Bug 875869 (CVE-2022-39237) - <app-containers/apptainer-1.1.2: digital-signature hash algorithms not validated
Summary: <app-containers/apptainer-1.1.2: digital-signature hash algorithms not validated
Status: RESOLVED FIXED
Alias: CVE-2022-39237
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/apptainer/apptaine...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 875872
Blocks:
Reported: 2022-10-07 14:19 UTC by Marek Szuba (RETIRED)
Modified: 2022-10-31 02:18 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Marek Szuba (RETIRED) archtester gentoo-dev 2022-10-07 14:19:05 UTC
The go module "sif" version 2.8.0 and older does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

I may be wrong (not in the least because now that we mostly rely on self-built dependency tarballs for dependencies of Go software it is not trivial to find out what those dependencies actually are) but it seems the only affected package in the tree is app-containers/apptainer, in which case an update to version 1.1.2 - which bundles sif-2.8.1 - or newer is in order.

I am currently build-testing apptainer-1.1.2. Once pushed, it will have to be fast-tracked through stabilisation so that all vulnerable versions can be removed from the tree.
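The defensive pre-check the description calls for, as an added example in Go that is not code from the sif module, apptainer or the Gentoo tree: it reads the hash algorithm id declared in an OpenPGP signature packet and rejects anything weaker than SHA-256 before verification is even attempted. The packet parser, the SHA-256-or-stronger policy and the sample packets are assumptions constructed here.

```go
package main

import "fmt"

// signatureHashAlgorithm returns the RFC 4880 hash algorithm id declared in a v4 signature packet.
func signatureHashAlgorithm(pkt []byte) (byte, error) {
	if len(pkt) < 6 || pkt[0]&0x80 == 0 {
		return 0, fmt.Errorf("not an OpenPGP packet")
	}
	tag, hdr := byte(0), 2 // hdr = header length: tag octet plus length octets
	if pkt[0]&0x40 != 0 { // new format: length encoding chosen by the first length octet
		tag = pkt[0] & 0x3f
		switch l := pkt[1]; {
		case l == 255:
			hdr = 6 // five-octet length
		case l >= 224:
			return 0, fmt.Errorf("partial body lengths not supported")
		case l >= 192:
			hdr = 3 // two-octet length
		}
	} else if lt := pkt[0] & 3; lt == 3 { // old format: length type in the low two bits
		return 0, fmt.Errorf("indeterminate length not supported")
	} else {
		tag, hdr = (pkt[0]>>2)&0x0f, []int{2, 3, 5}[lt]
	}
	if tag != 2 || len(pkt) < hdr+4 || pkt[hdr] != 4 {
		return 0, fmt.Errorf("not a complete v4 signature packet (tag %d)", tag)
	}
	return pkt[hdr+3], nil // v4 body starts: version, sig type, pubkey alg, hash alg
}

// checkSignatureHash is the pre-check a verifier runs before trusting a signature. Policy assumed
// here: only SHA256 (8), SHA384 (9), SHA512 (10); MD5 (1), SHA1 (2) and unknown ids are rejected.
func checkSignatureHash(pkt []byte) error {
	id, err := signatureHashAlgorithm(pkt)
	if err != nil {
		return err
	}
	if id != 8 && id != 9 && id != 10 {
		return fmt.Errorf("signature uses disallowed hash algorithm id %d", id)
	}
	return nil
}

var sigSHA256 = []byte{0xc2, 0x04, 0x04, 0x00, 0x01, 0x08} // constructed: new-format header, RSA, SHA256
var sigSHA1 = []byte{0x88, 0x04, 0x04, 0x00, 0x01, 0x02}   // constructed: old-format header, RSA, SHA1

func main() {
	fmt.Println(checkSignatureHash(sigSHA256), checkSignatureHash(sigSHA1))
}
```

The samples carry only the packet header and the first four body octets, which is all the check needs; a real verifier would run this on each signature packet before handing it to the OpenPGP library.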
Comment 1 Larry the Git Cow gentoo-dev 2022-10-07 14:27:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f08746e6fcb72a07689f90aac50c826deda6392

commit 9f08746e6fcb72a07689f90aac50c826deda6392
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2022-10-07 14:21:42 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2022-10-07 14:21:42 +0000

    app-containers/apptainer: add 1.1.2, drop 1.1.0
    
    Bug: https://bugs.gentoo.org/875869
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-containers/apptainer/Manifest                                       | 2 +-
 .../apptainer/{apptainer-1.1.0.ebuild => apptainer-1.1.2.ebuild}        | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-07 14:35:40 UTC
Thanks for reporting!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-08 13:38:43 UTC
Please cleanup
Comment 4 Larry the Git Cow gentoo-dev 2022-10-08 19:27:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c124743140c0abd7c4c776c1fa087ced2a36cb69

commit c124743140c0abd7c4c776c1fa087ced2a36cb69
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2022-10-08 19:23:50 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2022-10-08 19:27:26 +0000

    app-containers/apptainer: drop 1.0.3
    
    No versions vulnerable to CVE-2022-39237 left in the tree.
    
    Bug: https://bugs.gentoo.org/875869
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-containers/apptainer/Manifest               |  1 -
 app-containers/apptainer/apptainer-1.0.3.ebuild | 67 -------------------------
 2 files changed, 68 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-08 19:53:26 UTC
Thanks!

Can you offer any commentary on how exploitable this is?
Comment 6 Marek Szuba (RETIRED) archtester gentoo-dev 2022-10-08 20:39:48 UTC
Quite easy, I would say - sign a benign image using a weak algorithm, get your target to start using it, quietly replace the image contents with malicious payload that produces the same signatures, pwned.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-08 21:24:37 UTC
Thanks, we will indeed GLSA this then.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 18:24:52 UTC
GLSA request filed
Comment 9 Larry the Git Cow gentoo-dev 2022-10-31 01:42:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c82e528af1807b8f557d3b3dee8219380c688f4c

commit c82e528af1807b8f557d3b3dee8219380c688f4c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:13:42 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:15 +0000

    [ GLSA 202210-19 ] Apptainer: Lack of Digital Signature Hash Verification
    
    Bug: https://bugs.gentoo.org/875869
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-19.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:18:49 UTC
GLSA released, all done!