Bug 2267820

Summary: The signature verification can be bypassed.
Product: [Fedora] Fedora
Reporter: Björn Persson <bjorn>
Component: git-lfs
Assignee: Elliott Sales de Andrade <quantum.analyst>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 42
CC: carl, go-sig, opohorel, quantum.analyst
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2025-09-18 17:28:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2361705, 2267819
Bug Blocks:

Description Björn Persson 2024-03-04 21:13:10 UTC
The signature verification in git-lfs.spec, as currently written, is vulnerable to spoofing.

There's a treacherous pitfall with clearsigned files like sha256sums.asc: A clearsigned block can be surrounded by unsigned text. An attacker could make a malicious tarball and pass it off as a new version of Git-LFS. The attacker would take a genuine signed sha256sums.asc and add the SHA-256 sum of the malicious tarball above or below the clearsigned block. gpgv2 would verify only the contents of the clearsigned block and report that the signature is valid. Then sha256sum would verify the tarball against the unsigned checksum and report that it matches. Thus the attack has bypassed the signature verification.

The way to prevent such attacks is to have gpgv2 write the verified data to an output file, omitting any surrounding unsigned text, and then trust only the contents of the output file.

The best solution is to get this improved version of gpgverify merged:

https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/261

Then git-lfs.spec should be changed to use that, and pass its output file to sha256sum instead of the clearsigned file.

(Actually the very best solution would be if the Git-LFS developers would skip the sha256sum step and just sign their tarballs directly.)
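The spoofing attack and the gpgv output-file fix described above, as an added shell demonstration that is not part of this bug report, of git-lfs.spec, or of the Git-LFS project: it generates a throwaway signing key, clearsigns a sha256sums file covering one tarball, appends an unsigned checksum line for a second tarball after the clearsigned block, and then runs the vulnerable check ("gpgv the file, then read the checksum from that same file") next to the fixed one ("gpgv --output, then read the checksum from the output file only"). The key identity, the file names and the tarball contents are made up for the demo; it assumes gpg and gpgv from GnuPG 2.1 or later (for gpgv --output) and coreutils sha256sum on PATH, and calls gpgv directly rather than through the Fedora %gpgverify macro.

```sh
#!/bin/sh
# Added demonstration, not code from git-lfs.spec or from Git-LFS upstream.
# Assumes gpg, gpgv (GnuPG >= 2.1) and coreutils sha256sum on PATH.
set -eu

if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgv >/dev/null 2>&1; then
    echo "gpg/gpgv not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
KEYRING="$WORK/keyring.gpg"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Throwaway "upstream" key; the name and address are made up for the demo.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Upstream <upstream@example.invalid>' default default never
gpg --batch --quiet --export > "$KEYRING"        # gpgv expects a binary keyring

# Constructed release artefacts: the genuine tarball and the attacker's one.
printf 'genuine release\n'   > "$WORK/git-lfs-genuine.tar.gz"
printf 'malicious payload\n' > "$WORK/git-lfs-evil.tar.gz"

# Upstream clearsigns a checksum file that covers only the genuine tarball.
(cd "$WORK" && sha256sum git-lfs-genuine.tar.gz > sha256sums)
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --clearsign --output "$WORK/sha256sums.asc" "$WORK/sha256sums"

# The attack: leave the genuine clearsigned block untouched and append an
# unsigned checksum line for the malicious tarball after it.  Prepending the
# line above the block works the same way; gpgv ignores text outside it.
{
    cat "$WORK/sha256sums.asc"
    (cd "$WORK" && sha256sum git-lfs-evil.tar.gz)
} > "$WORK/sha256sums-spoofed.asc"

# Vulnerable pattern: verify the signature on the whole file, then look up the
# checksum for the tarball in that same file.  Returns 0 if the tarball passes.
naive_check() {
    asc=$1; tarball=$2
    gpgv --keyring "$KEYRING" "$asc" 2>/dev/null || return 1
    (cd "$(dirname "$tarball")" &&
     grep -F -- "  $(basename "$tarball")" "$asc" | sha256sum -c --status -)
}

# Fixed pattern: have gpgv write out only the data it actually verified and
# look the checksum up in that output file, never in the clearsigned input.
strict_check() {
    asc=$1; tarball=$2
    verified="$WORK/verified.txt"
    rm -f "$verified"
    gpgv --keyring "$KEYRING" --output "$verified" "$asc" 2>/dev/null || return 1
    (cd "$(dirname "$tarball")" &&
     grep -F -- "  $(basename "$tarball")" "$verified" | sha256sum -c --status -)
}

# report LABEL CHECK ASC TARBALL: print whether CHECK accepts TARBALL.
report() {
    if "$2" "$3" "$4"; then
        echo "$1: $(basename "$4") ACCEPTED"
    else
        echo "$1: $(basename "$4") REJECTED"
    fi
}

report naive  naive_check  "$WORK/sha256sums-spoofed.asc" "$WORK/git-lfs-evil.tar.gz"
report strict strict_check "$WORK/sha256sums-spoofed.asc" "$WORK/git-lfs-evil.tar.gz"
report strict strict_check "$WORK/sha256sums-spoofed.asc" "$WORK/git-lfs-genuine.tar.gz"
```

Run as a plain script: the naive check accepts the malicious tarball because gpgv reports a good signature on the clearsigned block and sha256sum then happily reads the unsigned line appended after it, while the strict check rejects it because the appended line never reaches gpgv's output file; the genuine tarball still passes the strict check, so the fix costs nothing for legitimate releases.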

Comment 1 Aoife Moloney 2025-02-26 12:59:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.

Comment 2 Björn Persson 2025-09-18 17:28:10 UTC
This was fixed four months ago.