2163614 – (CVE-2023-22742) CVE-2023-22742 libgit2: fails to verify SSH keys by default

Bug 2163614 (CVE-2023-22742) - CVE-2023-22742 libgit2: fails to verify SSH keys by default

Summary: CVE-2023-22742 libgit2: fails to verify SSH keys by default

Keywords:
Status:	NEW
Alias:	CVE-2023-22742
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2163628 2163623 2163624 2163625 2163626 2163627 2163629 2163630 2163631
Blocks:	2163515
TreeView+	depends on / blocked

Reported:	2023-01-24 04:44 UTC by TEJ RATHI
Modified:	2023-02-22 08:51 UTC (History)
CC List:	8 users (show)
Fixed In Version:	libgit2 1.4.5, libgit2 1.5.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in libgit2, a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure. If a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default, without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a Man-in-the-middle attack.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-01-24 04:44:06 UTC

libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.

https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50e56
https://github.com/libgit2/libgit2/releases/tag/v1.5.1
https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq
https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58ea
https://github.com/libgit2/libgit2/releases/tag/v1.4.5
https://www.libssh2.org

Comment 2 Sandipan Roy 2023-01-24 05:30:15 UTC

Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 2163623]


Created rust tracking bugs for this issue:

Affects: epel-all [bug 2163624]
Affects: fedora-all [bug 2163625]


Created rust-libgit2-sys tracking bugs for this issue:

Affects: fedora-all [bug 2163626]


Created rust-libgit2-sys0.12 tracking bugs for this issue:

Affects: fedora-all [bug 2163627]

Note You need to log in before you can comment on or make changes to this bug.