This is something I discovered back in August 2018. The fix is included in 2.20.0. Long story short, if you take a commit with a good signature, alter its contents and then add an additional untrusted signature, you end up with two signatures: one BAD signature made with the trusted key, and a GOOD signature made with another key. Git format strings may end up reporting it as %G? = U (untrusted) with %GK/%GS listing the *trusted* key (taken from the BAD signature). This shouldn't affect normal git use or the tools normally used by Gentoo. However, some poorly written verification script may be tricked into believing it got a commit with a good signature from a trusted key (if it assumes %G? = U is normal, and then verifies correctness via %GK).
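The report above describes a verification script that treats %G? = U as acceptable and then relies on %GK to decide trust. The following added example (not code from the bug report, from Gentoo, or from git itself) models such a script consuming `git log` format output, with the weak check placed beside the strict check that a verifier should use. The log records, the key fingerprint and the commit hashes are constructed sample values, not real repository data; the parser assumes the output was produced with `--format='%H%x1f%G?%x1f%GK%x1f%GS%x1e'`.

```python
"""Model of a git commit-signature verification script.

Consumes records of the form produced by

    git log --format='%H%x1f%G?%x1f%GK%x1f%GS%x1e' <range>

where %G? is git's signature status letter (G = good, B = bad,
U = good signature from a key of unknown trust, N = no signature,
E = signature could not be checked), %GK is the key reported for the
signature and %GS the signer name.  Everything below is an added,
constructed example; nothing is taken from a real repository.
"""
from dataclasses import dataclass
from typing import Callable, List

# Constructed placeholder fingerprint standing in for a project's trusted key.
TRUSTED_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed sample output: a normally signed commit, a commit reported the
# way the report describes (status U, but %GK naming the trusted key), and an
# unsigned commit.  The hashes are placeholders.
SAMPLE_LOG = (
    "aaaa000000000000000000000000000000000001\x1fG\x1f"
    "0123456789ABCDEF0123456789ABCDEF01234567\x1fRelease Manager\x1e\n"
    "bbbb000000000000000000000000000000000002\x1fU\x1f"
    "0123456789ABCDEF0123456789ABCDEF01234567\x1fRelease Manager\x1e\n"
    "cccc000000000000000000000000000000000003\x1fN\x1f\x1f\x1e\n"
)


@dataclass(frozen=True)
class SigRecord:
    commit: str
    status: str   # single letter from %G?
    key: str      # %GK, empty when there is no signature
    signer: str   # %GS, empty when there is no signature


def parse_log(raw: str) -> List[SigRecord]:
    """Split the %x1e-terminated records into SigRecord objects."""
    records = []
    for rec in raw.split("\x1e"):
        rec = rec.strip("\n")
        if not rec:
            continue
        fields = rec.split("\x1f")
        if len(fields) != 4:
            raise ValueError(f"malformed record: {rec!r}")
        records.append(SigRecord(*fields))
    return records


def weak_check(rec: SigRecord) -> bool:
    """The pattern the report warns about: U is tolerated and trust is
    decided from %GK alone.  It accepts the U record because %GK names
    the trusted key."""
    return rec.status in ("G", "U") and rec.key in TRUSTED_KEYS


def strict_check(rec: SigRecord) -> bool:
    """Require git to report a GOOD signature (G) and require that the key
    git attributes it to is one we trust.  U is never accepted, so the
    key listed for a bad-plus-untrusted combination cannot pass."""
    return rec.status == "G" and rec.key in TRUSTED_KEYS


def failing_commits(raw: str, check: Callable[[SigRecord], bool]) -> List[str]:
    """Return the commits in the log output that do not pass `check`."""
    return [r.commit for r in parse_log(raw) if not check(r)]


if __name__ == "__main__":
    print("weak check rejects:  ", failing_commits(SAMPLE_LOG, weak_check))
    print("strict check rejects:", failing_commits(SAMPLE_LOG, strict_check))
```

Running the block shows the weak check rejecting only the unsigned commit, while the strict check also rejects the U record, which is the behaviour a verifier needs regardless of the git version in use.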
@arches, please stabilize.
amd64 stable
arm stable
x86 stable
alpha stable
ia64 stable
ppc64 stable
s390 stable
ppc stable
arm64 stable
This issue was resolved and addressed in GLSA 201904-13 at https://security.gentoo.org/glsa/201904-13 by GLSA coordinator Aaron Bauman (b-man).
re-opened for final arches and cleanup
sparc finished
hppa stable
Just waiting on sh, which is not a stable arch, for cleanup to happen...
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb2f4440cf7ff92edb7f91bdb9273ffbaabd506f

commit bb2f4440cf7ff92edb7f91bdb9273ffbaabd506f
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:18:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:18:55 +0000

    dev-vcs/git: sh stable (#697962) -EARCHTESTER_TIMEOUT.

    Bug: https://bugs.gentoo.org/676262
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-vcs/git/git-2.21.0.ebuild    | 2 +-
 dev-vcs/git/git-2.23.0-r1.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
@ maintainer(s): Please clean up and drop <dev-vcs/git-2.21.0!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05d4cc2c1158ad51c793868a73fad28ba811200f

commit 05d4cc2c1158ad51c793868a73fad28ba811200f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-11-03 15:06:20 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-11-03 15:06:38 +0000

    dev-vcs/git: Security cleanup

    Bug: https://bugs.gentoo.org/676262
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-vcs/git/Manifest          |   3 -
 dev-vcs/git/git-2.19.2.ebuild | 709 ------------------------------------------
 2 files changed, 712 deletions(-)
Repository is clean, all done!