Zion Boggan

In-depth vulnerability research, detection engineering & applied cryptography.


sequoia-pgp hunt, iteration 3 (RUSTSEC-2024-0345 variant audit)

Time: 2026-04-17 ~09:30 UTC

Target: variant of CVE-2024-58261 (RawCertParser advance-on-unsupported-version bug)

RawCertParser current state (post-fix)

File: openpgp/src/cert/raw.rs (1712 LoC)

Loop in Iterator::next() (line 740):

- Reads header via Header::parse(&mut reader).
- Branches on header.length():
  - BodyLength::Full(l) → reader.data_consume_hard(l); body bytes consumed BEFORE Key::from_bytes.
  - BodyLength::Partial → set done=true, error, break.
  - BodyLength::Indeterminate → set done=true, error, break.
- After consume: processed = reader.total_out() reflects total bytes consumed.
- On Cert::valid_start/valid_packet Err (lines 983-996): break iteration. done set only if first-cert + first-packet + Unknown/Private tag.
- Final commit: self.bytes_read += processed; self.reader.data_consume_hard(processed).

Result: even on Key::from_bytes Err (unsupported version), body bytes ARE consumed and reader advances. The infinite-loop class is closed for Full-length PublicKey/SecretKey packets.
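The progress invariant described above, as an added Rust sketch (not sequoia's code and not part of the original notebook): the cursor advance is committed before the body is interpreted, and a bounded drain acts as a regression check for the non-advancing-iterator class. The framing, `Pkt`, `ToyParser` and `drain_bounded` are hypothetical names for a toy model, not OpenPGP wire format.

```rust
// Toy framing (constructed, NOT OpenPGP): [tag][len][body...], body[0] is
// the key version. Only version 4 counts as "supported" in this model.
#[derive(Debug, PartialEq)]
pub enum Pkt { Key(u8), Unsupported(Option<u8>), Truncated }

pub struct ToyParser<'a> { buf: &'a [u8], pos: usize, done: bool }

impl<'a> ToyParser<'a> {
    pub fn new(buf: &'a [u8]) -> Self { ToyParser { buf, pos: 0, done: false } }
}

impl<'a> Iterator for ToyParser<'a> {
    type Item = Pkt;
    fn next(&mut self) -> Option<Pkt> {
        if self.done || self.pos >= self.buf.len() { return None; }
        let rest = &self.buf[self.pos..];
        // Header or body cut short: no trustworthy length, so stop for good.
        if rest.len() < 2 || rest.len() < 2 + rest[1] as usize {
            self.done = true;
            return Some(Pkt::Truncated);
        }
        let len = rest[1] as usize;
        let body = &rest[2..2 + len];
        // Commit the advance BEFORE interpreting the body, so a parse
        // failure below cannot leave the cursor on the same packet.
        self.pos += 2 + len;
        match body.first().copied() {
            Some(4) => Some(Pkt::Key(4)),
            other => Some(Pkt::Unsupported(other)), // unknown version or empty body
        }
    }
}

/// Drains the parser under a hard iteration budget; returns None if the
/// budget is exceeded, i.e. the parser stopped making progress.
pub fn drain_bounded(buf: &[u8]) -> Option<Vec<Pkt>> {
    let budget = buf.len() + 1; // each item eats >= 2 bytes or ends the stream
    let mut out = Vec::new();
    for item in ToyParser::new(buf) {
        if out.len() == budget { return None; }
        out.push(item);
    }
    Some(out)
}

fn main() {
    // Constructed input: v4 key, unsupported v9 key, v4 key.
    let buf = [0x06, 0x02, 0x04, 0xAA, 0x06, 0x03, 0x09, 0xBB, 0xCC, 0x06, 0x01, 0x04];
    println!("{:?}", drain_bounded(&buf));
}
```

Moving the `self.pos += 2 + len` line into the `Some(4)` arm reproduces the stalled-cursor shape in this toy, and `drain_bounded` then returns `None` instead of hanging.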

Other version-dispatch sites surveyed (parse.rs)

Lines 1413, 2112, 2663, 2697, 3446, 3591, 3842: each match version arm with unknown branch routes via php.fail("unknown version") → PacketHeaderParser::error() → self.reader.rewind(); Unknown::parse(self, error). Unknown::parse delivers an Unknown packet whose body is consumed by the outer PacketParser via the BodyLength header. Safe.

Negative result

No exploitable variant of RUSTSEC-2024-0345 found in this iteration. RawCertParser post-fix consumes via BodyLength regardless of key-parse outcome; standard PacketParser flow consumes Unknown packets via header length.

Caveat: shallow clone (depth 50) doesn’t include the original 2024-0345 commit, so I can’t see the exact diff. Variant probe limited to current-state reasoning.

Next iteration pivot candidates (within sequoia)

  1. packet/seip/v1.rs MDC verification, CBC-MAC oracle class flagged in intel. Look at Read impl on Decryptor + MDC-tag check timing.
  2. packet/skesk.rs S2K iteration count, DoS class via attacker-controlled iteration counter.
  3. cert/parser/mod.rs (full Cert parser, not raw), newer signature subpacket types (RFC 9580 v6 sigs, hash algorithm prefs).
  4. Pivot OUT of sequoia to Arm Trusted Firmware (Intigriti #2 from intel).

Going with option 1 next iteration.


Source · github.com/zionsworking/security-research-notebook · methodology/sequoia-pgp-variant-hunting-3.md