Your message dated Thu, 05 Feb 2026 06:33:44 +0000
with message-id <[email protected]>
and subject line Bug#1126553: fixed in golang-github-sigstore-sigstore 1.10.4-1
has caused the Debian Bug report #1126553,
regarding golang-github-sigstore-sigstore: CVE-2026-24137
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126553: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126553
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-sigstore-sigstore
Version: 1.10.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-sigstore-sigstore.

CVE-2026-24137[0]:
| sigstore framework is a common go library shared across sigstore
| services and clients. In versions 1.10.3 and below, the legacy TUF
| client (pkg/tuf/client.go) supports caching target files to disk. It
| constructs a filesystem path by joining a cache base directory with
| a target name sourced from signed target metadata; however, it does
| not validate that the resulting path stays within the cache base
| directory. A malicious TUF repository can trigger arbitrary file
| overwriting, limited to the permissions that the calling process
| has. Note that this should only affect clients that are directly
| using the TUF client in sigstore/sigstore or are using an older
| version of Cosign. Public Sigstore deployment users are unaffected,
| as TUF metadata is validated by a quorum of trusted collaborators.
| This issue has been fixed in version 1.10.4. As a workaround, users
| can disable disk caching for the legacy client by setting
| SIGSTORE_NO_CACHE=true in the environment, migrate to
| https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or
| upgrade to the latest sigstore/sigstore release.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24137
    https://www.cve.org/CVERecord?id=CVE-2026-24137
[1] https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf
[2] https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e

Please adjust the affected versions in the BTS as needed.

Regards
Salvatore

--- End Message ---
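The flaw the advisory describes is a cache path built by joining a base directory with a metadata-supplied target name and never checking that the result is still under the base. The following is an added illustration, not sigstore's code or the upstream fix: the flawed join next to a containment check, with `safeCachePath` and `ErrOutsideCache` being hypothetical names and the cache directory assumed to be absolute.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when a target name would resolve outside the cache base.
var ErrOutsideCache = errors.New("target path escapes cache directory")

// unsafeCachePath mirrors the pattern the advisory describes: the cache base is joined
// with a target name taken from signed metadata and the result is used as-is.
// filepath.Join cleans the path, so "../" segments in the name walk above the base.
func unsafeCachePath(cacheDir, targetName string) string {
	return filepath.Join(cacheDir, targetName)
}

// safeCachePath joins the same way, then verifies that the cleaned result is still
// inside cacheDir. The check is lexical only: a symlink already present under the
// cache directory could still point elsewhere, so the cache should not be writable
// by other principals.
func safeCachePath(cacheDir, targetName string) (string, error) {
	base, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	// Join would anchor an absolute name under base anyway; rejecting it explicitly
	// documents the invariant that target names are relative.
	if filepath.IsAbs(targetName) {
		return "", ErrOutsideCache
	}
	full := filepath.Join(base, targetName)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return full, nil
}

func main() {
	// Constructed sample target names: one ordinary, one traversing upward.
	for _, name := range []string{"targets/foo.txt", "../../etc/hosts"} {
		fmt.Println("unsafe:", unsafeCachePath("/tmp/cache", name))
		p, err := safeCachePath("/tmp/cache", name)
		fmt.Println("safe:  ", p, err)
	}
}
```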
--- Begin Message ---
Source: golang-github-sigstore-sigstore
Source-Version: 1.10.4-1
Done: Simon Josefsson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-sigstore-sigstore, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated golang-github-sigstore-sigstore package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 04 Feb 2026 23:38:35 +0100
Source: golang-github-sigstore-sigstore
Architecture: source
Version: 1.10.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1126553
Changes:
 golang-github-sigstore-sigstore (1.10.4-1) unstable; urgency=medium
 .
   * New upstream
     - Fix CVE-2026-24137 (Closes: #1126553)
   * Drop Priority: optional
   * Standards-Version: 4.7.3
   * Bump debian/* copyright years
Git-Tag-Info: tag=7a95a366121b5f423f77b3446ebfd639b6faa1b2 fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>




--- End Message ---
