
Fix CVE-2024-3727 #2403

Merged (4 commits merged on May 9, 2024)
Commits on May 9, 2024

  1. Validate digests before using them

    If doing it makes sense at all, it should happen before
    the values are used.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed May 9, 2024
    Commit fdb044b
  2. Call .Validate() before digest.Hex() / digest.Encoded()

    ... to prevent panics if the value does not contain a :, or other unexpected
    values (e.g. a path traversal).
    
    Don't bother on paths where we computed the digest ourselves, or it is already trusted
    for other reasons.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed May 9, 2024
    Commit 04deef6
  3. Call .Validate() before digest.Digest.String() if necessary

    ... to prevent unexpected behavior on invalid values.
    
    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed May 9, 2024
    Commit f2743a4
  4. Validate the tags returned by a registry

    Signed-off-by: Miloslav Trmač <mitr@redhat.com>
    mtrmac committed May 9, 2024
    Commit 05a5b77
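The commit messages above describe the check but the PR page shows no code, so here is an added, stand-alone example that is not code from containers/image, go-digest, or this PR. It uses only the Go standard library: validateDigest is modelled on the rules go-digest documents for Digest.Validate (an "<algorithm>:<encoded>" shape, and lowercase hex of exactly size*2 characters for sha256/sha512; the function and error names are this example's own), encodedUnchecked reproduces how Digest.Encoded() panics when the value has no ':', blobPath shows why an unvalidated digest used as a path component is a traversal, and validateTag uses the tag grammar from the distribution reference specification to illustrate commit 4. The "/var/lib/blobs" layout and every input string are constructed for illustration and are not containers/image's actual storage layout.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Failure classes for a digest string (names are this example's own).
var (
	ErrInvalidFormat = errors.New("invalid digest format")
	ErrInvalidLength = errors.New("invalid digest length")
	ErrUnsupported   = errors.New("unsupported digest algorithm")
)

// Rules modelled on go-digest: "<algorithm>:<encoded>", and for known
// algorithms the encoded part is lowercase hex of exactly size*2 characters.
var (
	digestRe    = regexp.MustCompile(`^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$`)
	hexRe       = regexp.MustCompile(`^[a-f0-9]+$`)
	digestSizes = map[string]int{"sha256": 32, "sha512": 64}
	// Tag grammar from the distribution reference spec: [\w][\w.-]{0,127}.
	tagRe = regexp.MustCompile(`^[a-zA-Z0-9_][a-zA-Z0-9_.-]{0,127}$`)
)

// validateDigest is the kind of check the fix inserts before Hex()/Encoded()/String().
func validateDigest(s string) error {
	i := strings.Index(s, ":")
	if i <= 0 || i+1 == len(s) {
		return ErrInvalidFormat // no algorithm, no separator, or empty encoded part
	}
	alg, enc := s[:i], s[i+1:]
	size, known := digestSizes[alg]
	if !known {
		if !digestRe.MatchString(s) {
			return ErrInvalidFormat
		}
		return ErrUnsupported // well-formed, but nothing here can verify it
	}
	if len(enc) != size*2 {
		return ErrInvalidLength // "../../etc/passwd" fails here, before any I/O
	}
	if !hexRe.MatchString(enc) {
		return ErrInvalidFormat
	}
	return nil
}

// validateTag rejects registry-supplied tag names that do not fit the grammar.
func validateTag(tag string) bool { return tagRe.MatchString(tag) }

// encodedUnchecked reproduces the pre-fix hazard: slice after the first ':'
// and panic when there is none, which is what Digest.Encoded() does.
func encodedUnchecked(s string) string {
	i := strings.Index(s, ":")
	if i < 0 {
		panic(fmt.Sprintf("no ':' separator in digest %q", s))
	}
	return s[i+1:]
}

// uncheckedPanics reports whether encodedUnchecked panics on s.
func uncheckedPanics(s string) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	encodedUnchecked(s)
	return false
}

// blobPathUnchecked shows where an attacker-controlled digest ends up when the
// encoded part becomes a path component without validation (constructed layout).
func blobPathUnchecked(root, d string) string {
	enc := encodedUnchecked(d) // panics on a value with no ':'
	return filepath.Join(root, d[:len(d)-len(enc)-1], enc)
}

// blobPath is the hardened form: validate first, then build the path.
func blobPath(root, d string) (string, error) {
	if err := validateDigest(d); err != nil {
		return "", fmt.Errorf("refusing digest %q: %w", d, err)
	}
	return blobPathUnchecked(root, d), nil
}

func main() {
	root := "/var/lib/blobs" // constructed layout, not containers/image's
	for _, d := range []string{"sha256:" + strings.Repeat("a", 64), "nocolon", "sha256:../../etc/passwd"} {
		if err := validateDigest(d); err != nil {
			fmt.Printf("%q rejected: %v (unchecked Encoded would panic: %v)\n", d, err, uncheckedPanics(d))
			continue
		}
		p, _ := blobPath(root, d)
		fmt.Printf("%q ok -> %s\n", d, p)
	}
	fmt.Println("unchecked traversal target:", blobPathUnchecked(root, "sha256:../../etc/passwd"))
}
```

Note the ordering in blobPath: the check runs on the raw string before any slicing, which is the point of commit 1 ("it should happen before the values are used"). Validating after Encoded() would be too late, since Encoded() itself is what panics on a value with no separator.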