
rust-tuf should not deserialize metadata until it has been verified

Open erickt opened this issue 5 years ago • 0 comments

It's possible that a parser bug could allow a man-in-the-middle attacker to compromise a system. None have been found so far in serde_json, but other parsers have had bugs like this; see CVE-2017-18349. We would like to modify rust-tuf to only deserialize metadata after it has been verified, either by hash or signature.

Unfortunately, there are a few challenges here.

  • POUF-1 embeds the signatures into the role metadata.
  • The TUF-1.0.5 spec itself implies that metadata is parsed before validation in sections 5.3.1 and 5.4.1 in order to verify metadata versions before signatures. In https://github.com/theupdateframework/specification/pull/112, I've proposed moving this check to after signature verification.
  • rust-tuf isn't careful about when deserialization happens.

We should address these to protect ourselves from these attacks.

erickt, Sep 17 '20 18:09
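The "verified by hash" ordering the issue asks for, as an added example that is not rust-tuf code and not part of the original issue: the raw bytes are checked against a length and SHA-256 digest taken from already-trusted metadata, and the JSON parser only runs if both match. It is written in Python with the standard library so it runs as-is; `load_verified_json`, `MAX_METADATA_BYTES`, and the sample document are assumptions made for the illustration, and the signature case is not covered because POUF-1 keeps the signatures inside the document being checked.

```python
import hashlib
import hmac
import json

MAX_METADATA_BYTES = 64 * 1024  # assumed upper bound for this example


class VerificationError(Exception):
    """Raised when raw bytes fail a check; the parser is never reached."""


def load_verified_json(raw, expected_len, expected_sha256, parse=json.loads):
    """Check length and SHA-256 of the raw bytes, and only then parse them."""
    if expected_len > MAX_METADATA_BYTES or len(raw) != expected_len:
        raise VerificationError("length mismatch")
    digest = hashlib.sha256(raw).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(digest.encode(), expected_sha256.lower().encode()):
        raise VerificationError("sha256 mismatch")
    return parse(raw)


def demo():
    """Return (parsed version, tampered copy rejected?, number of parser calls)."""
    calls = []

    def counting_parse(data):
        calls.append(len(data))  # record every time untrusted bytes reach the parser
        return json.loads(data)

    # Constructed sample metadata; not taken from a real repository.
    raw = b'{"signed":{"_type":"targets","version":3},"signatures":[]}'
    # Stands in for the length/hash entry a verified snapshot role would carry.
    trusted = {"length": len(raw), "sha256": hashlib.sha256(raw).hexdigest()}

    ok = load_verified_json(raw, trusted["length"], trusted["sha256"], counting_parse)

    # Same length, different content: must fail on the hash, before parsing.
    tampered = raw.replace(b'"version":3', b'"version":9')
    try:
        load_verified_json(tampered, trusted["length"], trusted["sha256"], counting_parse)
        rejected = False
    except VerificationError:
        rejected = True
    return ok["signed"]["version"], rejected, len(calls)


if __name__ == "__main__":
    print(demo())
```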