Bug 1212253 (CVE-2023-29479)

Summary:	VUL-0: CVE-2023-29479: rnp: hang when the input is malformed
Product:	[openSUSE] openSUSE Tumbleweed	Reporter:	Andreas Stieger <Andreas.Stieger>
Component:	Security	Assignee:	Andreas Stieger <Andreas.Stieger>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P5 - None
Version:	Current
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Andreas Stieger 2023-06-12 17:23:36 UTC

Ribose RNP before 0.16.3 may hang when the input is malformed.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29479
https://www.rnpgp.org/blog/2023-04-13-rnp-release-0-16-3/
https://cve.ribose.com/advisories/ra-2023-04-11/
https://github.com/advisories/GHSA-rr9h-qqwq-gm72

Comment 1 Andreas Stieger 2023-06-12 17:29:09 UTC

https://build.opensuse.org/request/show/1092656

Comment 2 Andreas Stieger 2023-06-12 21:25:27 UTC

Note that CVE-2023-29479 was first recorded to affect rnp as bundled in Mozilla Thunderbird. Advisory MFSA 2023-15, See bug 1210212 for that update.
https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/#CVE-2023-29479
See bug 1212259 for report about rnp being bundled in MozillaThunderbird.