forking-renovate[bot]
commented
2 months ago ℹ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):
- 8 additional dependencies were updated
Details:
| Package | Change |
|---|---|
github.com/sigstore/sigstore |
v1.8.7 -> v1.8.9 |
github.com/google/go-containerregistry |
v0.20.0 -> v0.20.2 |
github.com/docker/cli |
v24.0.7+incompatible -> v27.1.1+incompatible |
golang.org/x/crypto |
v0.25.0 -> v0.26.0 |
golang.org/x/net |
v0.26.0 -> v0.27.0 |
golang.org/x/sys |
v0.22.0 -> v0.23.0 |
golang.org/x/term |
v0.22.0 -> v0.23.0 |
golang.org/x/text |
v0.16.0 -> v0.17.0 |
This PR contains the following updates:
v0.5.1->v0.6.1GitHub Vulnerability Alerts
CVE-2024-45395
Impact
sigstore-go is susceptible to a denial of service attack when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these data structures is computationally expensive. This can be used to consume excessive CPU resources, leading to a denial of service attack. TUF's security model labels this type of vulnerability an "Endless data attack," and can lead to verification failing to complete and disrupting services that rely on sigstore-go for verification.
The vulnerable loops are in the verification functions in the package
github.com/sigstore/sigstore-go/pkg/verify. The first is the DSSE envelope verification loop inverifyEnvelopeWithArtifact, which decodes all the digests in an attestation can be found here:https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/signature.go#L183-L193
The next loop is in the
VerifyArtifactTransparencyLogfunction, which verifies all the signed entries in a bundle:https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tlog.go#L74-L178
The next loop is the
VerifyTimestampAuthorityfunction, which verifies all the RFC 3161 timestamps in a bundle:https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tsa.go#L59-L68
Patches
This vulnerability is addressed with sigstore-go 0.6.1, which adds hard limits to the number of verifiable data structures that can be processed in a bundle. Verification will fail if a bundle has data that exceeds these limits. The limits are:
These limits are intended to be high enough to accommodate the vast majority of use cases, while preventing the verification of maliciously crafted bundles that contain large amounts of verifiable data.
Workarounds
The best way to mitigate the risk is to upgrade to sigstore-go 0.6.1 or later. Users who are vulnerable but unable to quickly upgrade may consider adding manual bundle validation to enforce limits similar to those in the referenced patch prior to calling sigstore-go's verification functions.
Release Notes
sigstore/sigstore-go (github.com/sigstore/sigstore-go)
### [`v0.6.1`](https://redirect.github.com/sigstore/sigstore-go/releases/tag/v0.6.1) [Compare Source](https://redirect.github.com/sigstore/sigstore-go/compare/v0.6.0...v0.6.1) #### What's Changed v0.6.1 resolves a security advisory for a denial of service. See https://github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq for more information. - Add fuzz tests for bundle, tlog and verify packages by [@AdamKorcz](https://redirect.github.com/AdamKorcz) in [https://github.com/sigstore/sigstore-go/pull/272](https://redirect.github.com/sigstore/sigstore-go/pull/272) - Add the ability to contruct TrustRoot from targets by [@bkabrda](https://redirect.github.com/bkabrda) in [https://github.com/sigstore/sigstore-go/pull/247](https://redirect.github.com/sigstore/sigstore-go/pull/247) - add oss-fuzz build script by [@AdamKorcz](https://redirect.github.com/AdamKorcz) in [https://github.com/sigstore/sigstore-go/pull/278](https://redirect.github.com/sigstore/sigstore-go/pull/278) - Fix proof of key possession generation by [@adityasaky](https://redirect.github.com/adityasaky) in [https://github.com/sigstore/sigstore-go/pull/283](https://redirect.github.com/sigstore/sigstore-go/pull/283) - Add additional validation for nil elements in Bundles by [@codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/285](https://redirect.github.com/sigstore/sigstore-go/pull/285) - Add hard limits for number of TSA entries, Tlog entries, and attestation subjects/digests by [@codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/286](https://redirect.github.com/sigstore/sigstore-go/pull/286) **Full Changelog**: https://github.com/sigstore/sigstore-go/compare/v0.6.0...v0.6.1 ### [`v0.6.0`](https://redirect.github.com/sigstore/sigstore-go/releases/tag/v0.6.0) [Compare Source](https://redirect.github.com/sigstore/sigstore-go/compare/v0.5.1...v0.6.0) As folks use sigstore-go in more cases, we continue to make fixes and do some minor API interface changes. Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0. #### Breaking Changes - In `pkg/bundle/bundle.go` - `ProtobufBundle` is now `Bundle` - `NewProtobufBundle` is now `NewBundle` - In `pkg/bundle/signature_content.go` - Use `Statement()` type was from `github.com/in-toto/in-toto-golang/in_toto` now comes from `github.com/in-toto/attestation/go/v1` #### What's Changed - feat: add support for additional transparency log key types by [@vishal-chdhry](https://redirect.github.com/vishal-chdhry) in [https://github.com/sigstore/sigstore-go/pull/197](https://redirect.github.com/sigstore/sigstore-go/pull/197) - feat: use GetLogEntryByIndex to query rekor by [@vishal-chdhry](https://redirect.github.com/vishal-chdhry) in [https://github.com/sigstore/sigstore-go/pull/188](https://redirect.github.com/sigstore/sigstore-go/pull/188) - feat: add validation of required fields in the bundle by [@vishal-chdhry](https://redirect.github.com/vishal-chdhry) in [https://github.com/sigstore/sigstore-go/pull/189](https://redirect.github.com/sigstore/sigstore-go/pull/189) - Rename ProtobufBundle to Bundle by [@codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/251](https://redirect.github.com/sigstore/sigstore-go/pull/251) - Fix verify DSSE bundles (after signing) by [@steiza](https://redirect.github.com/steiza) in [https://github.com/sigstore/sigstore-go/pull/258](https://redirect.github.com/sigstore/sigstore-go/pull/258) - Fix crash with missing checkpoint by [@haydentherapper](https://redirect.github.com/haydentherapper) in [https://github.com/sigstore/sigstore-go/pull/260](https://redirect.github.com/sigstore/sigstore-go/pull/260) - Add file pattern to CODEOWNERS by [@codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/269](https://redirect.github.com/sigstore/sigstore-go/pull/269) - Use example.com and remove trademark from tests by [@codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/267](https://redirect.github.com/sigstore/sigstore-go/pull/267) - Add deprecation message for ProtobufBundle by [@codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/271](https://redirect.github.com/sigstore/sigstore-go/pull/271) - Switch in-toto library to github.com/in-toto/attestation by [@codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/sigstore/sigstore-go/pull/274](https://redirect.github.com/sigstore/sigstore-go/pull/274) **Full Changelog**: https://github.com/sigstore/sigstore-go/compare/v0.5.1...v0.6.0Configuration
📅 Schedule: Branch creation - "before 4am" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.