pgp: Add information about CVE-2024-53856

crates/pgp/RUSTSEC-0000-0000.md

@@ -0,0 +1,55 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "pgp"
+date = "2024-12-05"
+url = "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv"
+references = ["https://github.com/radicallyopensecurity/ros-website/blob/8169b16fc138a0b0dde14dd0e222d1279701b4d3/ros-public-reports/ROS%20-%20NLNet%20-%20rPGP%20-%202024.pdf"]
+categories = ["denial-of-service"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+aliases = ["CVE-2024-53856","GHSA-9rmp-2568-59rv"]
+license = "CC-BY-4.0"
+
+[versions]
+patched = [">= 0.14.1"]
+```
+
+# Panics on Malformed Untrusted Input
+
+During a security audit, Radically Open Security discovered
+several reachable edge cases which allow an attacker to
+trigger rpgp crashes by providing crafted data.
+
+## Impact
+
+When processing malformed input, rpgp can run into Rust panics which halt
+the program.
+
+This can happen in the following scenarios:
+
+ * Parsing OpenPGP messages from binary or armor format
+ * Decrypting OpenPGP messages via decrypt_with_password()
+ * Parsing or converting public keys
+ * Parsing signed cleartext messages from armor format
+ * Using malformed private keys to sign or encrypt
+
+Given the affected components, we consider most attack vectors to be
+reachable by remote attackers during typical use cases of the rpgp
+library. The attack complexity is low since the malformed messages
+are generic, short, and require no victim-specific knowledge.
+
+The result is a denial-of-service impact via program termination.
+There is no impact to confidentiality or integrity security properties.
+
+## Versions and Patches
+
+All recent versions are affected by at least some of the above mentioned
+issues.
+
+The vulnerabilities have been fixed with version 0.14.1. We recommend
+all users to upgrade to this version.
+
+## References
+
+The security audit was made possible by the NLnet Foundation
+NGI Zero Core grant program for rpgp.