GHSA-QP9X-WP8F-QGJJ

Vulnerability from github – Published: 2026-05-28 22:46 – Updated: 2026-05-28 22:46
VLAI
Summary
tuf has platform-dependent delegation path matching
Details

DelegatedRole._is_target_in_pathpattern uses fnmatch.fnmatch to decide whether a given target path is authorized by a delegation's glob pattern.

Python's fnmatch.fnmatch calls os.path.normcase() on both arguments before matching. On POSIX hosts normcase is the identity function; on Windows hosts os.path resolves to ntpath, whose normcase lowercases its input and replaces / with \.

As a result, python-tuf's delegation path pattern matching is case-sensitive on Linux/macOS but case-INSENSITIVE on Windows. This makes the authorization decision for a target dependent on the host operating system of the client running the updater.

The result on Windows is a TUF specification violation in the python-tuf ngclient implementation.

Vulnerable code

tuf/api/_payload.py (HEAD 7ecb67d):

1183  @staticmethod
1184  def _is_target_in_pathpattern(targetpath: str, pathpattern: str) -> bool:
1185      """Determine whether ``targetpath`` matches the ``pathpattern``."""
1186      # We need to make sure that targetpath and pathpattern are pointing to
1187      # the same directory as fnmatch doesn't threat "/" as a special symbol.
1188      target_parts = targetpath.split("/")
1189      pattern_parts = pathpattern.split("/")
1190      if len(target_parts) != len(pattern_parts):
1191          return False
1192
1193      # Every part in the pathpattern could include a glob pattern, that's why
1194      # each of the target and pathpattern parts should match.
1195      for target, pattern in zip(target_parts, pattern_parts, strict=True):
1196          if not fnmatch.fnmatch(target, pattern):
1197              return False
1198      return True

fnmatch.fnmatch source (Python 3.12, unchanged in current mainline):

def fnmatch(name, pat):
    ...
    name = os.path.normcase(name)
    pat = os.path.normcase(pat)
    return fnmatchcase(name, pat)

Fix

Replace fnmatch.fnmatch with fnmatch.fnmatchcase, which is explicitly documented as "not applying case normalization", so it behaves identically across platforms.

Attack

  1. A TUF repository with two path-based delegations whose patterns differ only in case — for example, Foo/* and foo/*.
  2. The "attacker" delegation is listed BEFORE the "legit" delegation in the delegation order.
  3. The client searches for foo/something: on Windows, it will find the "attacker" provided target "Foo/something".

Exploitability caveats

  • The attack needs a repository configuration with case-colliding delegation path patterns. The attacker must control one of the delegated roles.
  • Delegation ordering matters: the attacker-controlled role must be visited BEFORE the legit role in the pre-order walk.
  • The client must run on Windows. No effect on Linux/macOS.

Credit

Reporter: Koda Reef @kodareef5 Advisory edits: Jussi Kukkonen @jku

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "tuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-178"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-28T22:46:13Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "`DelegatedRole._is_target_in_pathpattern` uses `fnmatch.fnmatch` to decide whether a given target path is authorized by a delegation\u0027s glob pattern.\n\nPython\u0027s `fnmatch.fnmatch` calls `os.path.normcase()` on both arguments before matching. On POSIX hosts `normcase` is the identity function; on Windows hosts `os.path` resolves to `ntpath`, whose `normcase` lowercases its input and replaces `/` with `\\`.\n\nAs a result, python-tuf\u0027s delegation *path pattern* matching is case-sensitive on Linux/macOS but case-INSENSITIVE on Windows. This makes the authorization decision for a target dependent on the host operating system of the client running the updater.\n\nThe result on Windows is a TUF specification violation in the python-tuf `ngclient` implementation.\n\n## Vulnerable code\n\n`tuf/api/_payload.py` (HEAD `7ecb67d`):\n\n```python\n1183  @staticmethod\n1184  def _is_target_in_pathpattern(targetpath: str, pathpattern: str) -\u003e bool:\n1185      \"\"\"Determine whether ``targetpath`` matches the ``pathpattern``.\"\"\"\n1186      # We need to make sure that targetpath and pathpattern are pointing to\n1187      # the same directory as fnmatch doesn\u0027t threat \"/\" as a special symbol.\n1188      target_parts = targetpath.split(\"/\")\n1189      pattern_parts = pathpattern.split(\"/\")\n1190      if len(target_parts) != len(pattern_parts):\n1191          return False\n1192\n1193      # Every part in the pathpattern could include a glob pattern, that\u0027s why\n1194      # each of the target and pathpattern parts should match.\n1195      for target, pattern in zip(target_parts, pattern_parts, strict=True):\n1196          if not fnmatch.fnmatch(target, pattern):\n1197              return False\n1198      return True\n```\n\n`fnmatch.fnmatch` source (Python 3.12, unchanged in current mainline):\n\n```python\ndef fnmatch(name, pat):\n    ...\n    name = os.path.normcase(name)\n    pat = os.path.normcase(pat)\n    return fnmatchcase(name, pat)\n```\n\n## Fix\n\nReplace `fnmatch.fnmatch` with `fnmatch.fnmatchcase`, which is explicitly documented as \"not applying case normalization\", so it behaves identically across platforms.\n\n## Attack\n\n1. A TUF repository with two path-based delegations whose patterns differ only in case \u2014 for example, `Foo/*` and `foo/*`.\n2. The \"attacker\" delegation is listed BEFORE the \"legit\" delegation in the delegation order.\n3. The client searches for `foo/something`: on Windows, it will find the \"attacker\" provided target \"Foo/something\".\n\n\n## Exploitability caveats \n\n* The attack needs a repository configuration with case-colliding delegation path patterns. The attacker must control one of the delegated roles.\n* Delegation ordering matters: the attacker-controlled role must be visited BEFORE the legit role in the pre-order walk.\n* The client must run on Windows. No effect on Linux/macOS.\n\n## Credit\n\nReporter: Koda Reef @kodareef5 \nAdvisory edits: Jussi Kukkonen @jku",
  "id": "GHSA-qp9x-wp8f-qgjj",
  "modified": "2026-05-28T22:46:13Z",
  "published": "2026-05-28T22:46:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-qp9x-wp8f-qgjj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/theupdateframework/python-tuf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theupdateframework/python-tuf/releases/tag/v7.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "tuf has platform-dependent delegation path matching"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…