Bug 1217072 (CVE-2023-47122)

Summary: VUL-0: CVE-2023-47122: gitsign: Rekor public keys fetched from upstream API instead of local TUF client.
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Johannes Kastl <opensuse_buildservice>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: thomas.leroy
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/384596/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-11-13 09:39:37 UTC
Gitsign is software for keyless Git signing using Sigstore. In versions of
gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched
via the Rekor API, instead of through the local TUF client. If the upstream
Rekor server happened to be compromised, gitsign clients could potentially be
tricked into trusting incorrect signatures. There is no known compromise of the
default public good instance (`rekor.sigstore.dev`) - anyone using this instance
is unaffected. This issue was fixed in v0.8.0. No known workarounds are
available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-47122
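To make the trust-root point of the advisory concrete, here is an added Go sketch (not gitsign's or Sigstore's own code): a constructed log reply is checked once with the key the server itself advertises, the pre-0.8.0 pattern, and once with a key established out of band, where a pinned key stands in for the local TUF client. The entry layout, key names and payloads are assumptions for the example, not the real Rekor schema.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// entry is a constructed stand-in for a log-entry reply (not the real Rekor
// schema): the signed payload, its signature and the server's own public key.
type entry struct {
	Payload, Signature []byte
	ServerKey          *ecdsa.PublicKey // advertised by the same server
}
func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }

// signEntry builds a reply as a log operator (or an impostor) would.
func signEntry(priv *ecdsa.PrivateKey, payload []byte) entry {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(payload))
	if err != nil {
		panic(err)
	}
	return entry{payload, sig, &priv.PublicKey}
}

// verifyWithServerKey is the pre-0.8.0 pattern: the verifying key comes from
// the endpoint being verified, so a compromised server can vouch for itself.
func verifyWithServerKey(e entry) bool {
	return ecdsa.VerifyASN1(e.ServerKey, digest(e.Payload), e.Signature)
}

// verifyWithTrustedKey is the fixed pattern: the key comes from a root of
// trust obtained out of band (the local TUF client; a pinned key stands in).
func verifyWithTrustedKey(e entry, trusted *ecdsa.PublicKey) bool {
	return ecdsa.VerifyASN1(trusted, digest(e.Payload), e.Signature)
}

// Scenario: genuine vs trusted key, forged vs server key, forged vs trusted key.
func Scenario() (bool, bool, bool) {
	logKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	genuine := signEntry(logKey, []byte("constructed entry: commit abc123"))
	forged := signEntry(rogueKey, []byte("constructed entry: commit abc123"))
	return verifyWithTrustedKey(genuine, &logKey.PublicKey),
		verifyWithServerKey(forged), verifyWithTrustedKey(forged, &logKey.PublicKey)
}

func main() { fmt.Println(Scenario()) }
```

The forged reply is self-consistent, so the server-supplied key accepts it; only the check against an independently obtained key rejects it.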
Comment 1 Thomas Leroy 2023-11-13 09:40:24 UTC
Shipped in Factory only, which is already fixed. Closing.