[Pkg-rust-maintainers] Bug#1109001: rust-sequoia-octopus-librnp: denial of service via specially crafted compressed message

Holger Levsen holger at debian.org
Wed Jul 9 11:14:55 BST 2025 

Package: rust-sequoia-octopus-librnp
Version: 1.11.0-1
Severity: important

Dear Maintainer,

reported by codean via the YesWeHack bug bounty program:


DoS via bzip2 decompression bomb

Bug type: Denial of Service (CWE-400)
Scope: octopus
Endpoint: decompression mechanism
Vulnerable part: Others
Part name: BZip
Payload: An openpgp message containing a specially crafted compressed message
Technical env.: OS
App. fingerprint:
CVE:
Impact:
IP used: 0.0.0.0

Description

The OpenPGP standard supports the use of a Compressed Data packet to include compressed content in OpenPGP messages. The sequoia-pgp implementation supports the zip, zlib, and bzip2 compression algorithms. Decompression for bzip2 is handled using the bzip2 library.

This decompression function is applied directly to the compressed content without checking the size of the resulting decompressed payload.

As a result, the library decompresses the entire content, regardless of size. This behavior is also present in octopus, the drop-in replacement for the RNP library used by Thunderbird.

Because sequoia-pgp does not enforce size limits on OpenPGP messages and due to the very high compression ratio achievable with bzip2 (greater than 5,000,000), an attacker can craft a small message that, when processed by sequoia-pgp in octopus, causes CPU usage to spike to 100% for a significant amount of time. This leads to resource exhaustion and renders Thunderbird unresponsive. Similar behavior will occur in any application or library that makes use of sequoia-pgp in a single-threaded manner.

The decompression factor could potentially be increased even further by using nested Compressed Data packets, but this was not tested.
Impact

An attacker is able to craft a PGP message that will force sequoia-pgp to drammatically increase the CPU usage, freezing the Thunderbird application when sequoia-octopus-librnp is used.
Decompressing a 98KB message, which inflates to 20GB of uncompressed content, takes up to 3 minutes on an AMD Ryzen 7 PRO 7840U machine.
While this applies to all supported compression algorithms, it has a significantly higher impact with bzip2, due to the much larger achievable compression ratio.
Solution

A suitable mitigation for libraries like sequoia-pgp is to implement a configurable size limit on the decompressed payload. This would help prevent Denial-of-Service attacks that exploit this behavior.
Attachment: Proof of Concept

In order to generate a small compressed PGP message we can use the following command, which will generate a 50KB ASCII-armored message with a 10GB decompressed payload:

dd if=/dev/zero bs=1M status=none count=10240 | gpg --compress-algo BZIP2 --sign --armor --output dos_message.pgp.asc

Once generated, send the content as the body of an email and open it using Thunderbird with sequoia-octopus-librnp installed. You will notice that the application freezes and CPU usage spikes.


Triager

Hello,

We were able to reproduce the described behavior.

A Decompression Bomb (or Zip Bomb) is a maliciously crafted compressed file designed to consume excessive system resources when decompressed, potentially leading to denial of service or application crashes.

Because sequoia-pgp does not enforce size limits on OpenPGP messages and due to the very high compression ratio achievable with bzip2 (greater than 5,000,000), an attacker can craft a small message that, when processed by sequoia-pgp in octopus, causes CPU usage to spike to 100% for a significant amount of time. This leads to resource exhaustion and renders Thunderbird unresponsive. Similar behavior will occur in any application or library that makes use of sequoia-pgp in a single-threaded manner.
Proof of Concept

    The attacker crafts a small compressed PGP message :

    dd if=/dev/zero bs=1M status=none count=10240 | gpg --compress-algo BZIP2 --sign --armor --output dos_message.pgp.asc

    This create a 50KB with a 10GB decompressed payload
    The attacker send this message as a body of an email

The victims open the email using Thunderbird with sequoia-octopus-librnp https://crates.io/crates/sequoia-octopus-librnp#building-on-linux

Then, attempt to decrypt the message and observe it dramatically increase the CPU usage, freezing the Thunderbird application.

Note that the proposed CVSS score serves as a starting point to support further discussion. Please feel free to reach out if you'd like to review or adjust it.

About the CVSS vector, it seems correct.


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

It's the end of the world as we know it - and I feel fine.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20250709/1c94363a/attachment-0001.sig>

More information about the Pkg-rust-maintainers mailing list