fix(deps): update module github.com/sigstore/sigstore-go to v0.6.1 [security] #805
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate-bot
force-pushed
the
renovate/go-github.com-sigstore-sigstore-go-vulnerability
branch
from
35ba5e3
to
0eadd02
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.5.1->v0.6.1GitHub Vulnerability Alerts
CVE-2024-45395
Impact
sigstore-go is susceptible to a denial of service attack when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these data structures is computationally expensive. This can be used to consume excessive CPU resources, leading to a denial of service attack. TUF's security model labels this type of vulnerability an "Endless data attack," and can lead to verification failing to complete and disrupting services that rely on sigstore-go for verification.
The vulnerable loops are in the verification functions in the package
github.com/sigstore/sigstore-go/pkg/verify. The first is the DSSE envelope verification loop inverifyEnvelopeWithArtifact, which decodes all the digests in an attestation can be found here:https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/signature.go#L183-L193
The next loop is in the
VerifyArtifactTransparencyLogfunction, which verifies all the signed entries in a bundle:https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tlog.go#L74-L178
The next loop is the
VerifyTimestampAuthorityfunction, which verifies all the RFC 3161 timestamps in a bundle:https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/tsa.go#L59-L68
Patches
This vulnerability is addressed with sigstore-go 0.6.1, which adds hard limits to the number of verifiable data structures that can be processed in a bundle. Verification will fail if a bundle has data that exceeds these limits. The limits are:
These limits are intended to be high enough to accommodate the vast majority of use cases, while preventing the verification of maliciously crafted bundles that contain large amounts of verifiable data.
Workarounds
The best way to mitigate the risk is to upgrade to sigstore-go 0.6.1 or later. Users who are vulnerable but unable to quickly upgrade may consider adding manual bundle validation to enforce limits similar to those in the referenced patch prior to calling sigstore-go's verification functions.
Release Notes
sigstore/sigstore-go (github.com/sigstore/sigstore-go)
v0.6.1Compare Source
What's Changed
v0.6.1 resolves a security advisory for a denial of service. See GHSA-cq38-jh5f-37mq for more information.
Full Changelog: sigstore/sigstore-go@v0.6.0...v0.6.1
v0.6.0Compare Source
As folks use sigstore-go in more cases, we continue to make fixes and do some minor API interface changes.
Because we are pre-1.0.0 these were made as breaking changes. After 1.0.0 we will provide deprecation notices and smoother migration paths. There may be more minor interface changes between now and v1.0.0.
Breaking Changes
pkg/bundle/bundle.goProtobufBundleis nowBundleNewProtobufBundleis nowNewBundlepkg/bundle/signature_content.goStatement()type was fromgithub.com/in-toto/in-toto-golang/in_totonow comes fromgithub.com/in-toto/attestation/go/v1What's Changed
Full Changelog: sigstore/sigstore-go@v0.5.1...v0.6.0
Configuration
📅 Schedule: Branch creation - "before 4am" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.