CVE-2022-36056: Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First, a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate are not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth, an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.

Patch: https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25

Please bump to 1.12.0.
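As an added illustration of the first issue above (a bundle whose embedded Rekor entry does not reference the signature actually being verified), the Go snippet below shows the consistency check a verifier has to perform between the entry body, the signature and the blob. It is not cosign's code; the entry layout follows the public hashedrekord format, and the sample entry, signature and blob are constructed here.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// entryBody: the fields of a Rekor hashedrekord entry body the check needs
// (encoding/json matches field names case-insensitively, so no tags).
type entryBody struct {
	Kind string
	Spec struct {
		Data      struct{ Hash struct{ Algorithm, Value string } }
		Signature struct{ Content string }
	}
}

// checkBundleMatches returns nil only when the bundle body (base64 JSON) references
// exactly the signature and blob being verified; anything else is a failure.
func checkBundleMatches(bodyB64 string, sig, blob []byte) error {
	raw, err := base64.StdEncoding.DecodeString(bodyB64)
	var e entryBody
	if err != nil || json.Unmarshal(raw, &e) != nil || e.Kind != "hashedrekord" {
		return fmt.Errorf("bundle body is not a base64-encoded hashedrekord entry")
	}
	entrySig, err := base64.StdEncoding.DecodeString(e.Spec.Signature.Content)
	if err != nil || !bytes.Equal(entrySig, sig) {
		return fmt.Errorf("bundle entry does not reference the given signature")
	}
	if e.Spec.Data.Hash.Algorithm != "sha256" || e.Spec.Data.Hash.Value != fmt.Sprintf("%x", sha256.Sum256(blob)) {
		return fmt.Errorf("bundle entry hash does not match the blob")
	}
	return nil
}

// makeBody builds a constructed entry body for test data; it is not a real Rekor response.
func makeBody(sig, blob []byte) string {
	entry := fmt.Sprintf(`{"apiVersion":"0.0.1","kind":"hashedrekord","spec":{"data":{"hash":{"algorithm":"sha256","value":"%x"}},"signature":{"content":"%s"}}}`,
		sha256.Sum256(blob), base64.StdEncoding.EncodeToString(sig))
	return base64.StdEncoding.EncodeToString([]byte(entry))
}

func main() {
	blob, sig := []byte("release.tar.gz contents"), []byte("signature-bytes") // constructed sample input
	body := makeBody(sig, blob)
	fmt.Println(checkBundleMatches(body, sig, blob))             // <nil>
	fmt.Println(checkBundleMatches(body, []byte("other"), blob)) // bundle entry does not reference the given signature
}
```

A verifier that skips this step accepts any well-formed entry, which is exactly the failure the advisory describes; the signature-to-entry and blob-to-entry links are what tie the transparency log record to the artifact at hand.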
commit 1d7282c8cb9e2c88da3a612d5f12e89c03b9b4d7
Author: William Hubbs <williamh@gentoo.org>
Date:   Mon Oct 17 09:32:24 2022 -0500

    app-containers/cosign: add 1.13.0

    Signed-off-by: William Hubbs <williamh@gentoo.org>

Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d6cb09ba0620b498bac7aea3f8830301b51e403

commit 1d6cb09ba0620b498bac7aea3f8830301b51e403
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-10-17 14:38:12 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-10-17 14:39:12 +0000

    app-containers/cosign: drop 1.10.0, 1.12.1

    Bug: https://bugs.gentoo.org/864436
    Bug: https://bugs.gentoo.org/870160
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-containers/cosign/Manifest                      |  4 ---
 app-containers/cosign/cosign-1.10.0.ebuild          | 33 ------------------
 app-containers/cosign/cosign-1.12.1.ebuild          | 29 ----------------
 .../cosign/files/cosign-1.10.0-fix-makefile.patch   | 40 ----------------------
 4 files changed, 106 deletions(-)
Thanks!