
x/vulndb: potential Go vuln in github.com/sigstore/rekor: CVE-2023-30551 #1762

Closed
GoVulnBot opened this issue May 8, 2023 · 2 comments

@GoVulnBot

CVE-2023-30551 references github.com/sigstore/rekor, which may be a Go module.

Description:
Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/sigstore/rekor
    packages:
      - package: rekor
description: |
    Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.
cves:
  - CVE-2023-30551
references:
  - advisory: https://github.com/sigstore/rekor/security/advisories/GHSA-2h5h-59f5-c5x9
  - fix: https://github.com/sigstore/rekor/commit/cf42ace82667025fe128f7a50cf6b4cdff51cc48
  - web: https://github.com/sigstore/rekor/releases/tag/v1.1.1

@jba (Contributor)

jba commented May 9, 2023

The main artifact is a binary.
The fix PR includes code in two packages, pkg/types/alpine and pkg/types/jar, neither of which has any importers.

@jba jba self-assigned this May 9, 2023
@jba jba added the labels excluded: EFFECTIVELY_PRIVATE (This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.) and duplicate, and then removed excluded: EFFECTIVELY_PRIVATE, May 9, 2023
@jba (Contributor)

jba commented May 9, 2023

Duplicate of #1754
