1212253 – (CVE-2023-29479) VUL-0: CVE-2023-29479: rnp: hang when the input is malformed

Bug 1212253 (CVE-2023-29479) - VUL-0: CVE-2023-29479: rnp: hang when the input is malformed

Summary: VUL-0: CVE-2023-29479: rnp: hang when the input is malformed

Status:	RESOLVED FIXED

Alias:	CVE-2023-29479

Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Current
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assignee:	Andreas Stieger
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-06-12 17:23 UTC by Andreas Stieger
Modified:	2023-06-12 21:25 UTC (History)
CC List:	0 users

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2023-06-12 17:23:36 UTC

Ribose RNP before 0.16.3 may hang when the input is malformed.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29479
https://www.rnpgp.org/blog/2023-04-13-rnp-release-0-16-3/
https://cve.ribose.com/advisories/ra-2023-04-11/
https://github.com/advisories/GHSA-rr9h-qqwq-gm72

Comment 1 Andreas Stieger 2023-06-12 17:29:09 UTC

https://build.opensuse.org/request/show/1092656

Comment 2 Andreas Stieger 2023-06-12 21:25:27 UTC

Note that CVE-2023-29479 was first recorded to affect rnp as bundled in Mozilla Thunderbird. Advisory MFSA 2023-15, See bug 1210212 for that update.
https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/#CVE-2023-29479
See bug 1212259 for report about rnp being bundled in MozillaThunderbird.