fix(deps): update module github.com/sigstore/rekor to v1.1.1 [security] (#2100)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/sigstore/rekor](https://togithub.com/sigstore/rekor) | require | patch | `v1.1.0` -> `v1.1.1` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2023-30551](https://togithub.com/sigstore/rekor/security/advisories/GHSA-2h5h-59f5-c5x9)

## Summary
Two vulnerabilities have been found in Rekor types for archive files
JARs and APKs, where Rekor would crash due to out of memory conditions
caused by reading archive metadata files into memory without checking
their sizes first, causing a Denial of Service of Rekor.

These vulnerabilities were found through fuzzing with
[OSS-Fuzz](https://google.github.io/oss-fuzz/).

## Vulnerability 1: OOM due to large files in META-INF directory of JAR files.

### Summary
Verification of a JAR file submitted to Rekor can cause an out of memory
crash if files within the META-INF directory of the JAR are sufficiently
large.

### Details
As part of verifying a JAR file, Rekor uses the [relic
library](http://github.com/sassoftware/relic) to check that the JAR is
signed, the signature verifies, and that the hashes in the signed
manifest are all valid. This library function reads files within
META-INF/ into memory without checking their sizes, resulting in an OOM
if the uncompressed file is sufficiently large. Rekor is also not
performing any such checks prior to passing the JAR to this library
function.

### Patches
Users should update to the latest version of Rekor, 1.1.1.

### Workaround
There are no workarounds; users should update.

## Vulnerability 2: OOM due to large .SIGN and .PKGINFO files in APK files.

### Summary
Parsing of an APK file submitted to Rekor can cause an out of memory
crash if the .SIGN or .PKGINFO files within the APK are sufficiently
large.

### Details
When parsing an APK file, Rekor allocates byte slices to read both the
.SIGN and .PKGINFO files into memory in order to verify the signature
and hashes in the APK. These byte slices are allocated based on the size
included in the tar header for each file, with no checks performed on
that size. If the size in the header is sufficiently large, either
because the uncompressed file is large or the size in the header has
been artificially set to a large value, Rekor will crash due to an out
of memory panic.

### Patches
Users should update to the latest version of Rekor, 1.1.1.

### Workaround
There are no workarounds; users should update.

---

### Release Notes

<details>
<summary>sigstore/rekor</summary>

### [`v1.1.1`](https://togithub.com/sigstore/rekor/blob/HEAD/CHANGELOG.md#v111)

[Compare Source](https://togithub.com/sigstore/rekor/compare/v1.1.0...v1.1.1)

#### Functional Enhancements

- Refactor Trillian client with exported methods ([#1454](https://togithub.com/sigstore/rekor/issues/1454))
- Switch to official redis-go client ([#1459](https://togithub.com/sigstore/rekor/issues/1459))
- Remove replace in go.mod ([#1444](https://togithub.com/sigstore/rekor/issues/1444))
- Add Rekor OID info. ([#1390](https://togithub.com/sigstore/rekor/issues/1390))

#### Quality Enhancements

- remove legacy encrypted cosign key ([#1446](https://togithub.com/sigstore/rekor/issues/1446))
- swap cjson dependency ([#1441](https://togithub.com/sigstore/rekor/issues/1441))
- Update release readme ([#1456](https://togithub.com/sigstore/rekor/issues/1456))

#### Bug Fixes

- Merge pull request from GHSA-2h5h-59f5-c5x9

#### Contributors

- Billy Lynch
- Bob Callaway
- Carlos Tadeu Panato Junior
- Ceridwen Coghlan
- Hayden B

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/slsa-framework/slsa-github-generator).


Signed-off-by: Renovate Bot <[email protected]>
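The pre-allocation size check that both advisories above call for, written as an added example and not Rekor's own code: a Go reader for the APK case (vulnerability 2) that refuses a tar entry whose header declares more than a cap before any byte slice is allocated, and bounds the real read as well, exercised with a constructed archive whose `.PKGINFO` header claims 4 GiB. The 1 MiB cap, the function names and the sample archive are this example's assumptions; the same check before reading applies to the `META-INF` entries of the JAR case (vulnerability 1).

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
)

// Cap on bytes buffered per APK metadata entry; 1 MiB is this example's
// assumption, not Rekor's actual limit.
const maxMetaSize int64 = 1 << 20

var ErrEntryTooLarge = errors.New("apk metadata entry exceeds size limit")

// readEntryBounded replaces the unchecked pattern from the advisory,
// buf := make([]byte, hdr.Size), where a forged Size of a few GiB panics with
// OOM before a byte is read: reject on the declared size before allocating,
// then bound the real read as well, since the header is attacker-controlled.
func readEntryBounded(tr *tar.Reader, hdr *tar.Header) ([]byte, error) {
	if hdr.Size < 0 || hdr.Size > maxMetaSize {
		return nil, ErrEntryTooLarge
	}
	// max+1 makes a body longer than the limit detectable, not silently truncated.
	data, err := io.ReadAll(io.LimitReader(tr, maxMetaSize+1))
	if err == nil && int64(len(data)) > maxMetaSize {
		return nil, ErrEntryTooLarge
	}
	return data, err
}

// buildTar constructs sample input: one entry whose header claims claimedSize
// bytes. If the body matches the claim the archive is well-formed; otherwise
// only the forged header block is emitted (the writer is never closed).
func buildTar(name string, claimedSize int64, body string) []byte {
	var b bytes.Buffer
	tw := tar.NewWriter(&b)
	tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: claimedSize})
	io.WriteString(tw, body)
	if int64(len(body)) == claimedSize {
		tw.Close()
	}
	return b.Bytes()
}

// firstEntry parses the first entry of an archive through the bounded path.
func firstEntry(archive []byte) ([]byte, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	hdr, err := tr.Next()
	if err != nil {
		return nil, err
	}
	return readEntryBounded(tr, hdr)
}
```

The forged header is rejected by `hdr.Size` alone, so the 4 GiB allocation the advisory describes never happens; a well-formed 15-byte `.PKGINFO` is returned unchanged.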
renovate-bot authored May 8, 2023
1 parent 652a21b commit cd7ad67
Showing 2 changed files with 36 additions and 197 deletions.
13 changes: 5 additions & 8 deletions go.mod
Expand Up @@ -12,7 +12,7 @@ require (
github.com/pelletier/go-toml v1.9.5
github.com/secure-systems-lab/go-securesystemslib v0.5.0
github.com/sigstore/cosign/v2 v2.0.2
github.com/sigstore/rekor v1.1.0
github.com/sigstore/rekor v1.1.1
github.com/sigstore/sigstore v1.6.3
github.com/spf13/cobra v1.7.0
golang.org/x/oauth2 v0.7.0
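Review bot: the only direct-requirement change in this hunk is github.com/sigstore/rekor v1.1.0 -> v1.1.1, the version the advisory names as the fix for CVE-2023-30551, so the bump itself is correct; the commit summary says 2 files changed but only go.mod is shown, so confirm the matching go.sum lines (both the module hash and the /go.mod hash for v1.1.1) landed in the same commit, otherwise the build will not pin the patched version.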
Expand Down Expand Up @@ -71,8 +71,7 @@ require (
github.com/cloudflare/circl v1.1.0 // indirect
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3 // indirect
github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31 // indirect
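Review bot: github.com/cyberphone/json-canonicalization jumps from a 2021 pseudo-version (20210823021906-dc406ceaf94b) to a 2022 one (20220623050100-57a0ce2678a7) and github.com/cpuguy83/go-md2man/v2 disappears, neither of which is in the PR table, which lists only rekor; both lines are `// indirect`, so this is `go mod tidy` following rekor's new requirements, but canonicalization decides the bytes that get hashed and verified, so a quick look at what changed upstream in that year is warranted before merging.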
Expand All @@ -93,12 +92,12 @@ require (
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/loads v0.21.2 // indirect
github.com/go-openapi/runtime v0.26.0 // indirect
github.com/go-openapi/spec v0.20.8 // indirect
github.com/go-openapi/spec v0.20.9 // indirect
github.com/go-openapi/validate v0.22.1 // indirect
github.com/go-piv/piv-go v1.11.0 // indirect
github.com/go-playground/locales v0.14.1 // indirect
github.com/go-playground/universal-translator v0.18.1 // indirect
github.com/go-playground/validator/v10 v10.12.0 // indirect
github.com/go-playground/validator/v10 v10.13.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
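Review bot: github.com/go-openapi/spec v0.20.8 -> v0.20.9 and github.com/go-playground/validator/v10 v10.12.0 -> v10.13.0 are transitive bumps that nothing in the PR description documents; a line in the commit body listing the indirect modules that moved would make this easier to bisect later, and the generated OpenAPI client is on the path used to talk to Rekor, so the test suite should have run against it rather than relying on the build alone.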
Expand All @@ -124,7 +123,7 @@ require (
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.16.0 // indirect
github.com/leodido/go-urn v1.2.2 // indirect
github.com/leodido/go-urn v1.2.3 // indirect
github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
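Review bot: github.com/leodido/go-urn v1.2.2 -> v1.2.3 is another undocumented `// indirect` move; it is consistent with the validator bump in the previous hunk (go-urn is pulled in by validator), so no action beyond the same note about recording transitive changes in the commit body.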
Expand All @@ -142,7 +141,6 @@ require (
github.com/pborman/uuid v1.2.1 // indirect
github.com/pelletier/go-toml/v2 v2.0.6 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/segmentio/ksuid v1.0.4 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
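Review bot: github.com/sassoftware/relic stays at v7.2.1+incompatible even though the advisory attributes the unchecked META-INF read (vulnerability 1) to that library's JAR verification function; the fix for the JAR case therefore has to live in Rekor's own size checks before the JAR reaches relic, which is worth confirming in the v1.1.1 changes rather than assuming the library was patched. The github.com/russross/blackfriday/v2 removal pairs with the go-md2man drop above (blackfriday is go-md2man's markdown renderer) and needs no further attention.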
Expand All @@ -158,7 +156,6 @@ require (
github.com/spiffe/go-spiffe/v2 v2.1.4 // indirect
github.com/subosito/gotenv v1.4.2 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
github.com/thales-e-security/pool v0.0.2 // indirect
github.com/theupdateframework/go-tuf v0.5.2 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
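Review bot: the removal of github.com/tent/canonical-json-go matches "swap cjson dependency (#1441)" in the release notes, but the module it was swapped for does not appear as an added line in any of the shown hunks; it is presumably in one of the collapsed regions, so check that the replacement is present in go.mod and go.sum rather than only dropped here.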
