Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/notaryproject/notation-go: CVE-2023-25656 #1589

Closed
GoVulnBot opened this issue Feb 20, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/notaryproject/notation-go: CVE-2023-25656 #1589

GoVulnBot opened this issue Feb 20, 2023 · 2 comments
Assignees
@neild

Comments

@GoVulnBot
Copy link

CVE-2023-25656 references github.com/notaryproject/notation-go, which may be a Go module.

Description:
notation-go is a collection of libraries for supporting Notation sign, verify, push, pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/notaryproject/notation-go
    packages:
      - package: notation-go
description: |
    notation-go is a collection of libraries for supporting Notation sign, verify, push, pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.
cves:
  - CVE-2023-25656
references:
  - advisory: https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28v
  - web: https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3
@neild neild self-assigned this Feb 27, 2023
@tatianab
Copy link
Contributor

tatianab commented Mar 6, 2023

Fix: notaryproject/notation-go#275

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/504861 mentions this issue: data/reports: add GO-2023-1589.yaml

@inteon inteon mentioned this issue Feb 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @tatianab @gopherbot @GoVulnBot