Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 875869 (CVE-2022-39237)

Summary: <app-containers/apptainer-1.1.2: digital-signature hash algorithms not validated
Product: Gentoo Security Reporter: Marek Szuba (RETIRED) <marecki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: marecki
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/apptainer/apptainer/releases/tag/v1.1.2
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 875872    
Bug Blocks:    

Description Marek Szuba (RETIRED) archtester gentoo-dev 2022-10-07 14:19:05 UTC 
The go module "sif" version 2.8.0 and older does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

I may be wrong (not in the least because now that we mostly rely self-built dependency tarballs for dependencies of Go software it is not trivial to find out what those dependencies actually are) but it seems the only affected package in the tree is app-containers/apptainer, in which case an update to version 1.1.2 - which bundles sif-2.8.1 - or newer is in order.

I am currently build-testing apptainer-1.1.2. Once pushed, it will have to be fast-tracked through stabilisation so that all vulnerable versions can be removed from the tree.
Comment 1 Larry the Git Cow gentoo-dev 2022-10-07 14:27:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f08746e6fcb72a07689f90aac50c826deda6392

commit 9f08746e6fcb72a07689f90aac50c826deda6392
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2022-10-07 14:21:42 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2022-10-07 14:21:42 +0000

    app-containers/apptainer: add 1.1.2, drop 1.1.0
    
    Bug: https://bugs.gentoo.org/875869
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-containers/apptainer/Manifest                                       | 2 +-
 .../apptainer/{apptainer-1.1.0.ebuild => apptainer-1.1.2.ebuild}        | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-07 14:35:40 UTC 
Thanks for reporting!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-08 13:38:43 UTC 
Please cleanup
Comment 4 Larry the Git Cow gentoo-dev 2022-10-08 19:27:32 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c124743140c0abd7c4c776c1fa087ced2a36cb69

commit c124743140c0abd7c4c776c1fa087ced2a36cb69
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2022-10-08 19:23:50 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2022-10-08 19:27:26 +0000

    app-containers/apptainer: drop 1.0.3
    
    No versions vulnerable to CVE-2022-39237 left in the tree.
    
    Bug: https://bugs.gentoo.org/875869
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-containers/apptainer/Manifest               |  1 -
 app-containers/apptainer/apptainer-1.0.3.ebuild | 67 -------------------------
 2 files changed, 68 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-08 19:53:26 UTC 
Thanks!

Can you offer any commentaryon how exploitable this is?
Comment 6 Marek Szuba (RETIRED) archtester gentoo-dev 2022-10-08 20:39:48 UTC 
Quite easy, I would say - sign a benign image using a weak algorithm, get your target to start using it, quietly replace the image contents with malicious payload that produces the same signatures, pwned.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-08 21:24:37 UTC 
Thanks, we will indeed GLSA this then.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 18:24:52 UTC 
GLSA request filed
Comment 9 Larry the Git Cow gentoo-dev 2022-10-31 01:42:02 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c82e528af1807b8f557d3b3dee8219380c688f4c

commit c82e528af1807b8f557d3b3dee8219380c688f4c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:13:42 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:15 +0000

    [ GLSA 202210-19 ] Apptainer: Lack of Digital Signature Hash Verification
    
    Bug: https://bugs.gentoo.org/875869
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-19.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:49 UTC 
GLSA released, all done!