Bug 2163614 (CVE-2023-22742) - CVE-2023-22742 libgit2: fails to verify SSH keys by default
Summary: CVE-2023-22742 libgit2: fails to verify SSH keys by default
Keywords:
Status: NEW
Alias: CVE-2023-22742
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2163623 2163624 2163625 2163626 2163627 2163628 2163629 2163630 2163631
Blocks: 2163515
TreeView+ depends on / blocked
 
Reported: 2023-01-24 04:44 UTC by TEJ RATHI
Modified: 2023-09-26 21:16 UTC (History)
7 users (show)

Fixed In Version: libgit2 1.4.5, libgit2 1.5.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libgit2, a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure. If a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default, without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a Man-in-the-middle attack.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description TEJ RATHI 2023-01-24 04:44:06 UTC
libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.

https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50e56
https://github.com/libgit2/libgit2/releases/tag/v1.5.1
https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq
https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58ea
https://github.com/libgit2/libgit2/releases/tag/v1.4.5
https://www.libssh2.org

Comment 2 Sandipan Roy 2023-01-24 05:30:15 UTC
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 2163623]


Created rust tracking bugs for this issue:

Affects: epel-all [bug 2163624]
Affects: fedora-all [bug 2163625]


Created rust-libgit2-sys tracking bugs for this issue:

Affects: fedora-all [bug 2163626]


Created rust-libgit2-sys0.12 tracking bugs for this issue:

Affects: fedora-all [bug 2163627]


Note You need to log in before you can comment on or make changes to this bug.