This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
rpm(22 total, 6 outdated, 2 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| bitflags | ^2 | 2.11.0 | up to date |
| bzip2 | ^0.4.4 | 0.6.1 | out of date |
| chrono ⚠️ | ^0.4 | 0.4.44 | maybe insecure |
| cpio | ^0.4 | 0.4.1 | up to date |
| digest | ^0.10 | 0.11.2 | out of date |
| enum-display-derive | ^0.1 | 0.1.1 | up to date |
| enum-primitive-derive | ^0.3 | 0.3.0 | up to date |
| flate2 | ^1 | 1.1.9 | up to date |
| hex | ^0.4 | 0.4.3 | up to date |
| itertools | ^0.13 | 0.14.0 | out of date |
| log | ^0.4 | 0.4.29 | up to date |
| md-5 | ^0.10 | 0.10.6 | up to date |
| nom | ^7 | 8.0.0 | out of date |
| num | ^0.4 | 0.4.3 | up to date |
| num-derive | ^0.4 | 0.4.2 | up to date |
| num-traits | ^0.2 | 0.2.19 | up to date |
| pgp ⚠️ | ^0.14.0 | 0.19.0 | out of date |
| sha1 | ^0.10 | 0.10.6 | up to date |
| sha2 | ^0.10 | 0.11.0 | out of date |
| thiserror | ^2 | 2.0.18 | up to date |
| xz2 | ^0.1 | 0.1.7 | up to date |
| zstd | ^0.13 | 0.13.3 | up to date |
(5 total, 2 outdated)
| Crate | Required | Latest | Status |
|---|---|---|---|
| env_logger | ^0.11 | 0.11.10 | up to date |
| gethostname | ^0.5 | 1.1.0 | out of date |
| hex-literal | ^0.4 | 1.1.0 | out of date |
| pretty_assertions | ^1.3 | 1.4.1 | up to date |
| serial_test | ^3.0 | 3.4.0 | up to date |
chrono: Potential segfault in `localtime_r` invocationsUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
No workarounds are known.
pgp: Panics on Malformed Untrusted InputDuring a security audit, Radically Open Security discovered several reachable edge cases which allow an attacker to trigger rpgp crashes by providing crafted data.
When processing malformed input, rpgp can run into Rust panics which halt the program.
This can happen in the following scenarios:
Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the rpgp library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.
The result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.
All recent versions are affected by at least some of the above mentioned issues.
The vulnerabilities have been fixed with version 0.14.1. We recommend all users to upgrade to this version.
The security audit was made possible by the NLnet Foundation NGI Zero Core grant program for rpgp.