Hi everyone,
sequoia-autocrypt contains a parser bug, which an attacker can exploit to cause the library to panic.
sequoia-autocrypt incorrectly indexes a UTF-8 string using byte indices instead of grapheme cluster indices. This subtlety is discussed here:
https://doc.rust-lang.org/book/ch08-02-strings.html#slicing-strings
This bug can be exploited by an attacker to cause a program that uses an affected version of sequoia-autocrypt to crash. The attacker is not, however, able to read from or write to the process's address space. Consequently, we have classified this issues as low severity.
The fix is:
- autocrypt: Account for multi-byte characters when parsing a string.
It was found by Alexander Kjäll (capitol) and patched by Neal H. Walfield.
0.25.1: https://gitlab.com/sequoia-pgp/sequoia/-/commit/c1894b180ef3fea4d066f1fad242...
This issue is fixed in sequoia-autocrypt 0.25.1, which I published on crates.io:
https://crates.io/crates/sequoia-autocrypt
You can also fetch version 0.25.1 using the autocrypt/v0.25.1 tag:
https://gitlab.com/sequoia-pgp/sequoia/-/tags/autocrypt%2Fv0.25.1
which I signed:
$ git verify-tag autocrypt/v0.25.1 gpg: Signature made Mon May 22 11:15:33 2023 +02:00 gpg: using RSA key C03FA6411B03AE12576461187223B56678E02528 gpg: Good signature from "Neal H. Walfield neal@walfield.org" [ultimate] gpg: "Neal H. Walfield neal@gnupg.org" gpg: "Neal H. Walfield neal@pep-project.org" gpg: "Neal H. Walfield neal@pep.foundation" gpg: "Neal H. Walfield neal@sequoia-pgp.org"
Neal on behalf of the whole Sequoia PGP team
announce@lists.sequoia-pgp.org