
Error in case the delegated role is missing from the snapshot #652

Merged
rdimitrov merged 1 commit into master from fix-nil-reference
Oct 1, 2024

Conversation

rdimitrov
Contributor

The following PR fixes the issue where go-tuf will SIGSEGV if a top-level target delegates to another role but that role is not listed in the snapshot metadata.

This is highly unlikely to happen because the attacker must have the ability to create a delegation to a new role in the repository and must be able to prevent this delegation from being included in the snapshot metadata in the repository. This implies a significant compromise of a repository. If these requirements are met and the client tries to download anything delegated to the new role, it will segfault. In any case, it's worth fixing.

Thanks to @jku for reporting this issue! 👏

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
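The failure mode described in this PR, reduced to a minimal Go model (an added example, not go-tuf's code): a client looks up a delegated role in snapshot `meta` before fetching that role's metadata, and the pre-fix lookup dereferences the result without checking that the role is present. The `MetaFile`/`Snapshot` types, function names and sample snapshot are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// MetaFile is the per-file entry of snapshot "meta" (hypothetical minimal type).
type MetaFile struct{ Version int64 }

// Snapshot maps metadata file names ("targets.json", "team-a.json") to entries.
type Snapshot struct{ Meta map[string]*MetaFile }

// ErrRoleNotInSnapshot is surfaced when a delegated role is absent from snapshot.meta.
var ErrRoleNotInSnapshot = errors.New("delegated role not listed in snapshot metadata")

// unsafeDelegatedVersion models the pre-fix lookup: the map result is dereferenced
// without a presence check, so a role missing from the snapshot panics with a nil
// pointer dereference (the SIGSEGV the PR describes).
func unsafeDelegatedVersion(s *Snapshot, role string) int64 {
	return s.Meta[role+".json"].Version
}

// safeDelegatedVersion is the hardened form: a missing entry becomes an error the
// client can report and refuse to proceed on, instead of crashing.
func safeDelegatedVersion(s *Snapshot, role string) (int64, error) {
	mf, ok := s.Meta[role+".json"]
	if !ok || mf == nil {
		return 0, fmt.Errorf("%w: %s", ErrRoleNotInSnapshot, role)
	}
	return mf.Version, nil
}

// Constructed sample: the snapshot lists only the top-level targets role, while
// targets.json delegates to "team-a", which the snapshot omits.
var sampleSnapshot = &Snapshot{Meta: map[string]*MetaFile{
	"targets.json": {Version: 3},
}}
var targetsDelegations = []string{"team-a"}

func main() {
	for _, role := range targetsDelegations {
		if _, err := safeDelegatedVersion(sampleSnapshot, role); err != nil {
			fmt.Println("refusing to fetch delegated metadata:", err)
		}
	}
}
```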
@rdimitrov rdimitrov requested a review from a team as a code owner October 1, 2024 12:00
@rdimitrov rdimitrov self-assigned this Oct 1, 2024
@rdimitrov rdimitrov merged commit 4eb06c8 into master Oct 1, 2024
23 checks passed
@rdimitrov rdimitrov deleted the fix-nil-reference branch October 1, 2024 12:33