fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/sigstore/cosign/v2	v2.2.0 -> v2.2.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-46737

Summary

Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in pkg/cosign.FetchAttestations.

The attacker needs to compromise the registry or make a request to a registry they control. When doing so, the attacker must return a high number of attestations in the response to Cosign. The result will be that the attacker can cause Cosign to go into a long or infinite loop that will prevent other users from verifying their data. In Kyvernos case, an attacker whose privileges are limited to making requests to the cluster can make a request with an image reference to their own registry, trigger the infinite loop and deny other users from completing their admission requests. Alternatively, the attacker can obtain control of the registry used by an organization and return a high number of attestations instead the expected number of attestations.

The vulnerable loop in Cosign starts on line 154 below:
https://github.com/sigstore/cosign/blob/004443228442850fb28f248fd59765afad99b6df/pkg/cosign/fetch.go#L135-L196

The l slice is controllable by an attacker who controls the remote registry.

Many cloud-native projects consider the remote registry to be untrusted, including Crossplane, Notary and Kyverno. We consider the same to be the case for Cosign, since users are not in control of whether the registry returns the expected data.

TUF's security model labels this type of vulnerability an "Endless data attack", but an attacker could use this as a type of rollback attack, in case the user attempts to deploy a patched version of a vulnerable image; The attacker could prevent this upgrade by causing Cosign to get stuck in an infinite loop and never complete.

Mitigation

The issue can be mitigated rather simply by setting a limit to the limit of attestations that Cosign will loop through. The limit does not need to be high to be within the vast majority of use cases and still prevent the endless data attack.

CVE-2024-29902

Summary

A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial.

Details

The root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. As such, a large attachment can make Cosign read a large attachment into memory; If the attachments size is larger than the machine has memory available, the machine will be denied of service. The Go runtime will make a SIGKILL after a few seconds of system-wide denial.

The root cause is that Cosign reads the contents of the attachments entirely into memory on line 238 below:

https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239

...and prior to that, neither Cosign nor go-containerregistry checks the size of the attachment and enforces a max cap. In the case of a remote layer of f *attached, go-containerregistry will invoke this API:

https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40

func (rl *remoteLayer) Compressed() (io.ReadCloser, error) {
	// We don't want to log binary layers -- this can break terminals.
	ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
	return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}

Notice that the second argument to rl.fetcher.fetchBlob is verify.SizeUnknown which results in not using the io.LimitReader in verify.ReadCloser:
https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100

func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
	w, err := v1.Hasher(h.Algorithm)
	if err != nil {
		return nil, err
	}
	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
	if size != SizeUnknown {
		r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
	}
	return &and.ReadCloser{
		Reader: &verifyReader{
			inner:    r2,
			hasher:   w,
			expected: h,
			wantSize: size,
		},
		CloseFunc: r.Close,
	}, nil
}

Impact

This issue can allow a supply-chain escalation from a compromised registry to the Cosign user: If an attacher has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer.

Remediation

Update to the latest version of Cosign, which limits the number of attachments. An environment variable can override this value.

CVE-2024-29903

Maliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates.

As an example, these lines demonstrate the problem:

https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70

This Get() method gets the manifest of the image, allocates a slice equal to the length of the layers in the manifest, loops through the layers and adds a new signature to the slice.

The exact issue is Cosign allocates excessive memory on the lines that creates a slice of the same length as the manifests.

Remediation

Update to the latest version of Cosign, where the number of attestations, signatures and manifests has been limited to a reasonable value.

Cosign PoC

In the case of this API (also referenced above):

https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70

… The first line can contain a length that is safe for the system and will not throw a runtime panic or be blocked by other safety mechanisms. For the sake of argument, let’s say that the length of m, err := s.Manifest() is the max allowed (by the machine without throwing OOM panics) manifests minus 1. When Cosign then allocates a new slice on this line: signatures := make([]oci.Signature, 0, len(m.Layers)), Cosign will allocate more memory than is available and the machine will be denied of service, causing Cosign and all other services on the machine to be unavailable.

To illustrate the issue here, we run a modified version of TestSignedImageIndex() in pkg/oci/remote:

https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/oci/remote/index_test.go#L31-L57

Here, wantLayers is the number of manifests from these lines:

https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L60

To test this, we want to make wantLayers high enough to not cause a memory on its own but still trigger the machine-wide OOM when a slice gets create with the same length. On my local machine, it would take hours to create a slice of layers that fulfils that criteria, so instead I modify the Cosign production code to reflect a long list of manifests:

// Get implements oci.Signatures
func (s *sigs) Get() ([]oci.Signature, error) {
        m, err := s.Manifest()
        if err != nil {
                return nil, err
        }
        // Here we imitate a long list of manifests
        ms := make([]byte, 2600000000) // imitate a long list of manifests
        signatures := make([]oci.Signature, 0, len(ms))
        panic("Done")
        //signatures := make([]oci.Signature, 0, len(m.Layers))
        for _, desc := range m.Layers {

With this modified code, if we can cause an OOM without triggering the panic("Done"), we have succeeded.

---

Release Notes

sigstore/cosign (github.com/sigstore/cosign/v2)

v2.2.4

Compare Source

Bug Fixes

• Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv (#​3661)
• ErrNoSignaturesFound should be used when there is no signature attached to an image. (#​3526)
• fix semgrep issues for dgryski.semgrep-go ruleset (#​3541)
• Honor creation timestamp for signatures again (#​3549)

Features

• Adds Support for Fulcio Client Credentials Flow, and Argument to Set Flow Explicitly (#​3578)

Documentation

• add oci bundle spec (#​3622)
• Correct help text of triangulate cmd (#​3551)
• Correct help text of verify-attestation policy argument (#​3527)
• feat: add OVHcloud MPR registry tested with cosign (#​3639)

Testing

• Refactor e2e-tests.yml workflow (#​3627)
• Clean up and clarify e2e scripts (#​3628)
• Don't ignore transparency log in tests if possible (#​3528)
• Make E2E tests hermetic (#​3499)
• add e2e test for pkcs11 token signing (#​3495)

v2.2.3

Compare Source

Bug Fixes

• Fix race condition on verification with multiple signatures attached to image (#​3486)
• fix(clean): Fix clean cmd for private registries (#​3446)
• Fixed BYO PKI verification (#​3427)

Features

• Allow for option in cosign attest and attest-blob to upload attestation as supported in Rekor (#​3466)
• Add support for OpenVEX predicate type (#​3405)

Documentation

• Resolves #​3088: version sub-command expected behaviour documentation and testing (#​3447)
• add examples for cosign attach signature cmd (#​3468)

Misc

• Remove CertSubject function (#​3467)
• Use local rekor and fulcio instances in e2e tests (#​3478)

Contributors

• aalsabag
• Bob Callaway
• Carlos Tadeu Panato Junior
• Colleen Murphy
• Hayden B
• Mukuls77
• Omri Bornstein
• Puerco
• vivek kumar sahu

v2.2.2

Compare Source

v2.2.2 adds a new container with a shell, gcr.io/projectsigstore/cosign:vx.y.z-dev, in addition to the existing
container gcr.io/projectsigstore/cosign:vx.y.z without a shell.

For private deployments, we have also added an alias for --insecure-skip-log, --private-infrastructure.

Bug Fixes

• chore(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#​3411) which fixes a bug with using Azure KMS
• Don't require CT log keys if using a key/sk (#​3415)
• Fix copy without any flag set (#​3409)
• Update cosign generate cmd to not include newline (#​3393)
• Fix idempotency error with signing (#​3371)

Features

• Add --yes flag cosign import-key-pair to skip the overwrite confirmation. (#​3383)
• Use the timeout flag value in verify* commands. (#​3391)
• add --private-infrastructure flag (#​3369)

Container Updates

• Bump builder image to use go1.21.4 and add new cosign image tags with shell (#​3373)

Documentation

• Update SBOM_SPEC.md (#​3358)

Contributors

• Carlos Tadeu Panato Junior
• Dylan Richardson
• Hayden B
• Lily Sturmann
• Nikos Fotiou
• Yonghe Zhao

v2.2.1

Compare Source

Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP

Enhancements

• feat: Support basic auth and bearer auth login to registry (#​3310)
• add support for ignoring certificates with pkcs11 (#​3334)
• Support ReplaceOp in Signatures (#​3315)
• feat: added ability to get image digest back via triangulate (#​3255)
• feat: add --only flag in cosign copy to copy sign, att & sbom (#​3247)
• feat: add support attaching a Rekor bundle to a container (#​3246)
• feat: add support outputting rekor response on signing (#​3248)
• feat: improve dockerfile verify subcommand (#​3264)
• Add guard flag for experimental OCI 1.1 verify. (#​3272)
• Deprecate SBOM attachments (#​3256)
• feat: dedent line in cosign copy doc (#​3244)
• feat: add platform flag to cosign copy command (#​3234)
• Add SLSA 1.0 attestation support to cosign. Closes #​2860 (#​3219)
• attest: pass OCI remote opts to att resolver. (#​3225)

Bug Fixes

• Merge pull request from GHSA-vfp6-jrw2-99g9
• fix: allow cosign download sbom when image is absent (#​3245)
• ci: add a OCI registry test for referrers support (#​3253)
• Fix ReplaceSignatures (#​3292)
• Stop using deprecated in_toto.ProvenanceStatement (#​3243)
• Fixes #​3236, disable SCT checking for a cosign verification when usin… (#​3237)
• fix: update error in SignedEntity to be more descriptive (#​3233)
• Fail timestamp verification if no root is provided (#​3224)

Documentation

• Add some docs about verifying in an air-gapped environment (#​3321)
• Update CONTRIBUTING.md (#​3268)
• docs: improves the Contribution guidelines (#​3257)
• Remove security policy (#​3230)

Others

• Set go to min 1.21 and update dependencies (#​3327)
• Update contact for code of conduct (#​3266)
• Update .ko.yaml (#​3240)

Contributors

• AdamKorcz
• Andres Galante
• Appu
• Billy Lynch
• Bob Callaway
• Caleb Woodbine
• Carlos Tadeu Panato Junior
• Dylan Richardson
• Gareth Healy
• Hayden B
• John Kjell
• Jon Johnson
• jonvnadelberg
• Luiz Carvalho
• Priya Wadhwa
• Ramkumar Chinchani
• Tosone
• Ville Aikas
• Vishal Choudhary
• ziel

---

Configuration

📅 Schedule: Branch creation - "before 4am" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[laurentsimon]

Latest version from Jan is 2.2.3, not v2.2.1. I ticked the box to update the PR.