Bug 2268513 (CVE-2024-2307)

Summary: CVE-2024-2307 osbuild-composer: race condition may disable GPG verification for package repositories

Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Robb Gatica <rgatica>
Assignee: Product Security <prodsec-ir-bot>
CC: atodorov, security-response-team, thozza
Keywords: Security
Fixed In Version: osbuild-composer 94
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.
Bug Depends On: 2270310
Bug Blocks: 2268352

Description Robb Gatica 2024-03-07 22:51:36 UTC
Description:
A race condition in osbuild-composer can cause GPG verification to be disabled for package repositories. Triggering this behavior requires adding not only the third-party repo with RPMs you wish to gpg-check, but an additional repo with gpg-checking disabled. There is code in the affected versions of osbuild-composer that causes third-party repos to unintentionally share the checkgpg setting, and in some cases the insecure setting wins. 

This issue was addressed and fixed internally (for an unrelated bug) in https://github.com/osbuild/osbuild-composer/commit/b786178077a23bc6aca9f65ee58651bd4dfb1244, which was included in osbuild-composer 94. This issue might need to be backported to currently supported RHEL versions that do not have this commit. The associated GitHub Security Advisory is not yet public, so this bug is currently embargoed.

Impact:
This can lead to installing untrusted code into an image being built.

Affected versions: previous versions < 94 

I'll add the PoC/Steps to reproduce ASAP.
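
The failure class the report describes, third-party repos unintentionally sharing one checkgpg setting so that a repo with checking disabled can switch it off for a repo that supplied a key, is illustrated below. This is an added, constructed Go example written for this page; it is not osbuild-composer code, not the commit referenced above, and the `Repo` type, the merge functions and the sample repos are all hypothetical. It contrasts a merge that hands every repo a pointer to one shared value with a merge that gives each repo its own copy, and adds the check a build pipeline would want: refuse to proceed if any repo that supplied a GPG key ends up unverified.

```go
package main

import "fmt"

// Repo is a simplified, hypothetical model of a package repository as a
// build pipeline might carry it. It is NOT the osbuild-composer type.
type Repo struct {
	Name     string
	BaseURL  string
	GPGKey   string
	CheckGPG *bool // nil means "use the pipeline default"
}

// Pipeline-level default: verify package signatures.
var defaultCheckGPG = true

// mergeReposShared models the unsafe pattern: a single CheckGPG value is
// reused for every custom repo, so each repo's CheckGPG pointer aliases
// the same variable and whichever repo is processed last decides for all
// of them. A repo with checking disabled therefore wins over a repo that
// explicitly asked for verification.
func mergeReposShared(repos []Repo) []Repo {
	shared := defaultCheckGPG
	out := make([]Repo, 0, len(repos))
	for _, r := range repos {
		if r.CheckGPG != nil {
			shared = *r.CheckGPG // overwrites the value every earlier repo points to
		}
		r.CheckGPG = &shared
		out = append(out, r)
	}
	return out
}

// mergeReposPerRepo is the hardened form: each repo gets its own copy of
// the setting, so one repo's choice cannot leak into another.
func mergeReposPerRepo(repos []Repo) []Repo {
	out := make([]Repo, 0, len(repos))
	for _, r := range repos {
		v := defaultCheckGPG
		if r.CheckGPG != nil {
			v = *r.CheckGPG
		}
		r.CheckGPG = &v // v is a fresh variable on every iteration
		out = append(out, r)
	}
	return out
}

// unverifiedKeyedRepos returns the names of repos that supplied a GPG key
// but would be consumed without signature verification. A pipeline should
// fail the build when this is non-empty: the repo owner clearly intended
// verification, so an unverified fetch is a MITM window.
func unverifiedKeyedRepos(repos []Repo) []string {
	var bad []string
	for _, r := range repos {
		if r.GPGKey != "" && r.CheckGPG != nil && !*r.CheckGPG {
			bad = append(bad, r.Name)
		}
	}
	return bad
}

func boolPtr(b bool) *bool { return &b }

// sampleRepos is constructed input: a signed third-party repo followed by
// a second repo with GPG checking disabled, the combination the report
// says is needed to trigger the behaviour. URLs and key are placeholders.
func sampleRepos() []Repo {
	return []Repo{
		{
			Name:     "thirdparty-signed",
			BaseURL:  "https://repo.example.invalid/signed",
			GPGKey:   "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n-----END PGP PUBLIC KEY BLOCK-----",
			CheckGPG: boolPtr(true),
		},
		{
			Name:     "thirdparty-unsigned",
			BaseURL:  "https://repo.example.invalid/unsigned",
			CheckGPG: boolPtr(false),
		},
	}
}

func main() {
	merges := map[string]func([]Repo) []Repo{
		"shared setting":   mergeReposShared,
		"per-repo setting": mergeReposPerRepo,
	}
	for name, merge := range merges {
		merged := merge(sampleRepos())
		fmt.Printf("%-17s unverified repos that supplied a key: %v\n", name+":", unverifiedKeyedRepos(merged))
	}
}
```

With the shared-setting merge the signed repo reports `CheckGPG=false` and is flagged by `unverifiedKeyedRepos`; with the per-repo merge each repo keeps the value it was given and nothing is flagged. The check is cheap to run right before the package-fetch stage and turns a silent downgrade into a failed build.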

Comment 4 Robb Gatica 2024-03-19 15:35:13 UTC
Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2270310]

Comment 8 errata-xmlrpc 2024-04-30 09:33:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2119 https://access.redhat.com/errata/RHSA-2024:2119