
Bug 890371 (CVE-2022-46176)

Summary: <dev-lang/rust{-bin,}-1.66.1: cargo lacking ssh host key checking
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: gyakovlev, navi, randy, rust
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2023/01/10/3
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 890541    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-10 22:24:11 UTC
From URL:

"## Overview

When an SSH client establishes communication with a server, to prevent MITM
attacks the client should check whether it already communicated with that
server in the past and what the server's public key was back then. If the key
changed since the last connection, the connection must be aborted as a MITM
attack is likely taking place.

It was discovered that Cargo never implemented such checks, and performed no
validation on the server's public key, leaving Cargo users vulnerable to MITM
attacks."

Fix is in 1.66.1, but 1.66 patches are here:

https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
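The host key comparison the quoted overview describes, as an added illustration that is not Cargo's or the Gentoo package's code: it parses OpenSSH-style known_hosts lines into a map and classifies the key a server presents as matching, unknown, or changed (the last being the case a client must abort on). Hostnames, key types and key blobs are constructed placeholders, and hashed `|1|` known_hosts entries are assumed out of scope and skipped.

```rust
use std::collections::HashMap;

/// Outcome of comparing a server's presented host key with the local record.
#[derive(Debug, PartialEq)]
pub enum HostKeyStatus {
    Match,    // same key as on previous connections: safe to continue
    Unknown,  // no record for this host/key type: trust-on-first-use decision needed
    Mismatch, // recorded key differs from the presented one: abort, likely MITM
}

/// Known-hosts store keyed by (hostname, key type) -> base64 key blob.
pub type KnownHosts = HashMap<(String, String), String>;

/// Parses OpenSSH-style known_hosts lines: "host[,host2] keytype base64key".
/// Comments, blank lines and hashed (|1|...) entries are skipped (assumption: plain hostnames only).
pub fn parse_known_hosts(text: &str) -> KnownHosts {
    let mut known = KnownHosts::new();
    for line in text.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with("|1|") {
            continue;
        }
        let mut fields = line.split_whitespace();
        if let (Some(hosts), Some(keytype), Some(key)) = (fields.next(), fields.next(), fields.next()) {
            // One line may list several names/addresses for the same key.
            for host in hosts.split(',') {
                known.insert((host.to_string(), keytype.to_string()), key.to_string());
            }
        }
    }
    known
}

/// The check the advisory says Cargo lacked: compare what the server presents now
/// with what was recorded for that host on earlier connections.
pub fn check_host_key(known: &KnownHosts, host: &str, keytype: &str, key: &str) -> HostKeyStatus {
    match known.get(&(host.to_string(), keytype.to_string())) {
        Some(stored) if stored == key => HostKeyStatus::Match,
        Some(_) => HostKeyStatus::Mismatch,
        None => HostKeyStatus::Unknown,
    }
}

/// Constructed sample known_hosts content (hosts and keys are placeholders, not real keys).
pub const SAMPLE_KNOWN_HOSTS: &str = "\
# constructed example entries
git.example.org,10.0.0.5 ssh-ed25519 AAAAC3constructedKeyAlpha
git.example.org ssh-rsa AAAAB3constructedKeyBeta
";
```

Only `Match` should let the connection proceed; `Unknown` needs an explicit trust decision and `Mismatch` must abort.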
Comment 1 Larry the Git Cow gentoo-dev 2023-01-11 20:46:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff393adcf173781fd00560a306f6597ead75208

commit bff393adcf173781fd00560a306f6597ead75208
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-01-11 20:35:46 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-01-11 20:40:09 +0000

    dev-lang/rust: add 1.66.1, drop 1.66.0
    
    Bug: https://bugs.gentoo.org/890371
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest                                   | 4 ++--
 dev-lang/rust/{rust-1.66.0.ebuild => rust-1.66.1.ebuild} | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 2 Georgy Yakovlev archtester gentoo-dev 2023-01-11 20:51:28 UTC
no need for separate patches (because of -bin), I'll simply drop <1.66.1

was going to stabilize 1.66.x anyway.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-12 02:23:19 UTC
Thanks!
Comment 4 Hans de Graaff gentoo-dev Security 2023-10-08 10:40:45 UTC
Ping. Please clean up vulnerable versions rust-1.65.0 and rust-bin-1.65.0-r1.
Comment 5 Hans de Graaff gentoo-dev Security 2024-02-10 15:45:09 UTC
commit d4946c5f8d3fa1aec5e5d4d3f64971d89958fde3
Author: Matt Turner <mattst88@gentoo.org>
Date:   Wed Jan 24 12:17:38 2024 -0500

    dev-lang/rust: Drop old versions