GHSA-g27r-r6ph-vf5r: sequoia-git has broken hard revocation handling

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project’s policy rarely changes, sq-git has an optimization to only check a policy if it hasn’t checked it before. It does this by maintaining a set of policies that it had already seen keyed on the policy’s hash. Unfortunately, due to a bug the hash was truncated to be 0 bytes and thus only hard revocations in the target commit were considered. Normally this is not a problem as hard revocations are not removed from the signing policy.

An attacker could nevertheless exploit this flaw as follows. Consider Alice and Bob who maintain a project together. If Bob’s certificate is compromised and Bob issues a hard revocation, Alice can add it to the project’s signing policy. An attacker who has access to Bob’s key can then create a merge request that strips the hard revocation. If Alice merges Bob’s merge request, then the latest commit will not carry the hard revocation, and sq-git will not see the hard revocation when authenticating that commit or any following commits.

Note: for this attack to be successful, Alice needs to be tricked into merging the malicious MR. If Alice is reviewing MRs, then she is likely to notice changes to the signing policy.

Reported-by: Hassan Sheet