Bug ID 1232903
Summary VUL-0: CVE-2024-51746: gitsign: use of incorrect Rekor entries during online verification when multiple entries are returned by the log
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.6
Hardware Other
URL https://smash.suse.de/issue/427094/
OS Other
Status NEW
Severity Minor
Priority P5 - None
Component Security
Assignee opensuse_buildservice@ojkastl.de
Reporter smash_bz@suse.de
QA Contact security-team@suse.de
CC camila.matos@suse.com
Target Milestone ---
Found By Security Response Team
Blocker ---

Gitsign is a keyless Sigstore signing tool for Git commits that uses your
GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during
online verification when multiple entries are returned by the log. gitsign uses
Rekor's search API to fetch entries that apply to a signature being verified.
The parameters used for the search are the public key and the payload. The
search API returns entries that match either condition rather than both. When
gitsign's credential cache is used, there can be multiple entries that use the
same ephemeral keypair / signing certificate. As gitsign assumes both
conditions are matched by Rekor, there is no additional validation that the
entry's hash matches the payload being verified, meaning that the wrong entry
can be used to successfully pass verification. Impact is minimal: while
gitsign does not match the payload against the entry, it does ensure that the
certificate matches, so this would need to be exploited during the certificate
validity window (10 minutes) by the key holder.
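The following is an added example that is not part of the bug report or of gitsign's code base. It models, in plain Python with constructed data, the two halves of the advisory: a search that returns entries matching the public key OR the payload hash (Rekor's actual semantics), and the entry-selection step that a verifier must perform on top of it. `RekorEntry`, `rekor_search`, `select_entry_insecure` and `select_entry` are hypothetical names; the field names mirror a hashedrekord entry's `spec.data.hash.value` and `spec.signature.publicKey.content` only loosely, and the log contents are constructed.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RekorEntry:
    """Minimal stand-in for a Rekor hashedrekord entry (constructed; not Rekor's schema)."""
    uuid: str
    payload_sha256: str   # loosely spec.data.hash.value
    public_key_b64: str   # loosely spec.signature.publicKey.content (the signing cert)


def payload_hash(payload: bytes) -> str:
    """hashedrekord entries carry the SHA-256 of the signed payload, hex-encoded."""
    return hashlib.sha256(payload).hexdigest()


def rekor_search(log: Iterable[RekorEntry], public_key_b64: str,
                 payload: bytes) -> list[RekorEntry]:
    """Model of Rekor's search API: an entry is returned if EITHER the public key
    OR the payload hash matches, not both. With gitsign's credential cache, one
    ephemeral certificate can back several entries, so a key-only hit is common."""
    digest = payload_hash(payload)
    return [e for e in log
            if e.public_key_b64 == public_key_b64 or e.payload_sha256 == digest]


def select_entry_insecure(results: Iterable[RekorEntry], public_key_b64: str,
                          payload: bytes) -> Optional[RekorEntry]:
    """Pre-fix behaviour described in the advisory: the certificate is checked,
    but the entry's hash is never compared against the payload being verified."""
    for e in results:
        if e.public_key_b64 == public_key_b64:
            return e
    return None


def select_entry(results: Iterable[RekorEntry], public_key_b64: str,
                 payload: bytes) -> Optional[RekorEntry]:
    """Hardened selection: because the search is an OR, the verifier must itself
    require BOTH the certificate and the payload hash to match before trusting
    an entry as proof that this payload was logged."""
    digest = payload_hash(payload)
    for e in results:
        if e.public_key_b64 == public_key_b64 and e.payload_sha256 == digest:
            return e
    return None


# Constructed sample log: two commits signed with the same cached certificate.
KEY = base64.b64encode(b"constructed-ephemeral-signing-cert").decode()
LOG = [
    RekorEntry("entry-a", payload_hash(b"commit A"), KEY),
    RekorEntry("entry-b", payload_hash(b"commit B"), KEY),
]


def demo() -> dict:
    """Runs both selectors over a payload that was never logged and one that was."""
    unlogged = b"commit C"
    logged = b"commit B"
    return {
        "insecure_unlogged": select_entry_insecure(
            rekor_search(LOG, KEY, unlogged), KEY, unlogged),
        "hardened_unlogged": select_entry(
            rekor_search(LOG, KEY, unlogged), KEY, unlogged),
        "hardened_logged": select_entry(
            rekor_search(LOG, KEY, logged), KEY, logged),
    }


if __name__ == "__main__":
    for name, entry in demo().items():
        print(f"{name}: {entry.uuid if entry else None}")
```

For the never-logged payload the insecure selector returns `entry-a` purely because the certificate matches, which is the wrong-entry acceptance the advisory describes; the hardened selector returns nothing for it and still finds `entry-b` for the payload that really was logged.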

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-51746
https://www.cve.org/CVERecord?id=CVE-2024-51746
https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx
https://bugzilla.redhat.com/show_bug.cgi?id=2323965
