See https://rustsec.org/advisories/RUSTSEC-2024-0345.html.

"""
Description

There is a denial-of-service vulnerability in sequoia-openpgp, our crate providing a low-level interface to our OpenPGP implementation. When triggered, the process will enter an infinite loop. Many thanks to Andrew Gallagher for disclosing the issue to us.

Impact

Any software directly or indirectly using the interface sequoia_openpgp::cert::raw::RawCertParser. Notably, this includes all software using the sequoia_cert_store crate.

Details

The RawCertParser does not advance the input stream when encountering unsupported cert (primary key) versions, resulting in an infinite loop. The fix introduces a new raw-cert-specific cert::raw::Error::UnsupportedCert.
"""

They only seem to have issued a new release for this package so I guess the other sq suite pkgs are fine.
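The failure mode the advisory describes (a parser that reports an unsupported version without consuming the record, so a caller that keeps pulling results never terminates) is shown below as an added illustration; this is not sequoia-openpgp's code, and the record layout, `Parser`, `next_buggy`, `next_fixed`, `drain` and `SAMPLE` are all constructed here.

```rust
// Added example (not sequoia-openpgp's code). Record layout is constructed
// here: [version u8][len u8][payload: len bytes]; versions 4 and 6 count as
// supported, anything else is an unsupported cert (primary key) version.
#[derive(Debug, PartialEq)]
pub enum Error { UnsupportedCert(u8), Truncated }
pub struct Parser<'a> { buf: &'a [u8], pos: usize }
impl<'a> Parser<'a> {
    pub fn new(buf: &'a [u8]) -> Self { Parser { buf, pos: 0 } }
    /// Header of the record at `pos`, or Truncated if under 2 bytes remain.
    fn header(&self) -> Result<(u8, usize), Error> {
        let h = self.buf.get(self.pos..self.pos + 2).ok_or(Error::Truncated)?;
        Ok((h[0], h[1] as usize))
    }
    /// Buggy variant: an unsupported version is reported without moving `pos`,
    /// so a caller that keeps pulling results sees the same record forever.
    pub fn next_buggy(&mut self) -> Option<Result<u8, Error>> {
        if self.pos >= self.buf.len() { return None; }
        let (version, len) = match self.header() { Ok(h) => h, Err(e) => return Some(Err(e)) };
        if version != 4 && version != 6 {
            return Some(Err(Error::UnsupportedCert(version))); // pos unchanged!
        }
        self.pos += 2 + len;
        Some(Ok(version))
    }
    /// Fixed variant: the record (or a truncated tail) is consumed *before*
    /// the error is returned, so every call makes progress.
    pub fn next_fixed(&mut self) -> Option<Result<u8, Error>> {
        if self.pos >= self.buf.len() { return None; }
        let (version, len) = match self.header() {
            Ok(h) => h,
            Err(e) => { self.pos = self.buf.len(); return Some(Err(e)); }
        };
        self.pos = (self.pos + 2 + len).min(self.buf.len());
        if version != 4 && version != 6 { return Some(Err(Error::UnsupportedCert(version))); }
        Some(Ok(version))
    }
}
/// Pull at most `limit` results; the bool reports whether the stream ended.
pub fn drain(mut step: impl FnMut() -> Option<Result<u8, Error>>, limit: usize)
    -> (Vec<Result<u8, Error>>, bool) {
    let mut out = Vec::new();
    for _ in 0..limit {
        match step() { Some(r) => out.push(r), None => return (out, true) }
    }
    (out, false)
}
/// Constructed sample: a v4 cert, an unsupported v5 cert, then an empty v6 cert.
pub const SAMPLE: &[u8] = &[4, 2, 0xAA, 0xBB, 5, 1, 0xCC, 6, 0];
```

Running `drain` over `SAMPLE` with the buggy variant never reports the stream as ended; the fixed variant yields the v4 cert, one UnsupportedCert(5) error, the v6 cert, and then stops.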
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea095ceae6c4019401707f2255f33b1b0493ebb1

commit ea095ceae6c4019401707f2255f33b1b0493ebb1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-03 04:30:40 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-03 04:30:40 +0000

    app-crypt/sequoia-chameleon-gnupg: add 0.10.1

    Bug: https://bugs.gentoo.org/935384
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/sequoia-chameleon-gnupg/Manifest         |  26 ++
 .../sequoia-chameleon-gnupg-0.10.1.ebuild          | 445 +++++++++++++++++++++
 2 files changed, 471 insertions(+)
Can we cleanup?