Checklist
I am running the latest go-ipfs version or have an issue updating.
Installation method
ipfs-update or dist.ipfs.io
Version
No response
Config
No response
Description
Correct me if I'm wrong, but older versions of kubo did create RSA keys and OpenSSL can be compiled as crypto library.
If kubo created 2048 bit rsa keys in the past, it's likely that CVE-2022-2274 (remote code execution, severity: high) does affect kubo as well.
ipfs
A possible mitigation would be to either forbid starting with OpenSSL library if there's a 2048 bit rsa key found or forbid to compile with OpenSSL if the version is vulnerable.
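The startup guard proposed in the report, written out as an added example (it is not Kubo code and not part of the issue): refuse to run only when both conditions hold, an identity key that is 2048-bit RSA and a linked OpenSSL that is an affected release. CVE-2022-2274 was introduced in OpenSSL 3.0.4 and fixed in 3.0.5, so the affected set is a single version. The example assumes the OpenSSL version is obtained as the banner printed by `openssl version`, and it generates a throwaway RSA key rather than reading a real node identity; both are assumptions for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"regexp"
)

// Releases affected by CVE-2022-2274. The bug shipped in OpenSSL 3.0.4 and was
// fixed in 3.0.5, so one entry suffices; extend it if a later advisory adds more.
var affectedOpenSSL = map[string]bool{"3.0.4": true}

var versionRe = regexp.MustCompile(`^OpenSSL (\d+\.\d+\.\d+)`)

// ParseOpenSSLVersion extracts "major.minor.patch" from an `openssl version`
// banner such as "OpenSSL 3.0.4 21 Jun 2022" (assumed input format).
func ParseOpenSSLVersion(banner string) (string, error) {
	m := versionRe.FindStringSubmatch(banner)
	if m == nil {
		return "", fmt.Errorf("unrecognised OpenSSL banner: %q", banner)
	}
	return m[1], nil
}

// IsAffectedOpenSSL reports whether the banner names an affected release.
// An unparsable banner is treated as affected so the guard fails closed.
func IsAffectedOpenSSL(banner string) bool {
	v, err := ParseOpenSSLVersion(banner)
	if err != nil {
		return true
	}
	return affectedOpenSSL[v]
}

// RSAKeyBits returns the modulus size of an RSA public key, or 0 for any other
// key type (for example the Ed25519 identities newer releases generate).
func RSAKeyBits(pub interface{}) int {
	if k, ok := pub.(*rsa.PublicKey); ok {
		return k.N.BitLen()
	}
	return 0
}

// ShouldRefuseStart is the check the issue proposes: refuse to start when the
// node identity is a 2048-bit RSA key AND the linked OpenSSL is an affected
// release. The returned string is the reason, suitable for a log line.
func ShouldRefuseStart(banner string, identity interface{}) (bool, string) {
	bits := RSAKeyBits(identity)
	if bits != 2048 {
		return false, fmt.Sprintf("identity is not a 2048-bit RSA key (%d bits); CVE-2022-2274 not applicable", bits)
	}
	if !IsAffectedOpenSSL(banner) {
		return false, fmt.Sprintf("OpenSSL banner %q is not an affected release", banner)
	}
	return true, fmt.Sprintf("refusing to start: 2048-bit RSA identity with affected OpenSSL (%q)", banner)
}

// SampleRSAPublicKey generates a throwaway key of the given size so the check
// can be exercised without touching a real node identity (constructed input).
func SampleRSAPublicKey(bits int) *rsa.PublicKey {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return &priv.PublicKey
}

func main() {
	pub := SampleRSAPublicKey(2048)
	// Constructed banners: the affected release, the fixed release, and a 1.1.1 build.
	for _, banner := range []string{
		"OpenSSL 3.0.4 21 Jun 2022",
		"OpenSSL 3.0.5 5 Jul 2022",
		"OpenSSL 1.1.1q  5 Jul 2022",
	} {
		refuse, why := ShouldRefuseStart(banner, pub)
		fmt.Printf("%-28s refuse=%v: %s\n", banner, refuse, why)
	}
}
```

The guard deliberately fails closed on a banner it cannot parse: a startup check that silently passes on unexpected input would defeat its purpose. As the maintainer notes below, because OpenSSL is dynamically linked, updating the host library is the simpler remedy; a check like this only adds a belt-and-braces refusal for hosts that have not been updated.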
@RubenKelevra no because no one worked on openssl in a while and so we do not support openssl v3 yet.
Thx for warning us but next time pls send an email to security@ipfs.io.
Someone sent a PR for openssl v3 here: libp2p/go-openssl#25 but I believe no one got the time to review it yet.
Also we dynamically link openssl, so even assuming we were susceptible you would only need to update openssl on your host, no changes required to Kubo.
PS: If you try go1.19 it now supports boringssl (google's openssl fork) builtin which IMO is better than supporting a CGO lib ourselves.
Well, it wasn't really related to IPFS itself and only an issue on custom builds, so I thought it's not a real security issue, just worth a heads-up :)
Thanks for the fast clarification, glad nobody is affected. :)