flux-build
flux-build copied to clipboard
chore(deps): update module github.com/sigstore/cosign to v2 [security]
This PR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence |
---|---|---|---|---|---|
github.com/sigstore/cosign | v1.13.6 -> v2.2.4 |
Cosign malicious artifacts can cause machine-wide DoS
BIT-cosign-2024-29903 / CVE-2024-29903 / GHSA-95pr-fxf5-86gv
More information
Details
Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates.
As an example, these lines demonstrate the problem:
https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70
This Get()
method gets the manifest of the image, allocates a slice equal to the length of the layers in the manifest, loops through the layers and adds a new signature to the slice.
The exact issue is Cosign allocates excessive memory on the lines that creates a slice of the same length as the manifests.
Remediation
Update to the latest version of Cosign, where the number of attestations, signatures and manifests has been limited to a reasonable value.
Cosign PoC
In the case of this API (also referenced above):
https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70
… The first line can contain a length that is safe for the system and will not throw a runtime panic or be blocked by other safety mechanisms. For the sake of argument, let’s say that the length of m, err := s.Manifest()
is the max allowed (by the machine without throwing OOM panics) manifests minus 1. When Cosign then allocates a new slice on this line: signatures := make([]oci.Signature, 0, len(m.Layers))
, Cosign will allocate more memory than is available and the machine will be denied of service, causing Cosign and all other services on the machine to be unavailable.
To illustrate the issue here, we run a modified version of TestSignedImageIndex()
in pkg/oci/remote
:
https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/oci/remote/index_test.go#L31-L57
Here, wantLayers
is the number of manifests from these lines:
https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L60
To test this, we want to make wantLayers
high enough to not cause a memory on its own but still trigger the machine-wide OOM when a slice gets create with the same length. On my local machine, it would take hours to create a slice of layers that fulfils that criteria, so instead I modify the Cosign production code to reflect a long list of manifests:
// Get implements oci.Signatures
func (s *sigs) Get() ([]oci.Signature, error) {
m, err := s.Manifest()
if err != nil {
return nil, err
}
// Here we imitate a long list of manifests
ms := make([]byte, 2600000000) // imitate a long list of manifests
signatures := make([]oci.Signature, 0, len(ms))
panic("Done")
//signatures := make([]oci.Signature, 0, len(m.Layers))
for _, desc := range m.Layers {
With this modified code, if we can cause an OOM without triggering the panic("Done")
, we have succeeded.
Severity
- CVSS Score: 4.2 / 10 (Medium)
- Vector String:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
References
- https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv
- https://nvd.nist.gov/vuln/detail/CVE-2024-29903
- https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
- https://github.com/sigstore/cosign
- https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955
- https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70
- https://github.com/sigstore/cosign/releases/tag/v2.2.4
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Cosign malicious attachments can cause system-wide denial of service
BIT-cosign-2024-29902 / CVE-2024-29902 / GHSA-88jx-383q-w4qc
More information
Details
Summary
A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial.
Details
The root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. As such, a large attachment can make Cosign read a large attachment into memory; If the attachments size is larger than the machine has memory available, the machine will be denied of service. The Go runtime will make a SIGKILL
after a few seconds of system-wide denial.
The root cause is that Cosign reads the contents of the attachments entirely into memory on line 238 below:
https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239
...and prior to that, neither Cosign nor go-containerregistry checks the size of the attachment and enforces a max cap. In the case of a remote layer of f *attached
, go-containerregistry will invoke this API:
https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
func (rl *remoteLayer) Compressed() (io.ReadCloser, error) {
// We don't want to log binary layers -- this can break terminals.
ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}
Notice that the second argument to rl.fetcher.fetchBlob
is verify.SizeUnknown
which results in not using the io.LimitReader
in verify.ReadCloser
:
https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100
func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
w, err := v1.Hasher(h.Algorithm)
if err != nil {
return nil, err
}
r2 := io.TeeReader(r, w) // pass all writes to the hasher.
if size != SizeUnknown {
r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
}
return &and.ReadCloser{
Reader: &verifyReader{
inner: r2,
hasher: w,
expected: h,
wantSize: size,
},
CloseFunc: r.Close,
}, nil
}
Impact
This issue can allow a supply-chain escalation from a compromised registry to the Cosign user: If an attacher has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer.
Remediation
Update to the latest version of Cosign, which limits the number of attachments. An environment variable can override this value.
Severity
- CVSS Score: 4.2 / 10 (Medium)
- Vector String:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
References
- https://github.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc
- https://nvd.nist.gov/vuln/detail/CVE-2024-29902
- https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
- https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
- https://github.com/sigstore/cosign
- https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239
- https://github.com/sigstore/cosign/releases/tag/v2.2.4
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
sigstore/cosign (github.com/sigstore/cosign)
v2.2.4
Bug Fixes
- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#3661)
- ErrNoSignaturesFound should be used when there is no signature attached to an image. (#3526)
- fix semgrep issues for dgryski.semgrep-go ruleset (#3541)
- Honor creation timestamp for signatures again (#3549)
Features
- Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#3578)
Documentation
- add oci bundle spec (#3622)
- Correct help text of triangulate cmd (#3551)
- Correct help text of verify-attestation policy argument (#3527)
- feat: add OVHcloud MPR registry tested with cosign (#3639)
Testing
- Refactor e2e-tests.yml workflow (#3627)
- Clean up and clarify e2e scripts (#3628)
- Don't ignore transparency log in tests if possible (#3528)
- Make E2E tests hermetic (#3499)
- add e2e test for pkcs11 token signing (#3495)
v2.2.3
Bug Fixes
- Fix race condition on verification with multiple signatures attached to image (#3486)
- fix(clean): Fix clean cmd for private registries (#3446)
- Fixed BYO PKI verification (#3427)
Features
- Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#3466)
- Add support for OpenVEX predicate type (#3405)
Documentation
- Resolves #3088:
version
sub-command expected behaviour documentation and testing (#3447) - add examples for cosign attach signature cmd (#3468)
Misc
Contributors
- aalsabag
- Bob Callaway
- Carlos Tadeu Panato Junior
- Colleen Murphy
- Hayden B
- Mukuls77
- Omri Bornstein
- Puerco
- vivek kumar sahu
v2.2.2
v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev
, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z
without a shell.
For private deployments, we have also added an alias for --insecure-skip-log
, --private-infrastructure
.
Bug Fixes
- chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#3411) which fixes a bug with using Azure KMS
- Don't require CT log keys if using a key/sk (#3415)
- Fix copy without any flag set (#3409)
- Update cosign generate cmd to not include newline (#3393)
- Fix idempotency error with signing (#3371)
Features
- Add
--yes
flagcosign import-key-pair
to skip the overwrite confirmation. (#3383) - Use the timeout flag value in verify* commands. (#3391)
- add --private-infrastructure flag (#3369)
Container Updates
- Bump builder image to use go1.21.4 and add new cosign image tags with shell (#3373)
Documentation
- Update SBOM_SPEC.md (#3358)
Contributors
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Hayden B
- Lily Sturmann
- Nikos Fotiou
- Yonghe Zhao
v2.2.1
Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP
Enhancements
- feat: Support basic auth and bearer auth login to registry (#3310)
- add support for ignoring certificates with pkcs11 (#3334)
- Support ReplaceOp in Signatures (#3315)
- feat: added ability to get image digest back via triangulate (#3255)
- feat: add
--only
flag incosign copy
to copy sign, att & sbom (#3247) - feat: add support attaching a Rekor bundle to a container (#3246)
- feat: add support outputting rekor response on signing (#3248)
- feat: improve dockerfile verify subcommand (#3264)
- Add guard flag for experimental OCI 1.1 verify. (#3272)
- Deprecate SBOM attachments (#3256)
- feat: dedent line in cosign copy doc (#3244)
- feat: add platform flag to cosign copy command (#3234)
- Add SLSA 1.0 attestation support to cosign. Closes #2860 (#3219)
- attest: pass OCI remote opts to att resolver. (#3225)
Bug Fixes
- Merge pull request from GHSA-vfp6-jrw2-99g9
- fix: allow cosign download sbom when image is absent (#3245)
- ci: add a OCI registry test for referrers support (#3253)
- Fix ReplaceSignatures (#3292)
- Stop using deprecated in_toto.ProvenanceStatement (#3243)
- Fixes #3236, disable SCT checking for a cosign verification when usin… (#3237)
- fix: update error in
SignedEntity
to be more descriptive (#3233) - Fail timestamp verification if no root is provided (#3224)
Documentation
- Add some docs about verifying in an air-gapped environment (#3321)
- Update CONTRIBUTING.md (#3268)
- docs: improves the Contribution guidelines (#3257)
- Remove security policy (#3230)
Others
- Set go to min 1.21 and update dependencies (#3327)
- Update contact for code of conduct (#3266)
- Update .ko.yaml (#3240)
Contributors
- AdamKorcz
- Andres Galante
- Appu
- Billy Lynch
- Bob Callaway
- Caleb Woodbine
- Carlos Tadeu Panato Junior
- Dylan Richardson
- Gareth Healy
- Hayden B
- John Kjell
- Jon Johnson
- jonvnadelberg
- Luiz Carvalho
- Priya Wadhwa
- Ramkumar Chinchani
- Tosone
- Ville Aikas
- Vishal Choudhary
- ziel
v2.2.0
Enhancements
- switch to uploading DSSE types to rekor instead of intoto (#3113)
- add 'cosign sign' command-line parameters for mTLS (#3052)
- improve error messages around bundle != payload hash (#3146)
- make VerifyImageAttestation function public (#3156)
- Switch to cryptoutils function for SANS (#3185)
- Handle HTTP_1_1_REQUIRED errors in github provider (#3172)
Bug Fixes
- Fix nondeterminsitic timestamps (#3121)
Documentation
- doc: Add example of sign-blob with key in env var (#3152)
- add deprecation notice for cosign-releases GCS bucket (#3148)
- update doc links (#3186)
Others
- Upgrade to go1.21 (#3188)
- Updates ci tests (#3142)
- test using latest release of scaffolding (#3187)
- ci: free up disk space for the gh runner (#3169)
- update go-github to v53 (#3116)
- call e2e test for cosign attach (#3112)
- bump build cross to use go1.20.6 and cosign image to 2.1.1 (#3108)
Contributors
- Bob Callaway
- Carlos Tadeu Panato Junior
- Dmitry Savintsev
- Hayden B
- Hector Fernandez
- Jason Hall
- Jon Johnson
- Jubril Oyetunji
- Paulo Gomes
- Priya Wadhwa
- 张志强
v2.1.1
Bug Fixes
- wait for the workers become available again to continue the execution (#3084)
- fix help text when in a container (#3082)
Documentation
Contributors
- Carlos Tadeu Panato Junior
- priyawadhwa
v2.1.0
Breaking Change: The predicate is now a required flag in the attest commands, set via the --type flag.
Enhancements
- Verify sigs and attestations in parallel (#3066)
- Deep inspect attestations when filtering download (#3031)
- refactor bundle validation code, add support for DSSE rekor type (#3016)
- Allow overriding remote options (#3049)
- feat: adds no cert found on sig exit code (#3038)
- Make predicate a required flag in attest commands (#3033)
- Added support for attaching Time stamp authority Response in attach command (#3001)
- Add
sign --sign-container-identity
CLI (#2984) - Feature: Allow cosign to sign digests before they are uploaded. (#2959)
- accepts
attachment-tag-prefix
forcosign copy
(#3014) - Feature: adds '--allow-insecure-registry' for cosign load (#3000)
- download attestation: support --platform flag (#2980)
- Cleanup: Add
Digest
to theSignedEntity
interface. (#2960) - verify command: support keyless verification using only a provided certificate chain with non-fulcio roots (#2845)
- verify: use workers to limit the paralellism when verifying images with --max-workers flag (#3069)
Bug Fixes
- Fix pkg/cosign/errors (#3050)
- fix: update doc to refer to github-actions oidc provider (#3040)
- fix: prefer GitHub OIDC provider if enabled (#3044)
- Fix --sig-only in cosign copy (#3074)
Documentation
Contributors
Thank you to our contributors!
- Bob Callaway
- Carlos Tadeu Panato Junior
- Chok Yip Lau
- Chris Burns
- Dmitry Savintsev
- Enyinna Ochulor
- Hayden B
- Hector Fernandez
- Jakub Hrozek
- Jason Hall
- Jon Johnson
- Luiz Carvalho
- Matt Moore
- Mritunjay Kumar Sharma
- Mukuls77
- Ramkumar Chinchani
- Sascha Grunert
- Yolanda Robla Mota
- priyawadhwa
v2.0.2
Enhancements
- Update sigstore/sigstore to v1.6.2 to pick up TUF CDN change (#2891)
- feat: Make cosign copy faster (#2901)
- remove sget (#2885)
- Require a payload to be provided with a signature (#2785)
Bug Fixes
- cmd: Change error message from KeyParseError to PubKeyParseError for verify-blob. (#2876)
- Use
SOURCE_DATE_EPOCH
for OCI CreatedAt times (#2878)
Documentation
- Remove experimental warning from Fulcio flags (#2923)
- add missing oidc provider (#2922)
- Add zot as a supported registry (#2920)
- deprecates
kms_support
docs (#2900) - chore(docs) deprecate note for usage docs (#2906)
- adds note of deprecation for examples.md docs (#2899)
Contributors
- Carlos Tadeu Panato Junior
- Chris Burns
- Dmitry Savintsev
- eiffel-fl
- Hayden B
- Hector Fernandez
- Jon Johnson
- Miloslav Trmač
- priyawadhwa
- Ramkumar Chinchani
v2.0.1
Enhancements
- Add environment variable token provider (#2864)
- Remove cosign policy command (#2846)
- Allow customising 'go' executable with GOEXE var (#2841)
- Consistent tlog warnings during verification (#2840)
- Add riscv64 arch (#2821)
- Default generated PEM labels to SIGSTORE (#2735)
- Update privacy statement and confirmation (#2797)
- Add exit codes for verify errors (#2766)
- Add Buildkite provider (#2779)
- verify-blob-attestation: Loosen arg requirements if --check-claims=false (#2746)
Bug Fixes
- PKCS11 sessions are now opened read only (#2853)
- Makefile: date format of log should not show signatures (#2835)
- Add missing flags to cosign verify dockerfile/manifest (#2830)
- Add a warning to remember how to configure a custom Gitlab host (#2816)
- Remove tag warning message from save/copy commands (#2799)
- Mark keyless pem files with b64 (#2671)
Contributors
- Aleksandr Razumov
- Batuhan Apaydın
- Billy Lynch
- Carlos Tadeu Panato Junior
- Chris Burns
- Derek Burdick
- Dmitry Savintsev
- favonia
- Hayden B
- Hector Fernandez
- Ivana Atanasova
- joe miller
- Luiz Carvalho
- Paolo Mainardi
- priyawadhwa
- Radoslav Dimitrov
- Steve Winslow
- Vincent Batts
- Zack Newman
v2.0.0
This is the official 2.0.0 release of cosign! There are many new features and breaking changes from version 1.x, for a full explanation please read the Cosign 2.0 blog post.
Breaking Changes
-
COSIGN_EXPERIMENTAL=1
is no longer required to have identity-based ("keyless") signing and transparency. - By default, artifact signatures will be uploaded to Rekor, for both key-based and identity-based signing. To not upload to Rekor, include
--tlog-upload=false
.- You must also include
--insecure-ignore-tlog=true
when verifying an artifact that was not uploaded to Rekor. - Examples of when you may want to skip uploading to the transparency log are if you have a private Sigstore deployment that does not use transparency or a private artifact.
- We strongly encourage all other use-cases to upload artifact signatures to Rekor. Transparency is a critical component of supply chain security, to allow artifact maintainers and consumers to monitor a public log for their artifacts and signing identities.
- You must also include
- Verification now requires identity flags,
--certificate-identity
and--certificate-oidc-issuer
. Like verifying a signature with a public key, it's critical to specify who you trust to generate a signature for identity-based signing. See #2056 for more discussion on this change. - --certificate-email has been removed. Use --certificate-identity, which supports not only email verification but also any identity specified in a certificate, including SPIFFE, GitHub Actions, or service account identities.
- Cosign no longer supports providing a certificate that does not conform to the Fulcio certificate profile, which includes setting the SubjectAlternativeName and OIDC Issuer OID. To verify with a non-conformant certificate, extract the public key from the certificate and verify with
cosign verify --key <key.pem>
. We are actively working on more support for custom certificates for those who want to bring their existing PKI. - Signing OCI images by tag prints a warning and is strongly discouraged, e.g.
cosign sign container.registry.io/foo:tag
. This is considered insecure since tags are mutable. If you want to specify a particular image, you are recommended to do so by digest. - SCT verification, a proof of inclusion in a certificate transparency log, is now on by default for verifying Fulcio certificates. For private deployments without certificate transparency, use
--insecure-ignore-sct=true
to skip this check. - DSSE support in verify-blob has been removed. You can now verify attestations using verify-blob-attestation.
- Environment variable
SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY
has been removed. For private deployments, if you would like to set the Rekor public key to verify transparency log entries, use either a TUF setup or setSIGSTORE_REKOR_PUBLIC_KEY
with the PEM of the custom Rekor public key.. - verify-blob no longer searches for a certificate. You must provide one with either
--certificate
or--bundle
. -
cosign attest --type {custom|vuln}
(andcosign verify-attestation
) will now use the RFC 3986 compliant URIs, adding https://, so that these predicate types are compliant with the in-toto specification. - The CosignPredicate envelope that wraps the predicates of SPDX and CycloneDX attestations has been removed, which was a violation of the schema specified via the predicateType field (more information).
-
--force
has been removed. To skip any prompts, use--yes
.
Improvements
- Blob attestation and verification is now supported with cosign attest-blob and cosign verify-blob-attestation.
- You can now set flags via environment variables, for example instead of
--certificate-identity=email
, you can set an environment variable forCOSIGN_CERTIFICATE_IDENTITY=email
. -
--offline=true
removes the fallback to the Rekor log when verifying an artifact. Previously, if you did not provide a bundle (a persisted response from Rekor), Cosign would fallback to querying Rekor. You can now skip this fallback for offline environments. Note that if the bundle fails to verify, Cosign will not fallback and will fail early. - A Fulcio certificate can now be issued for self-managed keys by providing
--issue-certificate=true
with a key,--key
, or security key,--sk
. This is useful when adopting Sigstore incrementally. - Experimental support for trusted timestamping has been added. Timestamping leverages a third party to provide the timestamp that will be used to verify short-lived Fulcio certificates, which distributes trust. We will be writing more about this in an upcoming blog post!
- To use a timestamp when signing a container, use
cosign sign --timestamp-server-url=<url> <container>
, such as https://freetsa.org/tsr, and to verify,cosign verify --timestamp-certificate-chain=<path-to-PEM-encodeded-chain> <other flags> <artifact>
. - To use a timestamp when signing a blob, use
cosign sign-blob --timestamp-server-url=<url> --rfc3161-timestamp=<output-path> --bundle=<output-path> <blob>
, and to verify,cosign verify-blob --rfc3161-timestamp=<output-path> --timestamp-certificate-chain=<path-to-PEM-encoded-chain> --bundle=<output-path> <other flags> <blob>
.
- To use a timestamp when signing a container, use
For specific PRs representing enhancements, bug fixes, documentation, and breaking changes, please see the sections below for prereleases v2.0.0-rc.0, v2.0.0-rc.1, v2.0.0-rc.2, and v2.0.0-rc.3.
Thanks to all contributors!
- Anish Shah
- Arnaud J Le Hors
- Arthur Lutz
- Batuhan Apaydın
- Bob Callaway
- Carlos Tadeu Panato Junior
- Chris Burns
- Christian Loos
- Emmanuel T Odeke
- Hayden B
- Hector Fernandez
- Huang Huang
- Jan Wozniak
- Josh Dolitsky
- Josh Wolf
- Kenny Leung
- Marko Mudrinić
- Matt Moore
- Matthias Glastra
- Miloslav Trmač
- Mukuls77
- Priya Wadhwa
- Puerco
- Stefan Zhelyazkov
- Tim Seagren
- Tom Meadows
- Ville Aikas
- Zack Newman
- asraa
- kpk47
- priyawadhwa
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.