Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13YzY0LWM1cnYtMzJwZs4AAzSm

in-toto vulnerable to Configuration Read From Local Directory

Impact

The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are read from directories that follow the XDG base directory specification [1]. Among the files read is .in_totorc, a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in a .in_totorc file that includes the necessary exclude patterns and settings.

RC files are widely used in other systems [2], and security issues have been discovered in their implementations as well [3]. We found in our conversations with in-toto adopters that in_totorc is not their preferred way to configure in-toto. As none of the options supported in in_totorc is unique, and all of them can be set elsewhere using API parameters or CLI arguments, we decided to drop support for in_totorc.
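A pre-flight guard a functionary or CI wrapper could run before invoking in-toto, as an added example that is not part of the advisory or of in-toto's own code. It checks the two facts the advisory gives: whether the installed release is in the affected range (<= 1.4.0, fixed in 2.0.0) and whether a hidden .in_totorc sits in the working directory. Scanning the step's input tree for the same file name is an extra check beyond the advisory text; the function names, the report layout and the placeholder rc contents are this example's own assumptions, since the page does not show the rc file format.

```python
"""Pre-flight guard for an in-toto step (added example, not in-toto's code)."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Boundary stated in the advisory: every release <= 1.4.0 is affected, 2.0.0 fixes it.
FIXED_IN = (2, 0, 0)
# File name taken from the advisory.
RC_NAME = ".in_totorc"


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn a dotted release string such as '1.4.0' into a comparable tuple.

    Pre-release or local suffixes are ignored; the releases listed in the
    advisory are all plain major.minor.patch.
    """
    match = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognized version string: {version!r}")
    major, minor, patch = (int(part) if part else 0 for part in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the release predates the 2.0.0 fix."""
    return parse_version(version) < FIXED_IN


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_rc_files(workdir: Path, inputs: Path | None = None) -> list[dict[str, str]]:
    """Report every .in_totorc an in-toto run from `workdir` might pick up.

    The working-directory file is the one the advisory describes. Walking the
    inputs tree as well (an assumption, not from the advisory) flags an rc file
    shipped inside the step's materials before it reaches the top level.
    """
    found: dict[Path, dict[str, str]] = {}
    top = workdir / RC_NAME
    if top.is_file():
        found[top.resolve()] = {"path": str(top), "where": "workdir", "sha256": _sha256(top)}
    if inputs is not None:
        for path in sorted(inputs.rglob(RC_NAME)):
            if path.is_file() and path.resolve() not in found:
                found[path.resolve()] = {"path": str(path), "where": "inputs", "sha256": _sha256(path)}
    return list(found.values())


def preflight(version: str, workdir: Path, inputs: Path | None = None) -> dict:
    """Combine both checks into one verdict a CI wrapper can act on."""
    rc_files = find_rc_files(workdir, inputs)
    affected = is_affected(version)
    return {
        "installed_version": version,
        "affected_version": affected,
        "rc_files": rc_files,
        # Refuse to run only when an affected release could honour an untrusted rc file;
        # on a fixed release the rc file is ignored, so its presence is informational.
        "ok": not (affected and rc_files),
    }


def demo() -> dict[str, dict]:
    """Constructed scenario: a step directory with a planted rc file at the top
    level and another inside the inputs tree, checked against both an affected
    and a fixed release."""
    with tempfile.TemporaryDirectory() as tmp:
        step = Path(tmp)
        placeholder = "# constructed placeholder; the real in_totorc format is not shown on the page\n"
        (step / RC_NAME).write_text(placeholder)
        (step / "src").mkdir()
        (step / "src" / RC_NAME).write_text(placeholder)
        return {ver: preflight(ver, step, step / "src") for ver in ("1.4.0", "2.0.0")}


if __name__ == "__main__":
    for ver, report in demo().items():
        print(ver, "ok" if report["ok"] else "REFUSE", [f["where"] for f in report["rc_files"]])
```

The verdict deliberately keys on the version boundary the advisory publishes: on 2.0.0 and later the rc file is no longer read, so the report still lists it for the audit trail but does not block the step.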

Other Recommendations

Sandbox functionary code as recommended in https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x.

References

[1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
[2] https://spec.editorconfig.org/
[3] https://github.blog/2022-04-12-git-security-vulnerability-announced/

Permalink: https://github.com/advisories/GHSA-wc64-c5rv-32pf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13YzY0LWM1cnYtMzJwZs4AAzSm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 6 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-wc64-c5rv-32pf, CVE-2023-32076
References: Repository: https://github.com/in-toto/docs
Blast Radius: 8.4

Affected Packages

pypi:in-toto
Dependent packages: 2
Dependent repositories: 34
Downloads: 116,309 last month
Affected Version Ranges: <= 1.4.0
Fixed in: 2.0.0
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0
All unaffected versions: 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.3.0