blob: 237c79143820078b5f83b62e615e0f664c04cf0b [file] [log] [blame]
id: GO-ID-PENDING
modules:
- module: github.com/apptainer/sif
versions:
- introduced: 1.2.1-0.20180103161547-0ef6afb2f6cd
fixed: 1.2.1-0.20180404165556-75cca531ea76
- module: github.com/satori/go.uuid
versions:
- introduced: 1.2.1-0.20180103161547-0ef6afb2f6cd
fixed: 1.2.1-0.20180404165556-75cca531ea76
vulnerable_at: 1.2.0
summary: github.com/satori/go.uuid has Predictable SIF UUID Identifiers
description: |-
### Impact
The siftool new command produces predictable UUID identifiers due to insecure
randomness in the version of the `github.com/satori/go.uuid` module used as a
dependency.
### Patches
A patch is available in version >= v1.2.1-0.20180404165556-75cca531ea76 of the
module. Users are encouraged to upgrade.
Fixed by https://github.com/hpcng/sif/pull/90
### Workarounds
Users passing CreateInfo struct should ensure the ID field is generated using a
version of github.com/satori/go.uuid that is not vulnerable to this issue.
Unfortunately, the latest tagged release is vulnerable to this issue. One way to
obtain a non-vulnerable version is:
`go get -u github.com/satori/go.uuid@v1.2.1-0.20180404165556-75cca531ea76`
### References
https://github.com/satori/go.uuid/issues/73
### For more information
If you have any questions or comments about this advisory:
Open an issue in https://github.com/hpcng/sif/issues
cves:
- CVE-2021-3538
ghsas:
- GHSA-33m6-q9v5-62r7
references:
- advisory: https://github.com/hpcng/sif/security/advisories/GHSA-33m6-q9v5-62r7
- report: https://github.com/satori/go.uuid/issues/73
- fix: https://github.com/satori/go.uuid/pull/75
- fix: https://github.com/satori/go.uuid/commit/75cca531ea763666bc46e531da3b4c3b95f64557
- web: https://bugzilla.redhat.com/show_bug.cgi?id=1954376
- web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
notes:
- lint: 'description: possible markdown formatting (found ### )'
- lint: 'description: possible markdown formatting (found `github.com/satori/go.uuid`)'
- lint: 'modules[0] "github.com/apptainer/sif": 2 versions do not exist: 1.2.1-0.20180103161547-0ef6afb2f6cd, 1.2.1-0.20180404165556-75cca531ea76'
- lint: 'modules[1] "github.com/satori/go.uuid": vulnerable_at: 1.2.0 is not inside vulnerable range'
- lint: 'summary: must begin with a capital letter'
source:
id: GHSA-33m6-q9v5-62r7