Bug 2268513 (CVE-2024-2307) - CVE-2024-2307 osbuild-composer: race condition may disable GPG verification for package repositories
Keywords:
Status: NEW
Alias: CVE-2024-2307
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270310
Blocks: 2268352
Reported: 2024-03-07 22:51 UTC by Robb Gatica
Modified: 2024-04-19 07:59 UTC (History)

Fixed In Version: osbuild-composer 94
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-03-07 22:51:36 UTC
Description:
A race condition in osbuild-composer can cause GPG verification to be disabled for package repositories. Triggering this behavior requires adding not only the third-party repo with RPMs you wish to gpg-check, but an additional repo with gpg-checking disabled. There is code in the affected versions of osbuild-composer that causes third-party repos to unintentionally share the checkgpg setting, and in some cases the insecure setting wins. 

This issue was addressed and fixed internally (for an unrelated bug) in https://github.com/osbuild/osbuild-composer/commit/b786178077a23bc6aca9f65ee58651bd4dfb1244, which was included in osbuild-composer 94. This issue might need to be backported to currently supported RHEL versions that do not have this commit. The associated GitHub Security Advisory is not yet public, so this bug is currently embargoed.

Impact:
This can lead to installing untrusted code into an image being built.

Affected versions: previous versions < 94 

I'll add the PoC/Steps to reproduce ASAP.

Comment 4 Robb Gatica 2024-03-19 15:35:13 UTC
Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2270310]
