Sourced from github.com/containers/image/v5's releases.
v5.30.1
This fixes CVE-2024-3727 .
Digest values used throughout this library were not always validated. That allowed attackers to trigger, when pulling untrusted images, unexpected authenticated registry accesses on behalf of a victim user.
In less common uses of this library (using other transports or not using the
containers/image/v5/copy.Image
API), an attacker could also trigger local path traversals or crashes.
56e750a
Release 5.30.1132678b
Merge pull request #2404
from mtrmac/digest-unmarshal-5.30b724ee7
Validate the tags returned by a registrya9225e4
Call .Validate() before digest.Digest.String() if necessary4a3785d
Refactor the error handling furthera802d65
Refactor the error handling path of saveStream39e7c91
Call .Validate() before digest.Hex() / digest.Encoded()2bcb834
Validate digests before using them