reports: add GO-2021-0412.yaml for CVE-2022-24778
Fixes golang/vulndb#412
Change-Id: I53d674c30a1c4b9d7f1c8fe231d6accf9b43dba4
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/398954
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>
diff --git a/reports/GO-2021-0412.yaml b/reports/GO-2021-0412.yaml
new file mode 100644
index 0000000..d769b4d
--- /dev/null
+++ b/reports/GO-2021-0412.yaml
@@ -0,0 +1,36 @@
+module: github.com/containerd/imgcrypt
+package: github.com/containerd/imgcrypt/images/encryption
+versions:
+ - fixed: v1.1.4
+description: |
+ The imgcrypt library provides API exensions for containerd to
+ support encrypted container images and implements the ctd-decoder
+ command line tool for use by containerd to decrypt encrypted
+ container images. The imgcrypt function `CheckAuthorization`
+ is supposed to check whether the current used is authorized to
+ access an encrypted image and prevent the user from running an
+ image that another user previously decrypted on the same system.
+ In versions prior to 1.1.4, a failure occurs when an image with
+ a ManifestList is used and the architecture of the local host
+ is not the first one in the ManifestList. Only the first
+ architecture in the list was tested, which may not have its
+ layers available locally since it could not be run on the host
+ architecture. Therefore, the verdict on unavailable layers was
+ that the image could be run anticipating that image run failure
+ would occur later due to the layers not being available. However,
+ this verdict to allow the image to run enabled other architectures
+ in the ManifestList to run an image without providing keys if
+ that image had previously been decrypted. A patch has been
+ applied to imgcrypt 1.1.4. Workarounds may include usage of
+ different namespaces for each remote user.
+cves:
+ - CVE-2022-24778
+credit: '@dimitar-dimitrow'
+symbols:
+ - cryptManifestList
+links:
+ commit: https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9
+ context:
+ - https://github.com/containerd/imgcrypt/issues/69
+ - https://github.com/containerd/imgcrypt/releases/tag/v1.1.4
+ - https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm
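Review bot: the `symbols` list carries only `cryptManifestList`, but the description names `CheckAuthorization` as the function whose authorization check is bypassed. Please confirm that the unexported `cryptManifestList` is reachable from `CheckAuthorization` in package `images/encryption`, so that callers of the exported API are matched. If symbol matching does not follow that call path, add `CheckAuthorization` to the list. In the description, "API exensions" should be "API extensions" and "the current used is authorized" should be "the current user is authorized". The file is named GO-2021-0412 while the CVE is CVE-2022-24778, so it is worth confirming that the year in the report ID is intended.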