GHSA-vxvc-cg7j-rwqj

Summary

An attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys.

Impact

gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf's TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy’s root metadata is signed by the required threshold of the current policy's root keys.

Because of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy's set of root keys), thereby rolling back gittuf's policy to the attacker's chosen state.

Note that the attacker cannot roll back the policy to one that would no longer be trusted by the most recent policy's root keys. As an example, say that Policy A's root keys were for Alice and Bob with a threshold of two, and then Policy B replaced Bob with Carol, with a threshold of two required. An attacker would not be able to roll back the policy to policy A, because it was signed by Alice and Bob, not Alice and Carol.

If you host your repository on a forge such as GitHub, GitLab, Bitbucket, etc., and only certain people are allowed to push to the RSL (e.g. only maintainers of your project have push access to the repository, and all other contributions must be done via pull request), then only those users with push access can perform the attack, or the forge itself.

Fix

gittuf version v0.14.0 introduces a monotonically increasing number to all policy metadata (not to be confused with the metadata version, which dictates the features supported by the metadata). This number is incremented whenever a gittuf client of version v0.14.0 or greater updates the metadata or invokes a patch command to add...