Key vulnerability information

RA-2023-04-11: Security vulnerabilities fixed in RNP 0.16.3

Metadata
ID: RA-2023-05-30
Date: 11 Apr 2023
Covers CVEs: CVE-2023-29479, CVE-2023-29480

CVE-2023-29479
Name: Hang when processing certain OpenPGP messages
Link: CVE-2023-29479
Problem: CWE-400 - Uncontrolled Resource Consumption
Impact: CAPEC-607 - Obstruction
Affected Vendors: Ribose
Affected Products: RNP (0.16.1 through 0.16.2)
Vulnerability Details: Malformed OpenPGP messages cause incorrect parsing and library hang.
Additional Details: Upgrading to RNP 0.16.3 fixes this issue. Affects Thunderbird up to version 102.9.1.
Credits: Ribose RNP Team, oss-fuzz

CVE-2023-29480
Name: Secret keys remain unlocked after usage in certain cases
Link: CVE-2023-29480
Problem: CWE-922 - Insecure Storage of Sensitive Information
Impact: CAPEC-37 - Retrieve Embedded Sensitive Data
Affected Vendors: Ribose
Affected Products: RNP (0.16.1 through 0.16.2)
Vulnerability Details: Premature destruction of an unnamed KeyLocker prevents re-locking keys.
Additional Details: Upgrading to RNP 0.16.3 fixes this issue.
Credits: Falko Strenzke (@falko-strenzke)
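
The bug class named under CVE-2023-29480, shown as an added example that is not RNP's code: a scope guard created as an unnamed temporary is destroyed before the key is unlocked, so nothing re-locks it. `SecretKey`, this `KeyLocker` and both functions are hypothetical models written for illustration, and the guard's restore-on-destruction behaviour is an assumption.

```cpp
#include <iostream>

// Hypothetical stand-in for a secret key with a lock state (not RNP's type).
struct SecretKey {
    bool locked = true;
    void unlock() { locked = false; }
    void lock() { locked = true; }
};

// Hypothetical scope guard (assumed behaviour): remembers whether the key was
// locked on entry and restores that state when the guard is destroyed.
class KeyLocker {
    SecretKey &key_;
    bool was_locked_;
  public:
    explicit KeyLocker(SecretKey &key) : key_(key), was_locked_(key.locked) {}
    ~KeyLocker() { if (was_locked_ && !key_.locked) key_.lock(); }
    KeyLocker(const KeyLocker &) = delete;
    KeyLocker &operator=(const KeyLocker &) = delete;
};

// Buggy pattern: the guard is an unnamed temporary, so its destructor runs at
// the end of that statement, while the key is still locked. The later unlock
// is never undone.
bool locked_after_use_unnamed(SecretKey &key) {
    KeyLocker{key};            // temporary is destroyed right here
    key.unlock();
    // ... secret key material would be used here ...
    return key.locked;         // state the caller is left with
}

// Corrected pattern: a named guard lives until the end of its scope.
bool locked_after_use_named(SecretKey &key) {
    {
        KeyLocker guard(key);  // lives until the closing brace
        key.unlock();
        // ... secret key material would be used here ...
    }                          // guard destroyed here, key re-locked
    return key.locked;
}

int main() {
    SecretKey a, b;
    std::cout << "unnamed guard, key locked afterwards: "
              << std::boolalpha << locked_after_use_unnamed(a) << "\n";
    std::cout << "named guard, key locked afterwards:   "
              << locked_after_use_named(b) << "\n";
}
```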