Bug 2119444
| Summary: | GHSA-gqf4-p3gv-g8vw: ed25519: Invalid out of bound reads | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Luca BRUNO <lucab> |
| Component: | ostree | Assignee: | Luca BRUNO <lucab> |
| Status: | CLOSED ERRATA | QA Contact: | RHCOS SST QE <rhcos-sst-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.7 | CC: | hhei |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.7 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ostree-2022.2-5.el8 | Doc Type: | Bug Fix |
| Doc Text: |
The ed25519 signature verification code did not check that the signature has the correct length.
This is believed to be a low severity issue, with practical impact is a local denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-11-08 09:39:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Luca BRUNO
2022-08-18 14:58:23 UTC
Hi Luca, would you help to provide some suggestions about how to do the verify? Thanks! I don't exactly know, sorry. We do have a test-case for this in the upstream CI, see https://github.com/ostreedev/ostree/commit/e0417957ea1578032da505947ec9cac299015446. You may try extracting that into an equivalent set of CLI commands. I did this backport for proactive code hardening/patching, but it turned out that the original logic is only reachable if ostree is built with the `sign-ed25519` feature. The RHEL8 package is currently built without that feature. That means that there are no direct security concerns, and also that this backport may not have any directly verifiable/observable effects. Based on Comment 8, mark it as verified from the source code point of view [core@cosa-devsh ~]$ ostree --version libostree: Version: '2022.2' Git: a332611316fee36b1c630f8b266e4a37f77f2c54 Features: - libcurl - libsoup - gpgme - libarchive - selinux - openssl - libmount - systemd - release - p2p [core@cosa-devsh ~]$ rpm -q ostree ostree-2022.2-5.el8.x86_64 And thanks Luca a lot for the confirmation! Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ostree bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7557 |