Source: golang-github-sigstore-sigstore
Version: 1.10.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-sigstore-sigstore.

CVE-2026-24137[0]:
| sigstore framework is a common go library shared across sigstore
| services and clients. In versions 1.10.3 and below, the legacy TUF
| client (pkg/tuf/client.go) supports caching target files to disk. It
| constructs a filesystem path by joining a cache base directory with
| a target name sourced from signed target metadata; however, it does
| not validate that the resulting path stays within the cache base
| directory. A malicious TUF repository can trigger arbitrary file
| overwriting, limited to the permissions that the calling process
| has. Note that this should only affect clients that are directly
| using the TUF client in sigstore/sigstore or are using an older
| version of Cosign. Public Sigstore deployment users are unaffected,
| as TUF metadata is validated by a quorum of trusted collaborators.
| This issue has been fixed in version 1.10.4. As a workaround, users
| can disable disk caching for the legacy client by setting
| SIGSTORE_NO_CACHE=true in the environment, migrate to
| https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or
| upgrade to the latest sigstore/sigstore release.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24137
    https://www.cve.org/CVERecord?id=CVE-2026-24137
[1] https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf
[2] https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
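The advisory quoted above describes a path built by joining a cache base directory with a target name taken from TUF metadata, without checking that the result stays inside the base directory. The Go below is an added illustration of the containment check a cache writer needs; it is not sigstore's code and does not reproduce the upstream fix. SafeCachePath, ErrOutsideCache and the /var/cache/sigstore paths are hypothetical names chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideCache is returned when a metadata-supplied target name would
// resolve to a location outside the cache base directory.
// (Hypothetical name for this example.)
var ErrOutsideCache = errors.New("target name resolves outside cache directory")

// SafeCachePath joins baseDir with targetName and verifies that the cleaned
// result is still a descendant of baseDir. It treats the target name as
// untrusted input even though it comes from signed metadata: a compromised
// or malicious repository can sign any name it likes.
// (Hypothetical helper, not sigstore's API.)
func SafeCachePath(baseDir, targetName string) (string, error) {
	base := filepath.Clean(baseDir)

	// Absolute target names are never legitimate cache entries; reject early.
	if filepath.IsAbs(targetName) {
		return "", ErrOutsideCache
	}

	// Join also runs Clean, which collapses any "..": the result is a real
	// filesystem path, so we can check where it actually landed.
	full := filepath.Join(base, targetName)

	// Express the result relative to the base. Anything that starts with
	// ".." escaped; "." means the name was empty and named the base itself.
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return full, nil
}

func main() {
	// Constructed sample names: one benign, two attempting to leave the cache.
	for _, name := range []string{
		"targets/trusted_root.json",
		"../../etc/passwd",
		"a/../../escape",
	} {
		p, err := SafeCachePath("/var/cache/sigstore", name)
		fmt.Printf("%-28q -> %q, err=%v\n", name, p, err)
	}
}
```

The check is purely lexical: it does not follow symlinks, so a pre-existing symlink inside the cache directory could still redirect a write elsewhere. Where the cache directory is shared or writable by other users, resolve it with filepath.EvalSymlinks first or confine writes with os.Root (Go 1.24 and later), and, as the advisory notes, SIGSTORE_NO_CACHE=true removes the disk write entirely for the legacy client.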

