chore(deps): update dependency ddworken/hishtory to v0.325

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
ddworken/hishtory	minor	0.324 -> 0.325

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

ddworken/hishtory (ddworken/hishtory)

v0.325

Compare Source

What's Changed

• Skip exporting empty commands for #​279 by @​ddworken in https://github.com/ddworken/hishtory/pull/281
• Allow import-json to import custom columns by @​ddworken in https://github.com/ddworken/hishtory/pull/282
• Update bash weirdness regex to be more permissive for #​280 by @​ddworken in https://github.com/ddworken/hishtory/pull/283
• Fix test golden breakage caused by GH action update by @​ddworken in https://github.com/ddworken/hishtory/pull/284

Full Changelog: ddworken/hishtory@v0.324...v0.325

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/hishtory:0.325

📦 Image Reference ghcr.io/uniget-org/tools/hishtory:0.325

digest	sha256:50486e7a38afa5bc31d1b4b0bf37fa0c53d51710905de4ab99354232549b9afa
vulnerabilities
platform	linux/amd64
size	60 MB
packages	238

golang.org/x/net 0.28.0 (golang) pkg:golang/golang.org/x/[email protected] Allocation of Resources Without Limits or Throttling Affected range <0.33.0 Fixed version 0.33.0 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Description An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

github.com/theupdateframework/go-tuf 0.7.0 (golang) pkg:golang/github.com/theupdateframework/[email protected] Affected range >=0 Fixed version Not Fixed Description Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf

github.com/sigstore/cosign 1.13.6 (golang) pkg:golang/github.com/sigstore/[email protected] Allocation of Resources Without Limits or Throttling Affected range <=2.2.3 Fixed version Not Fixed CVSS Score 4.2 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H Description Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates. As an example, these lines demonstrate the problem: https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70 This Get() method gets the manifest of the image, allocates a slice equal to the length of the layers in the manifest, loops through the layers and adds a new signature to the slice. The exact issue is Cosign allocates excessive memory on the lines that creates a slice of the same length as the manifests. Remediation Update to the latest version of Cosign, where the number of attestations, signatures and manifests has been limited to a reasonable value. Cosign PoC In the case of this API (also referenced above): https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70 … The first line can contain a length that is safe for the system and will not throw a runtime panic or be blocked by other safety mechanisms. For the sake of argument, let’s say that the length of m, err := s.Manifest() is the max allowed (by the machine without throwing OOM panics) manifests minus 1. When Cosign then allocates a new slice on this line: signatures := make([]oci.Signature, 0, len(m.Layers)), Cosign will allocate more memory than is available and the machine will be denied of service, causing Cosign and all other services on the machine to be unavailable. To illustrate the issue here, we run a modified version of TestSignedImageIndex() in pkg/oci/remote: https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/oci/remote/index_test.go#L31-L57 Here, wantLayers is the number of manifests from these lines: https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L60 To test this, we want to make wantLayers high enough to not cause a memory on its own but still trigger the machine-wide OOM when a slice gets create with the same length. On my local machine, it would take hours to create a slice of layers that fulfils that criteria, so instead I modify the Cosign production code to reflect a long list of manifests: // Get implements oci.Signatures func (s *sigs) Get() ([]oci.Signature, error) { m, err := s.Manifest() if err != nil { return nil, err } // Here we imitate a long list of manifests ms := make([]byte, 2600000000) // imitate a long list of manifests signatures := make([]oci.Signature, 0, len(ms)) panic("Done") //signatures := make([]oci.Signature, 0, len(m.Layers)) for _, desc := range m.Layers { With this modified code, if we can cause an OOM without triggering the panic("Done"), we have succeeded. Allocation of Resources Without Limits or Throttling Affected range <=2.2.3 Fixed version Not Fixed CVSS Score 4.2 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H Description Summary A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial. Details The root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. As such, a large attachment can make Cosign read a large attachment into memory; If the attachments size is larger than the machine has memory available, the machine will be denied of service. The Go runtime will make a SIGKILL after a few seconds of system-wide denial. The root cause is that Cosign reads the contents of the attachments entirely into memory on line 238 below: https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239 ...and prior to that, neither Cosign nor go-containerregistry checks the size of the attachment and enforces a max cap. In the case of a remote layer of f *attached, go-containerregistry will invoke this API: https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40 func (rl *remoteLayer) Compressed() (io.ReadCloser, error) { // We don't want to log binary layers -- this can break terminals. ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs") return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest) } Notice that the second argument to rl.fetcher.fetchBlob is verify.SizeUnknown which results in not using the io.LimitReader in verify.ReadCloser: https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100 func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) { w, err := v1.Hasher(h.Algorithm) if err != nil { return nil, err } r2 := io.TeeReader(r, w) // pass all writes to the hasher. if size != SizeUnknown { r2 = io.LimitReader(r2, size) // if we know the size, limit to that size. } return &and.ReadCloser{ Reader: &verifyReader{ inner: r2, hasher: w, expected: h, wantSize: size, }, CloseFunc: r.Close, }, nil } Impact This issue can allow a supply-chain escalation from a compromised registry to the Cosign user: If an attacher has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer. Remediation Update to the latest version of Cosign, which limits the number of attachments. An environment variable can override this value. Affected range >=0 Fixed version Not Fixed Description An attacker who controls a remote registry can return a high number of attestations and/or signatures to cosign. This can cause cosign to enter a long loop resulting in a denial of service, i.e., endless data attack.

github.com/slsa-framework/slsa-verifier 1.4.2-0.20221130213533-128324f48837 (golang) pkg:golang/github.com/slsa-framework/[email protected] Affected range >=0 Fixed version Not Fixed Description slsa-verifier vulnerable to mproper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12784485097.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12784485097.