5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): LOW
Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. The validate() function returns nil (success) when the message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can therefore cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error and the service continues; the availability impact is minimal. This issue has been fixed in version 1.5.0.
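The validate/Canonicalize sequence described above, modelled in Go as an added illustration (constructed types, not Rekor's own code): the pre-fix validate that accepts an empty message beside a corrected one that rejects it, and a wrapper that recovers the resulting panic the way the server's request thread does.

```go
package main

import "errors"

// Sign1Message stands in for the parsed COSE Sign1 structure (constructed).
type Sign1Message struct{ Payload []byte }

// Entry is a proposed cose/v0.0.1 entry: spec.message plus the sign1Msg that validate() fills in.
type Entry struct {
	message  []byte
	sign1Msg *Sign1Message
}

// ValidateVulnerable mirrors the pre-1.5.0 flaw the advisory describes:
// an empty message is reported as success and sign1Msg stays nil.
func ValidateVulnerable(v *Entry) error {
	if len(v.message) == 0 {
		return nil
	}
	v.sign1Msg = &Sign1Message{Payload: v.message}
	return nil
}

// ValidateFixed rejects an empty message up front, so canonicalize never sees a nil sign1Msg.
func ValidateFixed(v *Entry) error {
	if len(v.message) == 0 {
		return errors.New("cose entry: spec.message must not be empty")
	}
	v.sign1Msg = &Sign1Message{Payload: v.message}
	return nil
}

// canonicalize dereferences sign1Msg.Payload: a nil sign1Msg panics here.
func canonicalize(v *Entry) []byte {
	return append([]byte("cose/v0.0.1:"), v.sign1Msg.Payload...)
}

// Process runs validate then canonicalize, recovering a panic as the server thread does (client gets a 500).
func Process(e *Entry, validate func(*Entry) error) (out []byte, err error) {
	defer func() {
		if recover() != nil {
			err = errors.New("internal error: recovered panic in canonicalize")
		}
	}()
	if err := validate(e); err != nil {
		return nil, err
	}
	return canonicalize(e), nil
}
```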
References
- https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833
- https://github.com/sigstore/rekor/releases/tag/v1.5.0
Affected products
- < 1.5.0
Matching in nixpkgs
- pkgs.rekor-cli: CLI client for Sigstore, the Signature Transparency Log
- pkgs.rekor-server: Sigstore server, the Signature Transparency Log
- pkgs.python312Packages.sigstore-rekor-types: Python models for Rekor's API types
Package maintainers
- @fabaff Fabian Affolter <mail@fabian-affolter.ch>
- @Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>
- @06kellyjac Jack <hello+nixpkgs@j-k.io>
- @developer-guy Batuhan Apaydın <developerguyn@gmail.com>
- @LeSuisse Thomas Gerbet <thomas@gerbet.me>