reports: add GO-2021-0412.yaml for CVE-2022-24778

Fixes golang/vulndb#412

Change-Id: I53d674c30a1c4b9d7f1c8fe231d6accf9b43dba4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/398954
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>
diff --git a/reports/GO-2021-0412.yaml b/reports/GO-2021-0412.yaml
new file mode 100644
index 0000000..d769b4d
--- /dev/null
+++ b/reports/GO-2021-0412.yaml
@@ -0,0 +1,36 @@
+module: github.com/containerd/imgcrypt
+package: github.com/containerd/imgcrypt/images/encryption
+versions:
+  - fixed: v1.1.4
+description: |
+    The imgcrypt library provides API exensions for containerd to
+    support encrypted container images and implements the ctd-decoder
+    command line tool for use by containerd to decrypt encrypted
+    container images. The imgcrypt function `CheckAuthorization`
+    is supposed to check whether the current used is authorized to
+    access an encrypted image and prevent the user from running an
+    image that another user previously decrypted on the same system.
+    In versions prior to 1.1.4, a failure occurs when an image with
+    a ManifestList is used and the architecture of the local host
+    is not the first one in the ManifestList. Only the first
+    architecture in the list was tested, which may not have its
+    layers available locally since it could not be run on the host
+    architecture. Therefore, the verdict on unavailable layers was
+    that the image could be run anticipating that image run failure
+    would occur later due to the layers not being available. However,
+    this verdict to allow the image to run enabled other architectures
+    in the ManifestList to run an image without providing keys if
+    that image had previously been decrypted. A patch has been
+    applied to imgcrypt 1.1.4. Workarounds may include usage of
+    different namespaces for each remote user.
+cves:
+  - CVE-2022-24778
+credit: '@dimitar-dimitrow'
+symbols:
+  - cryptManifestList
+links:
+    commit: https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9
+    context:
+      - https://github.com/containerd/imgcrypt/issues/69
+      - https://github.com/containerd/imgcrypt/releases/tag/v1.1.4
+      - https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm
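Review bot: the `description` block has two typos that will be published in the report. "API exensions" should be "API extensions", and "whether the current used is authorized" should be "whether the current user is authorized". Separately, the description names `CheckAuthorization` as the function that fails, but `symbols` lists only `cryptManifestList`. Please confirm that `cryptManifestList` is the symbol that changed in the linked commit and that callers reaching it through `CheckAuthorization` are still flagged. If the exported function is meant to be matched directly, add it to `symbols`. A smaller style point: `versions` indents its list by two spaces while `links` indents by four. Matching the indentation used by the other files in `reports/` would keep the YAML consistent.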