Crafted pgp message panics pgp parser
Hello,
I found this pgp message that panics the pgp parser in the sequoia-openpgp
crate:
% sq --version
sq 0.29.0 (sequoia-openpgp 1.14.0, using Nettle 3.8 (Cv448: true))
% cat thisfile.txt
-----BEGIN PGP SIGNED MESSAGE-----
hewwo :3
-----BEGIN PGP SIGNATURE-----
owGjAA0=
zXvj
-----END PGP SIGNATURE-----
% sq verify --signer-file /dev/null thisfile.txt
thread 'main' panicked at 'It is an error to consume more than data returns: Custom { kind: InvalidInput, error: "corrupt deflate stream" }', /build/.cargo/registry/src/github.com-1ecc6299db9ec823/sequoia-openpgp-1.14.0/src/parse.rs:5129:18
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
%
A panic in the parser can be a DoS vulnerability for programs using sequoia-openpgp as a library.
Thanks!
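
Added triage example, not part of the original report and not Sequoia's code: it decodes the armor body quoted above, reads the packet header per RFC 4880, and shows that the payload is a Compressed Data packet whose DEFLATE stream is invalid, matching the "corrupt deflate stream" text in the panic message. The function names and the report dictionary are assumptions made for this sketch, and the decompression failure is returned as data instead of aborting.

```python
import base64
import zlib

# Armor body copied from the report's signature block (checksum line omitted).
ARMOR_BODY = "owGjAA0="

TAGS = {2: "Signature", 8: "Compressed Data", 11: "Literal Data"}  # subset
COMPRESSION = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}


def parse_old_format_header(data):
    """Parse an RFC 4880 old-format packet header; return (tag, body)."""
    if not data or not data[0] & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    ctb = data[0]
    if ctb & 0x40:
        raise ValueError("new-format header, not handled in this sketch")
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type == 3:        # indeterminate length: body runs to end of input
        return tag, data[1:]
    n = 1 << length_type        # 1, 2 or 4 length octets
    if len(data) < 1 + n:
        raise ValueError("truncated length field")
    length = int.from_bytes(data[1:1 + n], "big")
    body = data[1 + n:1 + n + length]
    if len(body) != length:
        raise ValueError("truncated packet body")
    return tag, body


def triage(armor_body):
    """Describe the first packet; report a decompression failure as a value."""
    raw = base64.b64decode(armor_body, validate=True)
    tag, body = parse_old_format_header(raw)
    report = {"hex": raw.hex(), "tag": TAGS.get(tag, tag)}
    if tag == 8 and body:
        report["algo"] = COMPRESSION.get(body[0], body[0])
        if body[0] == 1:        # ZIP means raw DEFLATE (RFC 1951), no zlib header
            try:
                report["inflated"] = zlib.decompress(body[1:], -15)
            except zlib.error as exc:
                # Untrusted input: surface the failure, never crash on it.
                report["inflate_error"] = str(exc)
    return report


if __name__ == "__main__":
    print(triage(ARMOR_BODY))
```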