data/osv/GO-2021-0412.json - vulndb - Git at Google

 {
   "id": "GO-2021-0412",
   "published": "2022-04-28T23:35:11Z",
   "modified": "0001-01-01T00:00:00Z",
   "aliases": [
     "CVE-2022-24778",
     "GHSA-8v99-48m9-c8pm"
   ],
   "details": "The imgcrypt library provides API exensions for containerd to\nsupport encrypted container images and implements the ctd-decoder\ncommand line tool for use by containerd to decrypt encrypted\ncontainer images. The imgcrypt function `CheckAuthorization`\nis supposed to check whether the current used is authorized to\naccess an encrypted image and prevent the user from running an\nimage that another user previously decrypted on the same system.\nIn versions prior to 1.1.4, a failure occurs when an image with\na ManifestList is used and the architecture of the local host\nis not the first one in the ManifestList. Only the first\narchitecture in the list was tested, which may not have its\nlayers available locally since it could not be run on the host\narchitecture. Therefore, the verdict on unavailable layers was\nthat the image could be run anticipating that image run failure\nwould occur later due to the layers not being available. However,\nthis verdict to allow the image to run enabled other architectures\nin the ManifestList to run an image without providing keys if\nthat image had previously been decrypted. A patch has been\napplied to imgcrypt 1.1.4. Workarounds may include usage of\ndifferent namespaces for each remote user.\n",
   "affected": [
     {
       "package": {
         "name": "github.com/containerd/imgcrypt",
         "ecosystem": "Go"
       },
       "ranges": [
         {
           "type": "SEMVER",
           "events": [
             {
               "introduced": "0"
             },
             {
               "fixed": "1.1.4"
             }
           ]
         }
       ],
       "database_specific": {
         "url": "https://pkg.go.dev/vuln/GO-2021-0412"
       },
       "ecosystem_specific": {
         "imports": [
           {
             "path": "github.com/containerd/imgcrypt/images/encryption",
             "symbols": [
               "cryptManifestList"
             ]
           }
         ]
       }
     }
   ],
   "references": [
     {
       "type": "FIX",
       "url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"
     },
     {
       "type": "WEB",
       "url": "https://github.com/containerd/imgcrypt/issues/69"
     },
     {
       "type": "WEB",
       "url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"
     },
     {
       "type": "WEB",
       "url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"
     }
   ]
 }
	{
	"id": "GO-2021-0412",
	"published": "2022-04-28T23:35:11Z",
	"modified": "0001-01-01T00:00:00Z",
	"aliases": [
	"CVE-2022-24778",
	"GHSA-8v99-48m9-c8pm"
	],
	"details": "The imgcrypt library provides API exensions for containerd to\nsupport encrypted container images and implements the ctd-decoder\ncommand line tool for use by containerd to decrypt encrypted\ncontainer images. The imgcrypt function `CheckAuthorization`\nis supposed to check whether the current used is authorized to\naccess an encrypted image and prevent the user from running an\nimage that another user previously decrypted on the same system.\nIn versions prior to 1.1.4, a failure occurs when an image with\na ManifestList is used and the architecture of the local host\nis not the first one in the ManifestList. Only the first\narchitecture in the list was tested, which may not have its\nlayers available locally since it could not be run on the host\narchitecture. Therefore, the verdict on unavailable layers was\nthat the image could be run anticipating that image run failure\nwould occur later due to the layers not being available. However,\nthis verdict to allow the image to run enabled other architectures\nin the ManifestList to run an image without providing keys if\nthat image had previously been decrypted. A patch has been\napplied to imgcrypt 1.1.4. Workarounds may include usage of\ndifferent namespaces for each remote user.\n",
	"affected": [
	{
	"package": {
	"name": "github.com/containerd/imgcrypt",
	"ecosystem": "Go"
	},
	"ranges": [
	{
	"type": "SEMVER",
	"events": [
	{
	"introduced": "0"
	},
	{
	"fixed": "1.1.4"
	}
	]
	}
	],
	"database_specific": {
	"url": "https://pkg.go.dev/vuln/GO-2021-0412"
	},
	"ecosystem_specific": {
	"imports": [
	{
	"path": "github.com/containerd/imgcrypt/images/encryption",
	"symbols": [
	"cryptManifestList"
	]
	}
	]
	}
	}
	],
	"references": [
	{
	"type": "FIX",
	"url": "https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9"
	},
	{
	"type": "WEB",
	"url": "https://github.com/containerd/imgcrypt/issues/69"
	},
	{
	"type": "WEB",
	"url": "https://github.com/containerd/imgcrypt/releases/tag/v1.1.4"
	},
	{
	"type": "WEB",
	"url": "https://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm"
	}
	]
	}