rustsec-2026-0109
Vulnerability from osv_rustsec
Published
2026-04-21 12:00
Modified
2026-04-24 09:17
Summary
Broken hard revocation handling
Details

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies that it had already seen keyed on the policy's hash. Unfortunately, due to a bug the hash was truncated to be 0 bytes and thus only hard revocations in the target commit were considered. Normally this is not a problem as hard revocations are not removed from the signing policy.

An attacker could nevertheless exploit this flaw as follows. Consider Alice and Bob who maintain a project together. If Bob's certificate is compromised and Bob issues a hard revocation, Alice can add it to the project's signing policy. An attacker who has access to Bob's key can then create a merge request that strips the hard revocation. If Alice merges Bob's merge request, then the latest commit will not carry the hard revocation, and sq-git will not see the hard revocation when authenticating that commit or any following commits.

Note: for this attack to be successful, Alice needs to be tricked into merging the malicious MR. If Alice is reviewing MRs, then she is likely to notice changes to the signing policy.

Reported-by: Hassan Sheet

Severity
1.8 (Low)
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "sequoia-git",
        "purl": "pkg:cargo/sequoia-git"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.6.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Before `sq-git` checks if a commit can be authenticated, it first\nlooks for hard revocations.  Because parsing a policy is expensive\nand a project\u0027s policy rarely changes, `sq-git` has an\noptimization to only check a policy if it hasn\u0027t checked it\nbefore.  It does this by maintaining a set of policies that it had\nalready seen keyed on the policy\u0027s hash.  Unfortunately, due to a\nbug the hash was truncated to be 0 bytes and thus only hard\nrevocations in the target commit were considered.  Normally this\nis not a problem as hard revocations are not removed from the\nsigning policy.\n\nAn attacker could nevertheless exploit this flaw as follows.\nConsider Alice and Bob who maintain a project together.  If Bob\u0027s\ncertificate is compromised and Bob issues a hard revocation, Alice\ncan add it to the project\u0027s signing policy.  An attacker who has\naccess to Bob\u0027s key can then create a merge request that strips\nthe hard revocation.  If Alice merges Bob\u0027s merge request, then\nthe latest commit will not carry the hard revocation, and `sq-git`\nwill not see the hard revocation when authenticating that commit or\nany following commits.\n\nNote: for this attack to be successful, Alice needs to be tricked\ninto merging the malicious MR.  If Alice is reviewing MRs, then\nshe is likely to notice changes to the signing policy.\n\nReported-by: Hassan Sheet",
  "id": "RUSTSEC-2026-0109",
  "modified": "2026-04-24T09:17:50Z",
  "published": "2026-04-21T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/sequoia-git"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0109.html"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/sequoia-pgp/sequoia-git/-/commit/f9c9074bd80023456221f09c3c4ff19957ee9c58"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Broken hard revocation handling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.