Merge pull request #332 from iliana/CVE-2020-15093

tough: CVE-2020-15093 / GHSA-5q2r-92f9-4m49
2025-12-31 16:50:28 +01:00 · 2020-07-09 22:01:12 +02:00
parent 6b10ce0976 f17173c999
commit 83f70aefc0
1 changed files with 29 additions and 0 deletions
--- a/crates/tough/RUSTSEC-0000-0000.toml
+++ b/crates/tough/RUSTSEC-0000-0000.toml
@@ -0,0 +1,29 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "tough"
+date = "2020-07-09"
+title = "Improper uniqueness verification of signature threshold"
+url = "https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49"
+aliases = ["CVE-2020-15093", "GHSA-5q2r-92f9-4m49"]
+references = ["CVE-2020-6174"]
+description = """
+The tough library, prior to 0.7.1, does not properly verify the uniqueness of
+keys in the signatures provided to meet the threshold of cryptographic
+signatures. It allows someone with access to a valid signing key to create
+multiple valid signatures in order to circumvent TUF requiring a minimum
+threshold of unique keys before the metadata is considered valid.
+
+AWS would like to thank Erick Tryzelaar of the Google Fuchsia Team for
+reporting this issue.
+
+A fix is available in version 0.7.1.
+
+CVE-2020-6174 is assigned to the same issue in the TUF reference
+implementation.
+
+If you have any questions or comments about this advisory, contact AWS Security
+at aws-security@amazon.com.
+"""
+
+[versions]
+patched = [">= 0.7.1"]