GHSA-G27R-R6PH-VF5R

Vulnerability from github – Published: 2026-05-04 22:28 – Updated: 2026-05-04 22:28
VLAI?
Summary
sequoia-git has broken hard revocation handling
Details

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies that it had already seen keyed on the policy's hash. Unfortunately, due to a bug the hash was truncated to be 0 bytes and thus only hard revocations in the target commit were considered. Normally this is not a problem as hard revocations are not removed from the signing policy.

An attacker could nevertheless exploit this flaw as follows. Consider Alice and Bob who maintain a project together. If Bob's certificate is compromised and Bob issues a hard revocation, Alice can add it to the project's signing policy. An attacker who has access to Bob's key can then create a merge request that strips the hard revocation. If Alice merges Bob's merge request, then the latest commit will not carry the hard revocation, and sq-git will not see the hard revocation when authenticating that commit or any following commits.

Note: for this attack to be successful, Alice needs to be tricked into merging the malicious MR. If Alice is reviewing MRs, then she is likely to notice changes to the signing policy.

Reported-by: Hassan Sheet

Severity ?
1.8 (Low)
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "sequoia-git"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-299"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T22:28:50Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Before `sq-git` checks if a commit can be authenticated, it first looks for hard revocations.  Because parsing a policy is expensive\nand a project\u0027s policy rarely changes, `sq-git` has an optimization to only check a policy if it hasn\u0027t checked it before.  It does this by maintaining a set of policies that it had already seen keyed on the policy\u0027s hash.  Unfortunately, due to a bug the hash was truncated to be 0 bytes and thus only hard revocations in the target commit were considered.  Normally this is not a problem as hard revocations are not removed from the signing policy.\n\nAn attacker could nevertheless exploit this flaw as follows. Consider Alice and Bob who maintain a project together.  If Bob\u0027s\ncertificate is compromised and Bob issues a hard revocation, Alice can add it to the project\u0027s signing policy.  An attacker who has\naccess to Bob\u0027s key can then create a merge request that strips the hard revocation.  If Alice merges Bob\u0027s merge request, then\nthe latest commit will not carry the hard revocation, and `sq-git` will not see the hard revocation when authenticating that commit or any following commits.\n\nNote: for this attack to be successful, Alice needs to be tricked into merging the malicious MR.  If Alice is reviewing MRs, then she is likely to notice changes to the signing policy.\n\nReported-by: Hassan Sheet",
  "id": "GHSA-g27r-r6ph-vf5r",
  "modified": "2026-05-04T22:28:50Z",
  "published": "2026-05-04T22:28:50Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://gitlab.com/sequoia-pgp/sequoia-git"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/sequoia-pgp/sequoia-git/-/commit/f9c9074bd80023456221f09c3c4ff19957ee9c58"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0109.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "sequoia-git has broken hard revocation handling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.