From URL:

"## Overview

When an SSH client establishes communication with a server, to prevent MITM attacks the client should check whether it already communicated with that server in the past and what the server's public key was back then. If the key changed since the last connection, the connection must be aborted as a MITM attack is likely taking place.

It was discovered that Cargo never implemented such checks, and performed no validation on the server's public key, leaving Cargo users vulnerable to MITM attacks."

Fix is in 1.66.1, but 1.66 patches are here: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
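As an added illustration of the check the overview describes (example code written for this page; it is not Cargo's implementation and does not come from the advisory or the patches linked above), the function below looks the key a server presented up in an OpenSSH-style known_hosts file and reports whether that key is the one recorded earlier, a changed key, or a host never seen before. The known_hosts content and the base64 key blobs are constructed placeholders, not real keys. Hashed "|1|" entries and @cert-authority lines are skipped rather than evaluated, and hostname wildcards are not supported.

```rust
// Added example: the known_hosts lookup that the advisory overview says
// Cargo lacked. Not Cargo's code. Plain-text entries only: hashed "|1|"
// hosts and @cert-authority lines are skipped, wildcards are unsupported.

#[derive(Debug, PartialEq, Eq)]
pub enum HostKeyStatus {
    /// A stored entry for this host carries exactly this key: proceed.
    Trusted,
    /// The host was never recorded: this is the trust-on-first-use decision,
    /// which a non-interactive tool should refuse by default.
    Unknown,
    /// The host is known with this key type but the key differs, or the
    /// presented key is marked @revoked: abort, a MITM is likely.
    Mismatch,
    /// The host is known, but only with other key types. An attacker can
    /// offer a different key type to dodge the comparison, so never treat
    /// this as Trusted.
    UnknownKeyType,
}

/// Match the comma-separated host field of one entry against `host`.
/// Literal names and "[host]:port" literals match exactly; a "!" pattern
/// that matches excludes the whole entry (OpenSSH semantics).
fn host_matches(patterns: &str, host: &str) -> bool {
    let mut positive = false;
    for p in patterns.split(',') {
        if let Some(neg) = p.strip_prefix('!') {
            if neg == host {
                return false;
            }
        } else if p == host {
            positive = true;
        }
    }
    positive
}

/// Compare the key the server presented (`key_type`, base64 blob `key_b64`)
/// against what `known_hosts` recorded for `host` on earlier connections.
pub fn check_host_key(known_hosts: &str, host: &str, key_type: &str, key_b64: &str) -> HostKeyStatus {
    let mut trusted = false;
    let mut same_type_seen = false;
    let mut other_type_seen = false;

    for raw in known_hosts.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let mut fields = line.split_whitespace();
        let mut marker = "";
        let mut hosts = match fields.next() { Some(f) => f, None => continue };
        if hosts.starts_with('@') {
            // Optional leading marker such as @revoked or @cert-authority.
            marker = hosts;
            hosts = match fields.next() { Some(f) => f, None => continue };
        }
        let (ktype, kdata) = match (fields.next(), fields.next()) {
            (Some(t), Some(d)) => (t, d),
            _ => continue, // malformed entry, ignore
        };
        if marker == "@cert-authority" || hosts.starts_with("|1|") {
            // CA entries need signature checks and hashed hosts need
            // HMAC-SHA1; both are out of scope for this illustration.
            continue;
        }
        if !host_matches(hosts, host) {
            continue;
        }
        if ktype != key_type {
            other_type_seen = true;
            continue;
        }
        if marker == "@revoked" {
            // A revoked key is rejected even if another entry would trust it.
            if kdata == key_b64 {
                return HostKeyStatus::Mismatch;
            }
            continue;
        }
        same_type_seen = true;
        if kdata == key_b64 {
            trusted = true;
        }
    }

    if trusted {
        HostKeyStatus::Trusted
    } else if same_type_seen {
        HostKeyStatus::Mismatch
    } else if other_type_seen {
        HostKeyStatus::UnknownKeyType
    } else {
        HostKeyStatus::Unknown
    }
}

/// Constructed sample known_hosts file; the key blobs are placeholders.
pub const SAMPLE_KNOWN_HOSTS: &str = "\
# constructed for this example, not real keys
github.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
[git.example]:2222,git.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleRsaKey
@revoked old.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIRevokedKey
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHashedEntry
";

fn main() {
    // A host we have seen before suddenly presents a different key.
    let status = check_host_key(
        SAMPLE_KNOWN_HOSTS,
        "github.example",
        "ssh-ed25519",
        "AAAAC3NzaC1lZDI1NTE5AAAAIAttackerKey",
    );
    println!("github.example: {:?}", status); // Mismatch: abort the connection
}
```

The outcome worth noticing is UnknownKeyType: a host recorded only with an ssh-ed25519 key that now offers an ssh-rsa key must not be silently accepted, because a man-in-the-middle chooses which key type it presents. A non-interactive tool should refuse both Unknown and UnknownKeyType by default and let the user add the key explicitly.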
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff393adcf173781fd00560a306f6597ead75208

commit bff393adcf173781fd00560a306f6597ead75208
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-01-11 20:35:46 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-01-11 20:40:09 +0000

    dev-lang/rust: add 1.66.1, drop 1.66.0

    Bug: https://bugs.gentoo.org/890371
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-lang/rust/Manifest                                   | 4 ++--
 dev-lang/rust/{rust-1.66.0.ebuild => rust-1.66.1.ebuild} | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
No need for separate patches (because of -bin); I'll simply drop <1.66.1, was going to stabilize 1.66.x anyway.
Thanks!
Ping. Please clean up vulnerable versions rust-1.65.0 and rust-bin-1.65.0-r1.
commit d4946c5f8d3fa1aec5e5d4d3f64971d89958fde3
Author: Matt Turner <mattst88@gentoo.org>
Date:   Wed Jan 24 12:17:38 2024 -0500

    dev-lang/rust: Drop old versions
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=99ed81387ba7dbcd82799c29cbe519ef1febcf69

commit 99ed81387ba7dbcd82799c29cbe519ef1febcf69
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 06:09:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 06:09:09 +0000

    [ GLSA 202409-07 ] Rust: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/890371
    Bug: https://bugs.gentoo.org/911685
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-07.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)