GMS-2022-4197: Python-TUF vulnerable to incorrect threshold signature computation for new root metadata
The function _verify_root_self_signed(), introduced in v0.14.0, verifies the self-signatures on a new root metadata file. It counted multiple signatures by any one new root key towards the new threshold, so a single new root key could, in theory, supply enough signatures to meet the threshold of new-key self-signatures required during a root metadata update. A scenario in which this could be exploited is highly unlikely in practice, to the point that labeling this issue a security advisory potentially overstates its impact. Because new root keys only become trusted by the client after a successful root metadata update, which also requires a quorum of signatures from the old, trusted root keys, this issue has been evaluated as low in severity.
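The following is an added illustration of the counting defect the advisory describes and of the corrected check; it is not python-tuf's code. It assumes a constructed set of keyids and uses HMAC-SHA256 with a per-key secret as a stand-in for the asymmetric signature scheme real TUF metadata uses, because only the threshold-counting logic matters here: the flawed counter adds one for every valid signature from an authorized key, so the same keyid listed twice in "signatures" reaches a threshold of 2, while the corrected counter counts each authorized keyid at most once.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a signature scheme: HMAC-SHA256 keyed by a per-key
# secret. Real TUF root metadata uses asymmetric keys (e.g. Ed25519); the
# counting logic below is the point, not the primitive.
KEY_SECRETS = {            # constructed keyids and secrets, not real key material
    "key-a": b"secret-a",
    "key-b": b"secret-b",
    "key-c": b"secret-c",  # a key that is NOT in the new root role
}


def canonical(signed):
    """Canonical JSON bytes of the 'signed' portion, the data a signature covers."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def make_signature(keyid, signed):
    """Produce a TUF-style signature entry {"keyid": ..., "sig": ...}."""
    sig = hmac.new(KEY_SECRETS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": sig}


def signature_is_valid(signature, signed):
    """Verify one signature entry against the signed portion."""
    keyid = signature["keyid"]
    if keyid not in KEY_SECRETS:
        return False
    expected = hmac.new(KEY_SECRETS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["sig"])


def count_signatures_flawed(metadata, role_keyids):
    """Flawed counting (the pattern described in the advisory): every valid
    signature from an authorized key adds one, so one key can be counted twice."""
    count = 0
    for sig in metadata["signatures"]:
        if sig["keyid"] in role_keyids and signature_is_valid(sig, metadata["signed"]):
            count += 1
    return count


def count_signatures_distinct(metadata, role_keyids):
    """Corrected counting: record which authorized keyids produced a valid
    signature and count each of them at most once."""
    verified = set()
    for sig in metadata["signatures"]:
        if sig["keyid"] in role_keyids and signature_is_valid(sig, metadata["signed"]):
            verified.add(sig["keyid"])
    return len(verified)


def root_self_signed_ok(new_root, counter=count_signatures_distinct):
    """Self-signature check: the new root must carry enough valid signatures
    from the keys its own 'root' role declares to meet that role's threshold."""
    role = new_root["signed"]["roles"]["root"]
    return counter(new_root, set(role["keyids"])) >= role["threshold"]


def build_new_root(signing_keyids):
    """Constructed new root metadata declaring keys a and b with threshold 2,
    signed once per entry in signing_keyids (duplicates allowed on purpose)."""
    signed = {
        "_type": "root",
        "version": 2,
        "roles": {"root": {"keyids": ["key-a", "key-b"], "threshold": 2}},
    }
    return {"signed": signed,
            "signatures": [make_signature(k, signed) for k in signing_keyids]}


if __name__ == "__main__":
    role_keys = {"key-a", "key-b"}
    twice = build_new_root(["key-a", "key-a"])      # one key, listed twice
    print("flawed count  :", count_signatures_flawed(twice, role_keys))    # 2
    print("distinct count:", count_signatures_distinct(twice, role_keys))  # 1
    print("flawed accepts :", root_self_signed_ok(twice, counter=count_signatures_flawed))
    print("fixed accepts  :", root_self_signed_ok(twice))
```

Note that a signature from "key-c" is ignored by both counters because it is not in the role's keyids; the defect is specifically that an authorized key's signatures were not deduplicated by keyid. Also note that in a real client this check runs after the old root keys' threshold has been verified, which is why the advisory rates the impact as low.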