Bug 890371 (CVE-2022-46176) - <dev-lang/rust{-bin,}-1.66.1: cargo lacking ssh host key checking
Summary: <dev-lang/rust{-bin,}-1.66.1: cargo lacking ssh host key checking
Status: IN_PROGRESS
Alias: CVE-2022-46176
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 890541
Blocks:
Reported: 2023-01-10 22:24 UTC by John Helmert III
Modified: 2024-02-11 06:00 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-10 22:24:11 UTC
From URL:

"## Overview

When an SSH client establishes communication with a server, to prevent MITM
attacks the client should check whether it already communicated with that
server in the past and what the server's public key was back then. If the key
changed since the last connection, the connection must be aborted as a MITM
attack is likely taking place.

It was discovered that Cargo never implemented such checks, and performed no
validation on the server's public key, leaving Cargo users vulnerable to MITM
attacks."

Fix is in 1.66.1, but 1.66 patches are here:

https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
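The check the quoted overview describes (compare the key a server presents against what was recorded for that host the last time, and abort on a change) is the one Cargo lacked before 1.66.1. The following is an added illustration written for this page, not Cargo's code and not the upstream patch: a small, std-only reader for OpenSSH known_hosts that classifies a presented key as trusted, mismatched, revoked or unknown. The host names and base64 key blobs in SAMPLE_KNOWN_HOSTS are constructed placeholders, and hashed (|1|...) and @cert-authority entries are deliberately skipped since they would need HMAC-SHA1 and certificate parsing.

```rust
// Added example: a known_hosts check of the kind the advisory says Cargo lacked.
// Not Cargo's code; std only, no git2/libssh2. Hashed (|1|...) entries are skipped.

/// Result of comparing the key a server presents with what known_hosts records.
#[derive(Debug, PartialEq, Eq)]
pub enum HostKeyCheck {
    /// Host is known and the presented key matches: proceed.
    Trusted,
    /// Host is known but the key differs: abort, a MITM is likely.
    Mismatch { expected: String },
    /// The presented key is listed under an @revoked marker: abort.
    Revoked,
    /// Host (or this key type for it) has never been seen: prompt or refuse.
    Unknown,
}

/// One known_hosts line: host patterns it covers, key type, base64 key, revoked flag.
struct KnownHost {
    hosts: Vec<String>,
    key_type: String,
    key_b64: String,
    revoked: bool,
}

/// Parse OpenSSH known_hosts text: plain and comma-separated host names, the
/// [host]:port form, comments, blank lines and the @revoked marker. Hashed host
/// names (|1|salt|hash) need HMAC-SHA1 and @cert-authority needs certificate
/// handling; both are skipped in this example rather than silently trusted.
fn parse_known_hosts(text: &str) -> Vec<KnownHost> {
    let mut entries = Vec::new();
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let mut fields = line.split_whitespace();
        let mut first = match fields.next() { Some(f) => f, None => continue };
        let mut revoked = false;
        if first.starts_with('@') {
            match first {
                "@revoked" => revoked = true,
                _ => continue, // @cert-authority: not handled here
            }
            first = match fields.next() { Some(f) => f, None => continue };
        }
        if first.starts_with("|1|") {
            continue; // hashed host name: not handled here
        }
        let (key_type, key_b64) = match (fields.next(), fields.next()) {
            (Some(t), Some(k)) => (t.to_string(), k.to_string()),
            _ => continue, // malformed line: ignore rather than trust
        };
        entries.push(KnownHost {
            hosts: first.split(',').map(str::to_string).collect(),
            key_type,
            key_b64,
            revoked,
        });
    }
    entries
}

/// How OpenSSH spells a host in known_hosts: bare name on port 22, [host]:port otherwise.
fn host_pattern(host: &str, port: u16) -> String {
    if port == 22 { host.to_string() } else { format!("[{host}]:{port}") }
}

/// The check an SSH client must run before trusting a server's key.
pub fn check_host_key(known_hosts: &str, host: &str, port: u16, key_type: &str, key_b64: &str) -> HostKeyCheck {
    let want = host_pattern(host, port);
    let entries = parse_known_hosts(known_hosts);
    let applies = |e: &KnownHost| e.hosts.iter().any(|h| h == &want) && e.key_type == key_type;
    // A revocation wins regardless of where it sits in the file.
    if entries.iter().filter(|e| applies(e)).any(|e| e.revoked && e.key_b64 == key_b64) {
        return HostKeyCheck::Revoked;
    }
    match entries.iter().filter(|e| applies(e)).find(|e| !e.revoked) {
        Some(e) if e.key_b64 == key_b64 => HostKeyCheck::Trusted,
        Some(e) => HostKeyCheck::Mismatch { expected: e.key_b64.clone() },
        None => HostKeyCheck::Unknown,
    }
}

/// Constructed sample database; host names and key blobs are placeholders, not real keys.
pub const SAMPLE_KNOWN_HOSTS: &str = "\
# constructed sample, not a real known_hosts file
git.example,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[git.internal.example]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEY
@revoked git.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
";

fn main() {
    let good = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    let mitm = "AAAAC3NzaC1lZDI1NTE5AAAAIATTACKERKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    let old = "AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    let cases = [
        ("git.example", 22, "ssh-ed25519", good),
        ("git.example", 22, "ssh-ed25519", mitm),
        ("git.example", 22, "ssh-ed25519", old),
        ("git.internal.example", 2222, "ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEY"),
        ("unknown.example", 22, "ssh-ed25519", good),
    ];
    for (host, port, kind, key) in cases {
        println!("{host}:{port} {kind} -> {:?}", check_host_key(SAMPLE_KNOWN_HOSTS, host, port, kind, key));
    }
}
```

A client that only returns Trusted on an exact match and aborts on Mismatch or Revoked is the behaviour the overview calls for; how Unknown is handled (interactive prompt, strict refusal, or trust-on-first-use with a write-back) is a policy choice a non-interactive tool such as a package manager has to make explicitly.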
Comment 1 Larry the Git Cow gentoo-dev 2023-01-11 20:46:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff393adcf173781fd00560a306f6597ead75208

commit bff393adcf173781fd00560a306f6597ead75208
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-01-11 20:35:46 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-01-11 20:40:09 +0000

    dev-lang/rust: add 1.66.1, drop 1.66.0
    
    Bug: https://bugs.gentoo.org/890371
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest                                   | 4 ++--
 dev-lang/rust/{rust-1.66.0.ebuild => rust-1.66.1.ebuild} | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 2 Georgy Yakovlev archtester gentoo-dev 2023-01-11 20:51:28 UTC
no need for separate patches (because of -bin), I'll simply drop <1.66.1

was going to stabilize 1.66.x anyway.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-12 02:23:19 UTC
Thanks!
Comment 4 Hans de Graaff gentoo-dev Security 2023-10-08 10:40:45 UTC
Ping. Please clean up vulnerable versions rust-1.65.0 and rust-bin-1.65.0-r1.
Comment 5 Hans de Graaff gentoo-dev Security 2024-02-10 15:45:09 UTC
commit d4946c5f8d3fa1aec5e5d4d3f64971d89958fde3
Author: Matt Turner <mattst88@gentoo.org>
Date:   Wed Jan 24 12:17:38 2024 -0500

    dev-lang/rust: Drop old versions