Bug 2160363 (CVE-2022-46176)

Summary: CVE-2022-46176 rust-cargo: cargo lacking ssh host key checking
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bodavis, emachado, jcajka, jchecahi, jistone, mnewsome, sipoyare, tstellar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-15 10:30:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2160364, 2160365, 2160366, 2160367, 2160368, 2160369, 2160370, 2160372
Bug Blocks: 2160219

Description Sandipan Roy 2023-01-12 07:23:20 UTC
Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks. This vulnerability has been assigned CVE-2022-46176. All Rust versions containing Cargo before 1.66.1 are vulnerable.

Note that even if you don't explicitly use SSH for alternate registry indexes or crate dependencies, you might be affected by this vulnerability if you have configured git to replace HTTPS connections to GitHub with SSH (through git's `url.<base>.insteadOf` setting), as that'd cause you to clone the crates.io index through SSH.

Rust 1.66.1 will ensure Cargo checks the SSH host key and abort the connection if the server's public key is not already trusted. We recommend everyone to upgrade as soon as possible.

https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
https://github.com/rust-lang/cargo/security/advisories/GHSA-r5w3-xm58-jv6j
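An added defender-side audit for the two conditions the description names (a Cargo older than the 1.66.1 fix, and a git `url.<base>.insteadOf` rule that silently turns HTTPS URLs into SSH remotes). This is example code written for this page, not code from the report or from Cargo; the sample `git config` lines and version strings are constructed, and the `audit`, `cargo_vulnerable`, `cargo_version_of` and `ssh_rewrites` function names are the example's own.

```shell
# Added audit helper for CVE-2022-46176 (example code, not part of this report or
# of Cargo): flags a Cargo older than the 1.66.1 fix and any git insteadOf rule
# that turns HTTPS URLs into SSH remotes, routing index clones through SSH.

# Extract "1.66.1" from a `cargo --version` line such as "cargo 1.66.1 (...)".
cargo_version_of() {
    line=${1#cargo }
    printf '%s\n' "${line%% *}"
}

# Return 0 (true) when VERSION is older than 1.66.1 and therefore affected.
cargo_vulnerable() {
    v=$1
    major=${v%%.*}; v=${v#"$major"}; v=${v#.}
    minor=${v%%.*}; v=${v#"$minor"}; v=${v#.}
    patch=${v%%[!0-9]*}            # "1.66" -> 0, "1.66.0-nightly" -> 0
    [ -n "$patch" ] || patch=0
    [ $((major * 1000000 + minor * 1000 + patch)) -lt 1066001 ]
}

# Read "url.<base>.insteadof <url>" lines, as printed by
# `git config --get-regexp '^url\..*\.insteadof$'`, and print each rule
# whose <url> is http(s):// and whose <base> is an SSH remote.
ssh_rewrites() {
    while read -r key value; do
        base=${key#url.}; base=${base%.insteadof}
        case $value in http://*|https://*) ;; *) continue ;; esac
        case $base in
            http://*|https://*) ;;
            ssh://*|*@*:*) printf '%s -> %s\n' "$value" "$base" ;;
        esac
    done
}

# Constructed sample of git config output; only the last two rules matter.
SAMPLE_CONFIG='url.https://gitlab.example.com/.insteadof git://gitlab.example.com/
url.git@github.com:.insteadof https://github.com/
url.ssh://git@internal.example/.insteadof https://internal.example/'

audit() {   # $1: `cargo --version` output, $2: git insteadOf rules
    ver=$(cargo_version_of "$1")
    cargo_vulnerable "$ver" && echo "cargo $ver lacks SSH host key checking (fixed in 1.66.1)"
    printf '%s\n' "$2" | ssh_rewrites | sed 's/^/https->ssh rewrite: /'
}
audit "cargo 1.65.0 (constructed 2022-11-03)" "$SAMPLE_CONFIG"
# Live check of this machine, skipped when cargo or git is not installed.
if command -v cargo >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    audit "$(cargo --version)" "$(git config --get-regexp '^url\..*\.insteadof$' || true)"
fi
```

The live check only reads the effective git configuration (system, global and repository scopes), so run it from inside the project directory whose builds you are auditing.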

Comment 1 Sandipan Roy 2023-01-12 07:27:20 UTC
Created rust tracking bugs for this issue:

Affects: epel-7 [bug 2160367]
Affects: fedora-36 [bug 2160368]
Affects: fedora-37 [bug 2160369]


Created rust-cargo tracking bugs for this issue:

Affects: fedora-all [bug 2160364]

Comment 5 Product Security DevOps Team 2023-01-15 10:30:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-46176