Bug 864436 (CVE-2022-35929) - <app-containers/cosign-1.13.0: false positive verification
Summary: <app-containers/cosign-1.13.0: false positive verification
Status: RESOLVED FIXED
Alias: CVE-2022-35929
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/sigstore/cosign/se...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-08 16:33 UTC by John Helmert III
Modified: 2022-10-17 14:42 UTC
See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-08 16:33:33 UTC
CVE-2022-35929 (https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94):

cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. This vulnerability can be reproduced with the `distroless.dev/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2` image. This image has a `vuln` attestation but not an `spdx` attestation. However, if you run `cosign verify-attestation --type=spdx` on this image, it incorrectly succeeds. This issue has been addressed in version 1.10.1 of cosign. Users are advised to upgrade. There are no known workarounds for this issue.

Please bump to 1.10.1.
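The failure mode described in the CVE text, modelled as an added example in Go (not cosign's own code): `verifyBuggy` accepts as soon as any attestation on the image carries a valid signature, regardless of the requested `--type`, while `verifyFixed` requires a valid signature on an attestation of the requested type and distinguishes "no attestation of that type" from "bad signature". The `Attestation` type, both functions and the sample data are constructed for this example.

```go
package main

import "fmt"

// Attestation is a constructed, simplified stand-in for one signed attestation
// on an image (not cosign's own types): predicate type plus signature result.
type Attestation struct {
	PredicateType string
	SigValid      bool
}

// verifyBuggy models the pre-1.10.1 behaviour the report describes: the verdict
// only asks whether any attestation has a valid signature, so zero type matches still pass.
func verifyBuggy(atts []Attestation, wantType string) (bool, error) {
	for _, a := range atts {
		if a.SigValid {
			return true, nil // the type filter never reaches the verdict
		}
	}
	return false, fmt.Errorf("no valid signature for type %q", wantType)
}

// verifyFixed is the hardened form: success needs at least one attestation that
// both matches wantType and carries a valid signature; "none of that type" and
// "bad signature" are reported distinctly so the caller can tell them apart.
func verifyFixed(atts []Attestation, wantType string) (bool, error) {
	matched := 0
	for _, a := range atts {
		if a.PredicateType != wantType {
			continue
		}
		matched++
		if a.SigValid {
			return true, nil
		}
	}
	if matched == 0 {
		return false, fmt.Errorf("no attestations of type %q found", wantType)
	}
	return false, fmt.Errorf("no %q attestation has a valid signature", wantType)
}

func main() {
	// Constructed to match the report: a validly signed "vuln" attestation, no "spdx".
	atts := []Attestation{{PredicateType: "vuln", SigValid: true}}
	ok, err := verifyBuggy(atts, "spdx")
	fmt.Println("buggy:", ok, err) // buggy: true <nil>  (the false positive)
	ok, err = verifyFixed(atts, "spdx")
	fmt.Println("fixed:", ok, err) // fixed: false no attestations of type "spdx" found
}
```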
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 14:35:03 UTC
commit 1d7282c8cb9e2c88da3a612d5f12e89c03b9b4d7
Author: William Hubbs <williamh@gentoo.org>
Date:   Mon Oct 17 09:32:24 2022 -0500

    app-containers/cosign: add 1.13.0

    Signed-off-by: William Hubbs <williamh@gentoo.org>

Please clean up.
Comment 2 William Hubbs gentoo-dev 2022-10-17 14:35:21 UTC
The earliest version in the tree is 1.12.1.
Comment 3 Larry the Git Cow gentoo-dev 2022-10-17 14:39:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d6cb09ba0620b498bac7aea3f8830301b51e403

commit 1d6cb09ba0620b498bac7aea3f8830301b51e403
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-10-17 14:38:12 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-10-17 14:39:12 +0000

    app-containers/cosign: drop 1.10.0, 1.12.1
    
    Bug: https://bugs.gentoo.org/864436
    Bug: https://bugs.gentoo.org/870160
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-containers/cosign/Manifest                     |  4 ---
 app-containers/cosign/cosign-1.10.0.ebuild         | 33 ------------------
 app-containers/cosign/cosign-1.12.1.ebuild         | 29 ----------------
 .../cosign/files/cosign-1.10.0-fix-makefile.patch  | 40 ----------------------
 4 files changed, 106 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-17 14:42:02 UTC
Thanks!