Bug 2163614 (CVE-2023-22742)

Summary: CVE-2023-22742 libgit2: fails to verify SSH keys by default
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bcl, bodavis, emachado, jcajka, jchecahi, sipoyare, tstellar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libgit2 1.4.5, libgit2 1.5.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libgit2, a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure. If a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default, without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a Man-in-the-middle attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2163623, 2163624, 2163625, 2163626, 2163627, 2163628, 2163629, 2163630, 2163631    
Bug Blocks: 2163515    

Description TEJ RATHI 2023-01-24 04:44:06 UTC 
libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.

https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50e56
https://github.com/libgit2/libgit2/releases/tag/v1.5.1
https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq
https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58ea
https://github.com/libgit2/libgit2/releases/tag/v1.4.5
https://www.libssh2.org
Comment 2 Sandipan Roy 2023-01-24 05:30:15 UTC 
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 2163623]


Created rust tracking bugs for this issue:

Affects: epel-all [bug 2163624]
Affects: fedora-all [bug 2163625]


Created rust-libgit2-sys tracking bugs for this issue:

Affects: fedora-all [bug 2163626]


Created rust-libgit2-sys0.12 tracking bugs for this issue:

Affects: fedora-all [bug 2163627]