| modules: |
| - module: github.com/containerd/imgcrypt |
| versions: |
| - fixed: 1.1.4 |
| packages: |
| - package: github.com/containerd/imgcrypt/images/encryption |
| symbols: |
| - cryptManifestList |
| description: | |
| The imgcrypt library provides API exensions for containerd to |
| support encrypted container images and implements the ctd-decoder |
| command line tool for use by containerd to decrypt encrypted |
| container images. The imgcrypt function `CheckAuthorization` |
| is supposed to check whether the current used is authorized to |
| access an encrypted image and prevent the user from running an |
| image that another user previously decrypted on the same system. |
| In versions prior to 1.1.4, a failure occurs when an image with |
| a ManifestList is used and the architecture of the local host |
| is not the first one in the ManifestList. Only the first |
| architecture in the list was tested, which may not have its |
| layers available locally since it could not be run on the host |
| architecture. Therefore, the verdict on unavailable layers was |
| that the image could be run anticipating that image run failure |
| would occur later due to the layers not being available. However, |
| this verdict to allow the image to run enabled other architectures |
| in the ManifestList to run an image without providing keys if |
| that image had previously been decrypted. A patch has been |
| applied to imgcrypt 1.1.4. Workarounds may include usage of |
| different namespaces for each remote user. |
| published: 2022-04-28T23:35:11Z |
| cves: |
| - CVE-2022-24778 |
| ghsas: |
| - GHSA-8v99-48m9-c8pm |
| credit: '@dimitar-dimitrow' |
| references: |
| - fix: https://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9 |
| - web: https://github.com/containerd/imgcrypt/issues/69 |
| - web: https://github.com/containerd/imgcrypt/releases/tag/v1.1.4 |