Bug 2415863 (CVE-2025-13402)

Summary: CVE-2025-13402 github.com/rnpgp/rnp: RNP PKESK Session Keys Generated as All‑Zero
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: carnil, prodsec-dev
Target Milestone: ---Keywords: Security
Target Release: ---Flags: carnil: needinfo? (prodsec-dev)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in RNP’s OpenPGP encryption component. This vulnerability allows decryption of public‑key‑encrypted messages by using a session key consisting entirely of zero bytes, due to the session key not being properly initialized during PKESK generation.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2415865, 2415866, 2415867, 2415868, 2415869, 2415870    
Bug Blocks:    

Description OSIDB Bzimport 2025-11-19 13:39:37 UTC 
today I stumbled upon a bug in RNP that has been introduced when refactoring. Namely, session keys generated for PKESK are not randomized but always zero. I believe this behaviour was introduced in https://github.com/rnpgp/rnp/commit/7bd9a8dc#diff-407f1b7227c5750de89205b12f416de7b215e3bb5e07c46daa25aff431654da2L993-R1041 Here, encrypted_build_skesk() will initialize the session key only for the SKESK case. For the PKESK case, the array remains all-zero. To confirm that the v0.18.0 release is affected, I built it and indeed, I can decrypt [typo corrected] PKESK-encrypted data when supplying the all-zero session key. Below are my steps to easily reproduce: git clone https://github.com/rnpgp/rnp.git cd rnp git checkout v0.18.0 git submodule update --init --recursive cmake -S . -B build/ cmake --build build/ -j6 mkdir /tmp/rnptmphome ./build/src/rnpkeys/rnpkeys -g --homedir /tmp/rnptmphome ./build/src/rnp/rnp --homedir /tmp/rnptmphome -es --armor version.txt Now one can use any utility to confirm the session key. For example, I went to https://dump.sequoia-pgp.org/, pasted version.txt.asc and put 0000000000000000000000000000000000000000000000000000000000000000 as session key. This will decrypt the data just fine.
Comment 2 Salvatore Bonaccorso 2025-11-21 20:28:02 UTC 
FYI, according to https://www.cve.org/CVERecord?id=CVE-2025-13470 the right CVE for this issue is CVE-2025-13470.