Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 827893 - <sys-cluster/singularity-3.8.5: ambiguous parsing of OCI images
Summary: <sys-cluster/singularity-3.8.5: ambiguous parsing of OCI images
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 827892
Blocks: 872437
  Show dependency tree
 
Reported: 2021-11-30 11:01 UTC by Marek Szuba
Modified: 2022-09-23 02:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marek Szuba archtester gentoo-dev 2021-11-30 11:01:06 UTC 
In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently.
Comment 1 Marek Szuba archtester gentoo-dev 2021-11-30 11:38:56 UTC 
No vulnerable versions left in the tree.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 23:17:55 UTC 
Thank you!
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-23 02:53:58 UTC 
Seems very low impact and very hard to exploit anyway, no GLSA.