Bug 676262 - <dev-vcs/git-2.20: multiple commit signatures can cause confusing %GK/%GS output
Summary: <dev-vcs/git-2.20: multiple commit signatures can cause confusing %GK/%GS output
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://dev.gentoo.org/~mgorny/articl...
Whiteboard: A4 [glsa+]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2019-01-26 10:31 UTC by Michał Górny
Modified: 2020-03-15 16:49 UTC (History)

See Also:
Package list:
dev-vcs/git-2.21.0
Runtime testing required: Yes


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-01-26 10:31:33 UTC
This is something I discovered back in August 2018.  The fix is included in 2.20.0.

Long story short, if you take a commit with a good signature, alter its contents and then add an additional untrusted signature, you end up with two signatures: one BAD signature made with a trusted key, and a GOOD signature made with another key.  Git format strings may end up reporting it as %G? = U (untrusted) with %GK/%GS listing the *trusted* key (taken from the BAD signature).

This shouldn't affect normal git use or the tools normally used by Gentoo.  However, a poorly written verification script may be tricked into believing it got a commit with a good signature from a trusted key (if it assumes %G? = U is normal, and then verifies correctness via %GK).
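As an added example (not code from the bug report or from git itself), the weak verification pattern the report describes beside a hardened check. Both operate on the text that `git log -1 --format='%G? %GK %GS'` prints for a commit; the key ids, signer names and sample lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: weak vs. hardened commit-signature check driven by git's
# %G? (status), %GK (key id) and %GS (signer) format placeholders.
# Allowlist of %GK values we trust (constructed placeholder key ids).
TRUSTED_KEYS="0123456789ABCDEF FEDCBA9876543210"

key_is_trusted() {
    for k in $TRUSTED_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Weak check: treats %G? = U as acceptable and relies on %GK alone.
# With a BAD signature from a trusted key plus a GOOD one from another key,
# git < 2.20 could print U together with the *trusted* key id, so this passes.
weak_verify() {
    status=$1; keyid=$2
    [ "$status" = "G" ] || [ "$status" = "U" ] || return 1
    key_is_trusted "$keyid"
}

# Hardened check: only %G? = G is acceptable, and the key must still be trusted.
strict_verify() {
    status=$1; keyid=$2
    [ "$status" = "G" ] || return 1
    key_is_trusted "$keyid"
}

# Splits one "%G? %GK %GS" line (as git prints it) and applies the chosen check.
check_line() {
    mode=$1; line=$2
    set -- $line
    if [ "$mode" = weak ]; then weak_verify "$1" "$2"; else strict_verify "$1" "$2"; fi
}

# Constructed sample outputs. In a real script the line would come from:
#   git log -1 --format='%G? %GK %GS' "$commit"
GOOD_LINE="G 0123456789ABCDEF Trusted Dev <dev@example.invalid>"
CONFUSED_LINE="U 0123456789ABCDEF Trusted Dev <dev@example.invalid>"  # the case from the bug
```

The weak check accepts CONFUSED_LINE because the trusted key id appears, while the hardened check rejects it because the overall status is not G.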
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-03-29 20:33:51 UTC
@arches, please stabilize.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-29 21:53:59 UTC
amd64 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-30 19:02:19 UTC
arm stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-02 01:38:53 UTC
x86 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:41:35 UTC
alpha stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:43:38 UTC
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:49:35 UTC
ppc64 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 21:58:06 UTC
s390 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-08 06:10:03 UTC
ppc stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2019-04-09 13:52:13 UTC
arm64 stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2019-04-11 01:16:28 UTC
This issue was resolved and addressed in
 GLSA 201904-13 at https://security.gentoo.org/glsa/201904-13
by GLSA coordinator Aaron Bauman (b-man).
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2019-04-11 01:17:10 UTC
re-opened for final arches and cleanup
Comment 13 Rolf Eike Beer archtester 2019-04-11 19:42:04 UTC
sparc finished
Comment 14 Rolf Eike Beer archtester 2019-04-23 21:22:01 UTC
hppa stable
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2019-08-12 23:18:42 UTC
Just waiting on sh, which is not a stable arch, for cleanup to happen...
Comment 16 Larry the Git Cow gentoo-dev 2019-10-26 23:19:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb2f4440cf7ff92edb7f91bdb9273ffbaabd506f

commit bb2f4440cf7ff92edb7f91bdb9273ffbaabd506f
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:18:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:18:55 +0000

    dev-vcs/git: sh stable (#697962)
    
    -EARCHTESTER_TIMEOUT.
    
    Bug: https://bugs.gentoo.org/676262
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-vcs/git/git-2.21.0.ebuild    | 2 +-
 dev-vcs/git/git-2.23.0-r1.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 23:19:58 UTC
@ maintainer(s): Please cleanup and drop <dev-vcs/git-2.21.0!
Comment 18 Larry the Git Cow gentoo-dev 2019-11-03 15:06:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05d4cc2c1158ad51c793868a73fad28ba811200f

commit 05d4cc2c1158ad51c793868a73fad28ba811200f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-11-03 15:06:20 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-11-03 15:06:38 +0000

    dev-vcs/git: Security cleanup
    
    Bug: https://bugs.gentoo.org/676262
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-vcs/git/Manifest          |   3 -
 dev-vcs/git/git-2.19.2.ebuild | 709 ------------------------------------------
 2 files changed, 712 deletions(-)
Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 16:49:52 UTC
Repository is clean, all done!