CVE-2022-35929 (https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94): cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. This vulnerability can be reproduced with the `distroless.dev/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2` image. This image has a `vuln` attestation but not an `spdx` attestation. However, if you run `cosign verify-attestation --type=spdx` on this image, it incorrectly succeeds. This issue has been addressed in version 1.10.1 of cosign. Users are advised to upgrade. There are no known workarounds for this issue. Please bump to 1.10.1.
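To make the failure mode concrete, here is an added example (not cosign's code, and not from the advisory above) that models the two verification paths in Go: a pre-1.10.1 style check that filters verified attestations by predicate type but reports success even when the filter matches nothing, beside the fixed check that refuses when no verified attestation of the requested type exists. The envelope, keypair handling and function names are hypothetical stand-ins for cosign's DSSE/Fulcio machinery; the predicate-type URIs are the ones cosign maps the `--type` values `custom`, `vuln` and `spdx` to, stated here as an assumption to check against your cosign version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Predicate-type URIs cosign uses for --type custom/vuln/spdx
// (assumed from the cosign CLI; verify against your version).
const (
	TypeCustom = "https://cosign.sigstore.dev/attestation/v1"
	TypeVuln   = "https://cosign.sigstore.dev/attestation/vuln/v1"
	TypeSPDX   = "https://spdx.dev/Document"
)

// Statement is the subset of an in-toto Statement needed to filter by type.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Attestation is a hypothetical simplified envelope: the statement bytes
// plus a detached ed25519 signature over them (stand-in for DSSE).
type Attestation struct {
	Payload []byte
	Sig     []byte
}

// NewKeypair generates a signing key; stand-in for a cosign keypair.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Attest builds and signs an in-toto statement of the given predicate type.
func Attest(priv ed25519.PrivateKey, predicateType string, predicate interface{}) (Attestation, error) {
	pred, err := json.Marshal(predicate)
	if err != nil {
		return Attestation{}, err
	}
	payload, err := json.Marshal(Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: predicateType,
		Predicate:     pred,
	})
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// verifiedStatements keeps only attestations whose signature checks out and
// fails if none do; this part is the same on both paths.
func verifiedStatements(pub ed25519.PublicKey, atts []Attestation) ([]Statement, error) {
	var out []Statement
	for _, a := range atts {
		if !ed25519.Verify(pub, a.Payload, a.Sig) {
			continue // bad signature: ignored, as an unsigned/forged attestation would be
		}
		var st Statement
		if err := json.Unmarshal(a.Payload, &st); err != nil {
			continue
		}
		out = append(out, st)
	}
	if len(out) == 0 {
		return nil, errors.New("no attestations with a valid signature")
	}
	return out, nil
}

// VerifyAttestationVulnerable models the pre-1.10.1 behaviour: the type
// filter silently drops non-matching statements and an empty result is
// still reported as success.
func VerifyAttestationVulnerable(pub ed25519.PublicKey, atts []Attestation, wantType string) ([]Statement, error) {
	sts, err := verifiedStatements(pub, atts)
	if err != nil {
		return nil, err
	}
	var matched []Statement
	for _, st := range sts {
		if st.PredicateType != wantType {
			continue
		}
		matched = append(matched, st)
	}
	return matched, nil // BUG: zero matches, nil error -> false positive
}

// VerifyAttestationFixed adds the missing check: at least one verified
// attestation must carry the requested predicate type.
func VerifyAttestationFixed(pub ed25519.PublicKey, atts []Attestation, wantType string) ([]Statement, error) {
	matched, err := VerifyAttestationVulnerable(pub, atts, wantType)
	if err != nil {
		return nil, err
	}
	if len(matched) == 0 {
		return nil, fmt.Errorf("no verified attestations of type %q", wantType)
	}
	return matched, nil
}

func main() {
	pub, priv, _ := NewKeypair()
	// Constructed input: the image carries only a vuln attestation, like the
	// distroless example in the advisory.
	vuln, _ := Attest(priv, TypeVuln, map[string]string{"scanner": "constructed-sample"})
	atts := []Attestation{vuln}
	_, err := VerifyAttestationVulnerable(pub, atts, TypeSPDX)
	fmt.Println("vulnerable, --type=spdx:", err) // nil: false positive
	_, err = VerifyAttestationFixed(pub, atts, TypeSPDX)
	fmt.Println("fixed, --type=spdx:", err) // error: no spdx attestation
}
```

The point to carry into your own verification wrappers: "every verified attestation passed the filter" and "at least one attestation passed the filter" are different conditions, and only the second one means the image actually has an attestation of the requested type. The same applies when you post-process `cosign verify-attestation` output yourself; check that the list you get back is non-empty before treating the image as attested.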
commit 1d7282c8cb9e2c88da3a612d5f12e89c03b9b4d7
Author: William Hubbs <williamh@gentoo.org>
Date:   Mon Oct 17 09:32:24 2022 -0500

    app-containers/cosign: add 1.13.0

    Signed-off-by: William Hubbs <williamh@gentoo.org>

Please clean up.
The earliest version in the tree is 1.12.1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d6cb09ba0620b498bac7aea3f8830301b51e403

commit 1d6cb09ba0620b498bac7aea3f8830301b51e403
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-10-17 14:38:12 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-10-17 14:39:12 +0000

    app-containers/cosign: drop 1.10.0, 1.12.1

    Bug: https://bugs.gentoo.org/864436
    Bug: https://bugs.gentoo.org/870160
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-containers/cosign/Manifest                          |  4 ---
 app-containers/cosign/cosign-1.10.0.ebuild              | 33 ------------------
 app-containers/cosign/cosign-1.12.1.ebuild              | 29 ----------------
 .../cosign/files/cosign-1.10.0-fix-makefile.patch       | 40 ----------------------
 4 files changed, 106 deletions(-)
Thanks!