CVE-2023-22742: Merge pull request #6450 from libgit2/1.5_ssh · libgit2/libgit2@42e5db9
libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2’s git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.
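The advisory's mitigation for callers who cannot upgrade is to check host keys themselves through the certificate_check callback. The following is an added example, not code from the libgit2 repository or from this commit: the core of such a callback, pinning one host's SSH key fingerprint, written to the same contract as libgit2's callback (return 0 to accept the connection, a negative value to abort it). So that it compiles without libgit2, it uses a stand-in `struct hostkey_cert` that mirrors only the fields the check needs from a real `git_cert_hostkey` (an assumption; with the real API you first check `cert_type` for `GIT_CERT_HOSTKEY_LIBSSH2` and the `GIT_CERT_SSH_SHA256` flag before reading `hash_sha256`). The host name `git.example.test`, the fingerprint bytes and the colon-separated hex format are constructed for the demonstration and are not taken from any ssh-keygen output.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HK_SHA256_LEN 32

/* Stand-in for libgit2's git_cert_hostkey (assumption: only the fields this check
 * needs are mirrored). With the real API the callback receives a git_cert *, checks
 * cert_type == GIT_CERT_HOSTKEY_LIBSSH2, casts, and reads hash_sha256 when the
 * GIT_CERT_SSH_SHA256 flag is set. */
struct hostkey_cert {
    int is_ssh_hostkey;                       /* SSH host key rather than an X.509 cert */
    int has_sha256;                           /* hash_sha256 is populated */
    unsigned char hash_sha256[HK_SHA256_LEN];
};

/* What the application pins; reaches the callback through its payload pointer. */
struct pinned_host {
    const char *host;
    unsigned char sha256[HK_SHA256_LEN];
};

/* Parse a hex fingerprint, with or without ':' separators, into 32 raw bytes.
 * Returns 0 on success, -1 if the text is malformed or the wrong length. */
int parse_hex_fingerprint(const char *text, unsigned char out[HK_SHA256_LEN])
{
    size_t n = 0;
    int hi = -1;                              /* pending high nibble, -1 if none */
    for (const char *p = text; *p != '\0'; p++) {
        if (*p == ':')
            continue;
        if (!isxdigit((unsigned char)*p))
            return -1;
        int v = isdigit((unsigned char)*p) ? *p - '0' : tolower((unsigned char)*p) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }
        if (n >= HK_SHA256_LEN) return -1;    /* more than 32 bytes */
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return (n == HK_SHA256_LEN && hi < 0) ? 0 : -1;
}

/* Convenience wrapper: 1 if the text is a well-formed 32-byte fingerprint. */
int fingerprint_parses(const char *text)
{
    unsigned char buf[HK_SHA256_LEN];
    return parse_hex_fingerprint(text, buf) == 0;
}

/* Compare without early exit so timing does not reveal how many bytes matched. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Same contract as git_transport_certificate_check_cb: return 0 to accept the
 * connection, a negative value to abort it. `valid` is the transport's own verdict;
 * a pinning check decides from the pinned value and does not rely on it. */
int pinned_hostkey_check(const struct hostkey_cert *cert, int valid,
                         const char *host, void *payload)
{
    const struct pinned_host *pin = payload;
    (void)valid;
    if (cert == NULL || host == NULL || pin == NULL || !cert->is_ssh_hostkey)
        return -1;                            /* only SSH host keys are pinned here */
    if (strcmp(host, pin->host) != 0)
        return -1;                            /* pin belongs to a different host */
    if (!cert->has_sha256)
        return -1;                            /* refuse to fall back to MD5/SHA-1 */
    return ct_equal(cert->hash_sha256, pin->sha256, HK_SHA256_LEN) ? 0 : -1;
}

/* Constructed sample: pinned fingerprint bytes 0x00,0x08,...,0xf8 and a presented key
 * built to match. `tamper` flips one byte of the presented key, as a substituted key
 * would differ. Returns the callback result, or -2 if the pin fails to parse. */
int scenario(int tamper, const char *presented_host, int has_sha256)
{
    static const char *pinned_fp =
        "00:08:10:18:20:28:30:38:40:48:50:58:60:68:70:78:"
        "80:88:90:98:a0:a8:b0:b8:c0:c8:d0:d8:e0:e8:f0:f8";
    struct pinned_host pin = { "git.example.test", { 0 } };
    struct hostkey_cert cert = { 1, has_sha256, { 0 } };
    if (parse_hex_fingerprint(pinned_fp, pin.sha256) != 0)
        return -2;
    for (int i = 0; i < HK_SHA256_LEN; i++)
        cert.hash_sha256[i] = (unsigned char)(i * 8);
    if (tamper)
        cert.hash_sha256[5] ^= 0x01;
    return pinned_hostkey_check(&cert, 1, presented_host, &pin);
}

int main(void)
{
    printf("matching=%d tampered=%d wrong-host=%d no-sha256=%d\n",
           scenario(0, "git.example.test", 1), scenario(1, "git.example.test", 1),
           scenario(0, "other.example.test", 1), scenario(0, "git.example.test", 0));
    return 0;
}
```

With the real library the check is registered by setting `certificate_check` and `payload` on a `git_remote_callbacks` initialised with `GIT_REMOTE_CALLBACKS_INIT` and passing that structure to the fetch or clone options. Two design choices matter for the advisory's scenario: the check ignores the transport's `valid` flag, so it cannot be weakened by a backend that verifies nothing, and it refuses to compare anything but the SHA-256 hash, so a presented key that only offers MD5 or SHA-1 is rejected rather than matched against a weaker digest.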
@@ -6,7 +6,7 @@
cmake_minimum_required(VERSION 3.5.1)
project(libgit2 VERSION “1.5.0” LANGUAGES C)
project(libgit2 VERSION “1.5.1” LANGUAGES C)
Add find modules to the path
set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} “${PROJECT_SOURCE_DIR}/cmake”)
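Review bot: the project version bumped here to 1.5.1 has to stay in step with LIBGIT2_VERSION and LIBGIT2_VER_REVISION in the version header and with the "version" field in package.json, all of which are bumped in the later hunks of this commit; a mismatch between the three is easy to miss in a security point release, so it is worth a quick grep for "1.5.0" before tagging.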
@@ -144,6 +144,11 @@ if [ -z “$SKIP_SSH_TESTS” ]; then
echo "[localhost]:2222 $algorithm $key" >>"${HOME}/.ssh/known_hosts"
done <"${SSHD_DIR}/id_rsa.pub"
Append the github.com keys for the tests that don’t override checks.
We ask for ssh-rsa to test that the selection based off of known_hosts
is working.
ssh-keyscan -t ssh-rsa github.com >>"${HOME}/.ssh/known_hosts"
Get the fingerprint for localhost and remove the colons so we can
parse it as a hex number. Older versions have a different output
format.
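Review bot: `ssh-keyscan -t ssh-rsa github.com >>"${HOME}/.ssh/known_hosts"` trusts whatever key the network returns at scan time, so the CI setup itself is doing trust-on-first-use against a live host, and its exit status is not checked, so an unreachable host leaves known_hosts without a github.com entry and the tests that depend on it fail later with a less obvious error. Consider writing the expected github.com ssh-rsa key into known_hosts from a value committed alongside the script, or at least failing setup when the scan returns nothing; stating the expected fingerprint in the comment would also make a mismatch diagnosable.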
@@ -1,3 +1,14 @@
v1.5.1
------
🔒 This is a security release to address CVE-2023-22742: when compiled using the optional, included libssh2 backend, libgit2 fails to verify SSH keys by default.
When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2’s `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.
The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.
All users of the v1.5 release line are recommended to upgrade.
v1.5
----
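Review bot: the entry describes the pre-1.5.1 behaviour but not what changes in 1.5.1 when `certificate_check` is left unset, so a reader cannot tell whether callers that never set the callback now fail, now verify the server key against known_hosts (as the CI setup change in this commit suggests), or need code changes. One sentence on the new default and on how to keep a custom callback would make "All users of the v1.5 release line are recommended to upgrade" actionable.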
@@ -11,7 +11,7 @@
* The version string for libgit2. This string follows semantic
* versioning (v2) guidelines.
*/
#define LIBGIT2_VERSION “1.5.0”
#define LIBGIT2_VERSION “1.5.1”
/** The major version number for this version of libgit2. */
#define LIBGIT2_VER_MAJOR 1
@@ -20,7 +20,7 @@
#define LIBGIT2_VER_MINOR 5
/** The revision (“teeny”) version number for this version of libgit2. */
#define LIBGIT2_VER_REVISION 0
#define LIBGIT2_VER_REVISION 1
/** The Windows DLL patch number for this version of libgit2. */
#define LIBGIT2_VER_PATCH 0
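Review bot: LIBGIT2_VER_REVISION moves from 0 to 1 while LIBGIT2_VER_PATCH stays at 0; if the Windows DLL patch number is meant to track point releases this needs bumping too, and if it is intentionally left alone the comment on LIBGIT2_VER_PATCH could say when it is expected to change.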
@@ -1,6 +1,6 @@
{
"name": "libgit2",
"version": "1.5.0",
"version": "1.5.1",
"repo": "https://github.com/libgit2/libgit2",
"description": " A cross-platform, linkable library implementation of Git that you can use in your application.",
"install": “mkdir build && cd build && cmake … && cmake --build .”
Related news
Gentoo Linux Security Advisory 202411-5 - Multiple vulnerabilities have been discovered in libgit2, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.7.2 are affected.
Ubuntu Security Notice 6678-1 - It was discovered that libgit2 mishandled equivalent filenames on NTFS partitions. If a user or automated system were tricked into cloning a specially crafted repository, an attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that libgit2 did not perform certificate checking by default. An attacker could possibly use this issue to perform a machine-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.