issues are all present in sequoia-openpgp and
buffered-reader since their initial 1.0 releases. We recommend
upgrading.
The errors are:
- buffered-reader: Fix returning partial reads ending in errors.
Found independently by Justus Winter and kpcyrd, patched by Justus
Winter.
1.2.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/f6307652fb2cbf4e0fbd3f897b1…
1.1.5: https://gitlab.com/sequoia-pgp/sequoia/-/commit/7507807dce6b87e7a1397a6414b…
1.0.2: https://gitlab.com/sequoia-pgp/sequoia/-/commit/4b02ccc1d1dcd5a105d4bb6fd32…
- openpgp: Fix crash in the packet parser.
Found independently by Paul Schaub (vanitasvitae) and Alexander
Kjäll (capitol), patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/b9badbdd2e9bd996fa6afd8187f…
1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/e6ea6cbe12598ec50a07af4bf19…
1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/17e7c8c5f5960ea05b68cbbbc27…
- openpgp: Fix a crash related to stray signatures.
Found by Justus Winter, patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/cce50ad4f3645011b5f8b473f6e…
1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c6cc5f4bfb6bfb55def8bce4ffe…
1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/789b0d0698d65b6372c563c36d7…
- openpgp: Fix a crash in the Cleartext Signature Framework.
This error was introduced in 1.11.0.
Found by Justus Winter, patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/586bde682c0525175c03f9eb847…
1.8.1: Not impacted.
1.1.1: Not impacted.
- openpgp: Fix a crash in the Cleartext Signature Framework.
Found by Justus Winter, patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c82beb9b30ec77b6edc291516bb…
1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/976695ea2be6b6772b41adb72aa…
1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/93b16c32e50b69962fef2380342…
- openpgp: Fix mapping of synthetic packets.
Found by Justus Winter, patched by Justus Winter.
1.16.0: https://gitlab.com/sequoia-pgp/sequoia/-/commit/b6388f0906315d2de7164bae36f…
1.8.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/da12da88fb9d27d11b0b347ab5a…
1.1.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/43532470f25d1df39f5ca704cd9…
The backstory of these issues is that the first issue was found by
Paul Schaub (vanitasvitae). Independently, Justus Winter, Alexander
Kjäll (capitol), and kpcyrd fuzzed the sequoia-openpgp library, and
discovered additional issues.
The sequoia-openpgp related issues are fixed in sequoia-openpgp
1.16.0, which I published on crates.io:
https://crates.io/crates/sequoia-openpgp
You can also fetch version 1.16.0 using the openpgp/v1.16.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.16.0
which I signed:
$ git verify-tag openpgp/v1.16.0
gpg: Signature made Tue May 16 12:46:41 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
I've backported these fixes to 1.1.0, which is the version that is
shipped by Debian stable, and released it as version 1.1.1.
I've published version 1.1.1 on crates.io, and you can fetch it using
the openpgp/v1.1.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.1.1
which I signed:
$ git verify-tag openpgp/v1.1.1
gpg: Signature made Tue May 16 15:08:46 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
I also backported these fixes to 1.8.0, which is the version that is
in Debian Testing, and will go into the next version of Debian Stable.
I released it as version 1.8.1
I've published version 1.8.1 on crates.io, and you can fetch it using
the openpgp/v1.8.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.8.1
which I signed:
$ git verify-tag openpgp/v1.8.1
gpg: Signature made Wed May 17 10:19:35 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
The buffered-reader related issue is fixed in buffered-reader 1.2.0,
which I published on crates.io:
https://crates.io/crates/buffered-reader
You can also fetch version 1.2.0 using the buffered-reader/v1.2.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.2.0
which I signed:
$ git verify-tag buffered-reader/v1.2.0
gpg: Signature made Wed May 17 13:34:13 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
I also backported these fixes to 1.0.1, which is the version that is
in Debian Stable. I released it as version 1.0.2.
I've published version 1.0.2 on crates.io, and you can fetch it using
the buffered-reader/v1.0.2 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.0.2
which I signed:
$ git verify-tag buffered-reader/v1.0.2
gpg: Signature made Fri May 19 15:33:25 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
I also backported these fixes to 1.1.4, which is the version that is
in Debian Testing, and will go into the next version of Debian Stable.
I released it as version 1.1.5.
I've published version 1.1.5 on crates.io, and you can fetch it using
the buffered-reader/v1.1.5 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/buffered-reader/v1.1.5
which I signed:
$ git verify-tag buffered-reader/v1.1.5
gpg: Signature made Fri May 19 14:26:17 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.30.0 of Sequoia sq,
our general-purpose command-line tool for Sequoia PGP.
I have published sequoia-sq on crates.io:
https://crates.io/crates/sequoia-sq
You can also fetch version 0.30.0 using the v0.30.0 tag:
https://gitlab.com/sequoia-pgp/sequoia-sq/-/tags/v0.30.0
which I signed:
$ git verify-tag v0.30.0
gpg: Signature made Mon May 08 11:44:09 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
This release of sq was primarily motivated by an issue with `cargo
install sequoia-sq`. An indirect dependency released a new version of
their crate with a semver incompatible change, but didn't adjust the
version correctly. This release updates `sq`'s dependencies, which
fixes this issue. Details are here:
https://gitlab.com/sequoia-pgp/sequoia-sq/-/issues/2
`sq` now includes support for using pEp's certificate store. A pEp
certificate store can be used by specifying `sq --pep-cert-store PATH`
or setting the environment variable `PEP_CERT_STORE`.
https://gitea.pep.foundation/pEp.foundation/pEpEngine
This release also adds two improvements to `sq key adopt`. `sq key
adopt` now honors `--time`, and the new `--expire` flag can be used to
set the key's expiration time.
Neal on behalf of the whole Sequoia PGP team
Hi everyone,
I'm pleased to announce the release of version 0.2.7 of
sha1collisiondetection, our low-level library that implements SHA-1,
which also detects and foils known SHA-1 collision attacks.
I have published sha1collisiondetection on crates.io:
https://crates.io/crates/sha1collisiondetection
You can also fetch version 0.2.7 using the v0.2.7 tag:
https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/tags/v0.2.7
which I signed:
$ git verify-tag v0.2.7
gpg: Signature made Fri May 5 11:15:31 2023 CEST
gpg: using EDDSA key
E7E2B84A36457BEA3F43692DE68BE3B312FA33FC
gpg: issuer "wiktor(a)metacode.biz"
gpg: Good signature from "Wiktor Kwapisiewicz <wiktor(a)metacode.biz>"
There is one significant change in this release: we fixed the code that
incorrectly assumed that unaligned memory accesses are okay on x86 and
x86_64 [0]. The nightly version of the Rust compiler started checking
for this kind of issue recently [1][2] and because of that any code that
transitively depended on sha1collisiondetection (e.g. crates using
sequoia-openpgp) panicked when running tests.
The underlying issue [3] was reported to us by Sosthene from Nitrokey as
well as Kushal Das. Thank you!
Wiktor on behalf of the whole Sequoia PGP team
[0]:
https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/merge_requests/13
[1]:
https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/merge_requests/13
[2]: https://github.com/rust-lang/rust/pull/98112
[3]: https://gitlab.com/sequoia-pgp/sha1collisiondetection/-/issues/7
Hi everyone,
I'm pleased to announce the release of version 1.15.0 of
sequoia-openpgp, our low-level OpenPGP library.
I have published sequoia-openpgp on crates.io:
https://crates.io/crates/sequoia-openpgp
You can also fetch version 1.15.0 using the openpgp/v1.15.0 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/openpgp/v1.15.0
which I signed:
$ git verify-tag openpgp/v1.15.0
gpg: Signature made Fri May 05 16:57:20 2023 +02:00
gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528
gpg: Good signature from "Neal H. Walfield <neal(a)walfield.org>" [ultimate]
gpg: "Neal H. Walfield <neal(a)g10code.com>"
gpg: "Neal H. Walfield <neal(a)gnupg.org>"
gpg: "Neal H. Walfield <neal(a)pep-project.org>"
gpg: "Neal H. Walfield <neal(a)pep.foundation>"
gpg: "Neal H. Walfield <neal(a)sequoia-pgp.org>"
There are two notable changes in this release: the Windows CNG, and
the Rust Crypto backends have been updated to use their latest
versions. When using the Rust Crypto backend, this increases
sequoia-openpgp's MSRV to 1.65.0. Otherwise, sequoia-openpgp's MSRV
remain 1.60.0.
This release also includes a number of bug fixes and several
performance improvements.
Neal on behalf of the whole Sequoia PGP team