Bug 1217072 (CVE-2023-47122) - VUL-0: CVE-2023-47122: gitsign: Rekor public keys fetched from upstream API instead of local TUF client.
Status: RESOLVED FIXED
Alias: CVE-2023-47122
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Johannes Kastl
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/384596/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-13 09:39 UTC by SMASH SMASH
Modified: 2023-11-13 09:40 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-11-13 09:39:37 UTC
Gitsign is software for keyless Git signing using Sigstore. In versions of
gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched
via the Rekor API, instead of through the local TUF client. If the upstream
Rekor server happened to be compromised, gitsign clients could potentially be
tricked into trusting incorrect signatures. There is no known compromise of the
default public good instance (`rekor.sigstore.dev`) - anyone using this instance
is unaffected. This issue was fixed in v0.8.0. No known workarounds are
available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-47122
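As an added illustration, and not code from gitsign or the Sigstore project, the following Go program models the difference between the vulnerable and the fixed behaviour. A Rekor-like log hands back a Signed Entry Timestamp (SET) for each entry; the client then checks that SET either with a key fetched from the same log it is verifying (the pre-0.8.0 pattern) or with a key held in its local trust root, standing in for the Rekor key a TUF client delivers. A rogue log that controls its own advertised key passes the first check and fails the second. The entry layout, the `RekorServer` and `TrustRoot` types, the "example" key handling and the sample entry body are all assumptions made for this example; a real client uses the Sigstore libraries and the TUF root rather than this hand-rolled model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// LogEntry is a simplified model of a Rekor entry: the log signs (body, integratedTime,
// logIndex) and returns that signature as the SET. Real SETs also cover a logID; the
// fields and encoding here are assumptions for this example, not Rekor's exact format.
type LogEntry struct {
	Body           string
	IntegratedTime int64
	LogIndex       int64
	SET            []byte // ASN.1 ECDSA signature over setDigest(entry)
}

// setDigest is what the log signs: SHA-256 of key-sorted JSON of the entry without
// the SET (json.Marshal emits map keys sorted, which serves as canonical form here).
func setDigest(e LogEntry) []byte {
	b, _ := json.Marshal(map[string]interface{}{
		"body": e.Body, "integratedTime": e.IntegratedTime, "logIndex": e.LogIndex,
	})
	sum := sha256.Sum256(b)
	return sum[:]
}

// RekorServer models an upstream log. A compromised or impersonated server controls
// both the entries it returns and the key it advertises on /api/v1/log/publicKey.
type RekorServer struct{ key *ecdsa.PrivateKey }

func NewRekorServer() *RekorServer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unusable
	}
	return &RekorServer{key: k}
}

// AddEntry models uploading an entry and receiving its SET.
func (s *RekorServer) AddEntry(body string, t, index int64) LogEntry {
	e := LogEntry{Body: body, IntegratedTime: t, LogIndex: index}
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, setDigest(e))
	if err != nil {
		panic(err)
	}
	e.SET = sig
	return e
}

// VerifyViaServerKey is the pre-0.8.0 pattern: the key is fetched from the very server
// being verified, so any server, compromised or not, can mint entries that pass.
func VerifyViaServerKey(srv *RekorServer, e LogEntry) bool {
	return ecdsa.VerifyASN1(&srv.key.PublicKey, setDigest(e), e.SET)
}

// TrustRoot models the Rekor key(s) delivered by the client's local TUF root, which is
// fetched and verified independently of the log server.
type TrustRoot struct{ RekorKeys []*ecdsa.PublicKey }

// VerifyViaTrustRoot is the fixed pattern: only trust-root keys are accepted, whatever
// the server says about itself.
func VerifyViaTrustRoot(root TrustRoot, e LogEntry) bool {
	for _, pub := range root.RekorKeys {
		if ecdsa.VerifyASN1(pub, setDigest(e), e.SET) {
			return true
		}
	}
	return false
}

type Outcome struct {
	HonestViaServerKey, HonestViaTrustRoot bool // entry from the honest log
	RogueViaServerKey, RogueViaTrustRoot   bool // entry from the rogue log
	TamperedViaTrustRoot                   bool // honest entry with its body altered
}

// Demo builds an honest log whose key is in the trust root and a rogue log whose key
// is not, then runs both checks against an entry from each.
func Demo() Outcome {
	honest, rogue := NewRekorServer(), NewRekorServer()
	root := TrustRoot{RekorKeys: []*ecdsa.PublicKey{&honest.key.PublicKey}}
	const body = "hashedrekord: sha256 of signature over commit deadbeef" // constructed sample
	good, forged := honest.AddEntry(body, 1700000000, 0), rogue.AddEntry(body, 1700000000, 0)
	tampered := good
	tampered.Body += " (altered)"
	return Outcome{
		HonestViaServerKey:   VerifyViaServerKey(honest, good),
		HonestViaTrustRoot:   VerifyViaTrustRoot(root, good),
		RogueViaServerKey:    VerifyViaServerKey(rogue, forged), // accepted: attacker chose the key
		RogueViaTrustRoot:    VerifyViaTrustRoot(root, forged),  // rejected: key is not in the TUF root
		TamperedViaTrustRoot: VerifyViaTrustRoot(root, tampered),
	}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The point the two verifiers make is not about the signature algorithm but about where the verification key comes from: a key obtained over the same channel as the data it vouches for adds nothing, while a key that arrives through an independently verified trust root (TUF metadata with its own signatures and expiry) turns the SET into a real check on the log's identity.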
Comment 1 Thomas Leroy 2023-11-13 09:40:24 UTC
Shipped in Factory only, which is already fixed. Closing