You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The TUF spec states that the root metadata should be updated by continuing to try to update to version N+1 metadata until we get a not-found error. However, rust-tuf doesn't follow this scheme. Instead, Client::update_root fetches the latest root metadata, then sequentially updates from the current root version through the latest version. Unfortunately, this exposes the client to parsing untrusted TUF metadata. It's theoretically possible a parser exploit that could compromise a rust-tuf Client (see #291).
We should change Client::update_root to follow the spec to avoid this issue.
The text was updated successfully, but these errors were encountered:
The TUF spec states that the root metadata should be updated by continuing to try to update to version N+1 metadata until we get a not-found error. However, rust-tuf doesn't follow this scheme. Instead,
Client::update_rootfetches the latest root metadata, then sequentially updates from the current root version through the latest version. Unfortunately, this exposes the client to parsing untrusted TUF metadata. It's theoretically possible a parser exploit that could compromise a rust-tufClient(see #291).We should change
Client::update_rootto follow the spec to avoid this issue.The text was updated successfully, but these errors were encountered: