Source: in-toto
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for in-toto.

CVE-2023-32076[0]:
| in-toto is a framework to protect supply chain integrity. The in-toto
| configuration is read from various directories and allows users to
| configure the behavior of the framework. The files are from
| directories following the XDG base directory specification. In
| versions 1.4.0 and prior, among the files read is `.in_totorc` which
| is a hidden file in the directory in which in-toto is run. If an
| attacker controls the inputs to a supply chain step, they can mask
| their activities by also passing in an `.in_totorc` file that includes
| the necessary exclude patterns and settings. RC files are widely used
| in other systems and security issues have been discovered in their
| implementations as well. Maintainers found in their conversations with
| in-toto adopters that `in_totorc` is not their preferred way to
| configure in-toto. As none of the options supported in `in_totorc` is
| unique, and can be set elsewhere using API parameters or CLI
| arguments, the maintainers decided to drop support for `in_totorc`.
| in-toto's `user_settings` module has been dropped altogether in commit
| 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox
| functionary code as a security measure.

https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
https://github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afd

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32076
    https://www.cve.org/CVERecord?id=CVE-2023-32076

Please adjust the affected versions in the BTS as needed.
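Added illustration (not part of the bug report or of in-toto's own code): a pre-flight check a pipeline could run before an in-toto step while still on an affected release. It flags an installed version of 1.4.0 or prior, and it flags rc files named `.in_totorc` in the working directory or shipped inside the step's inputs, which is the masking technique the advisory describes. The undotted `in_totorc` name, and the XDG lookup (`$XDG_CONFIG_HOME` or `~/.config`, `$XDG_CONFIG_DIRS` or `/etc/xdg`), are assumptions drawn from the spec's defaults rather than from the advisory, and the sample directory tree in `demo()` is constructed for the example.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Names the advisory mentions: a hidden `.in_totorc` in the working
# directory. Checking the undotted `in_totorc` too is an assumption.
RC_NAMES = ("in_totorc", ".in_totorc")

# Advisory: versions 1.4.0 and prior are affected.
LAST_AFFECTED = (1, 4, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.4.0', '1.4' or '1.4.0rc1' into a comparable 3-tuple.
    Trailing non-digits in a component are dropped ('0rc1' -> 0)."""
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected_version(version: str) -> bool:
    """True when the installed in-toto is 1.4.0 or older."""
    return parse_version(version) <= LAST_AFFECTED


def find_rc_files(root: str) -> List[str]:
    """Recursively list rc files under `root` (e.g. the step's materials)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in RC_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def xdg_config_candidates(env: Dict[str, str]) -> List[str]:
    """Places an rc file could sit under the XDG base directory spec.
    The exact lookup in-toto used is not in the advisory; these are the
    spec's defaults (assumption)."""
    home = env.get("XDG_CONFIG_HOME") or os.path.join(env.get("HOME", "~"), ".config")
    dirs = env.get("XDG_CONFIG_DIRS") or "/etc/xdg"
    return [os.path.join(d, n) for d in [home] + dirs.split(":") for n in RC_NAMES]


def preflight(materials_dir: str, cwd: str, in_toto_version: str,
              env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings; an empty list means the step is clear to run."""
    env = dict(os.environ) if env is None else env
    findings: List[str] = []
    seen = set()
    if is_affected_version(in_toto_version):
        findings.append(f"in-toto {in_toto_version} is affected by CVE-2023-32076; "
                        "upgrade to a release that dropped user_settings")
    for name in RC_NAMES:  # rc file in the directory in-toto is run from
        path = os.path.join(cwd, name)
        if os.path.exists(path) and path not in seen:
            seen.add(path)
            findings.append(f"rc file in working directory: {path}")
    for path in find_rc_files(materials_dir):  # rc file smuggled in with inputs
        if path not in seen:
            seen.add(path)
            findings.append(f"rc file shipped with step inputs: {path}")
    for path in xdg_config_candidates(env):
        full = os.path.expanduser(path)
        if os.path.exists(full) and full not in seen:
            seen.add(full)
            findings.append(f"rc file in XDG config location: {full}")
    return findings


def demo() -> List[str]:
    """Constructed scenario: an attacker-supplied input tree carrying a
    hidden `.in_totorc`, checked against an affected in-toto 1.4.0."""
    base = tempfile.mkdtemp(prefix="intoto-preflight-")
    materials = os.path.join(base, "materials", "src")
    os.makedirs(materials)
    with open(os.path.join(materials, ".in_totorc"), "w") as fh:
        fh.write("[settings]\nARTIFACT_EXCLUDE_PATTERNS = *\n")  # constructed
    env = {"XDG_CONFIG_HOME": os.path.join(base, "no-such-xdg"),
           "XDG_CONFIG_DIRS": os.path.join(base, "no-such-xdg-dirs")}
    return preflight(os.path.join(base, "materials"), base, "1.4.0", env)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

The check is a stop-gap for hosts still on an affected package: the real fix is the upgrade that removed `user_settings`, after which no rc file is read at all, so the rc-file scan then only serves to reject inputs that contain such files as suspicious.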