fix(deps): update module github.com/sigstore/rekor to v1.1.1 [security] - autoclosed

[renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change
github.com/sigstore/rekor	require	minor	v1.0.1 -> v1.1.1

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-30551

Summary

Two vulnerabilities have been found in Rekor types for archive files JARs and APKs, where Rekor would crash due to out of memory conditions caused by reading archive metadata files into memory without checking their sizes first causing a Denial of Service of Rekor.

These vulnerabilities were found through fuzzing with OSS-Fuzz.

Vulnerability 1: OOM due to large files in META-INF directory of JAR files.

Summary

Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large.

Details

As part of verifying a JAR file, Rekor uses the relic library to check that the JAR is signed, the signature verifies, and that the hashes in the signed manifest are all valid. This library function reads files within META-INF/ into memory without checking their sizes, resulting in an OOM if the uncompressed file is sufficiently large. Rekor is also not performing any such checks prior to passing the JAR to this library function.

Patches

Users should update to the latest version of Rekor, 1.1.1.

Workaround

There are no workarounds, users should update.

Vulnerability 2: OOM due to large .SIGN and .PKGINFO files in APK files.

Summary

Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large.

Details

When parsing an APK file, Rekor allocates byte slices to read both the .SIGN and .PKGINFO files into memory in order to verify the signature and hashes in the APK. These byte slices are allocated based on the size included in the tar header for each file, with no checks performed on that size. If the size in the header is sufficiently large, either because the uncompressed file is large or the size in the header has been artificially set to a large value, Rekor will crash due to an out of memory panic.

Patches

Users should update to the latest version of Rekor, 1.1.1.

Workaround

There are no workarounds, users should update.

---

Release Notes

sigstore/rekor

v1.1.1

Compare Source

Functional Enhancements

• Refactor Trillian client with exported methods (#​1454)
• Switch to official redis-go client (#​1459)
• Remove replace in go.mod (#​1444)
• Add Rekor OID info. (#​1390)

Quality Enhancements

• remove legacy encrypted cosign key (#​1446)
• swap cjson dependency (#​1441)
• Update release readme (#​1456)

Bug Fixes

• Merge pull request from GHSA-2h5h-59f5-c5x9

Contributors

• Billy Lynch
• Bob Callaway
• Carlos Tadeu Panato Junior
• Ceridwen Coghlan
• Hayden B

v1.1.0

Compare Source

Functional Enhancements

• improve validation on intoto v0.0.2 type (#​1351)
• add feature to limit HTTP request body length to process (#​1334)
• add information about the file size limit (#​1313)
• Add script to backfill Redis from Rekor (#​1163)
• Feature: add search support for sha512 (#​1142)

Quality Enhancements

• fuzzing: refactor OSS-Fuzz build script (#​1377)
• Update cloudbuild for cosign 2.0 (#​1375)
• Tests - Additional sharding tests (#​1180)
• jar type: add fuzzer for 3rd-party dep (#​1360)
• update cosign to 2.0.0 and builder image and also cosign flags (#​1368)
• fuzzing: move alpine utils to fuzz utils (#​1335)
• fuzzing: add seed for alpine fuzzer (#​1342)
• jar: add v001 fuzzer (#​1327)
• fuzzing: open writer later in fuzz utils (#​1326)
• fuzzing: remove tar operations in alpine fuzzer (#​1322)
• alpine: add v001 fuzzer (#​1316)
• hashedrekord: add v001 fuzzer (#​1315)
• fuzzing: add call to IndexKeys in multiple fuzzers (#​1302)
• fuzzing: improve cose fuzzer (#​1300)
• fuzzing: improve fuzz utils (#​1298)
• fuzzing: improve alpine fuzzer (#​1273)
• fuzzing: go mod edit go-fuzz-headers (#​1272)
• fuzzing: add .options file (#​1271)
• fuzzing: build helm fuzzer from correct dir (#​1264)
• types: refactor multiple fuzzers (#​1258)
• helm: add fuzzer for provenance unmarshalling (#​1243)
• pki: add fuzzer (#​1256)
• Fuzzing: Add more bug detectors (#​1253)
• Refactor e2e - part 5 (#​1236)
• Removed unused tool/deps (#​1244)
• Fixed the invalid path (#​1245)
• Run latest fuzzers in OSS-Fuzz (#​1221)
• Fuzz tests - hashedrekord (#​1224)
• Update builder (#​1228)
• Revamping rekor e2e - part 4 of N (#​1218)
• types: add fuzzers (#​1225)
• jar type: add fuzzer (#​1215)
• Revamping rekor e2e - part 3 of N (#​1177)
• modify OSS-Fuzz build script (#​1214)
• move over oss-fuzz build script (#​1204)
• wrap redis client errors to aid debugging (#​1176)
• don't test release candidate builds in harness (#​1183)
• types/alpine: add fuzzer (#​1200)
• logging tweaks to improve usability (#​1235)
• Add backfill-redis to the release artifacts (#​1174)
• ensure jobs run on release branches (#​1181)
• update builder image and cosign (#​1165)
• Refactor e2e tests - x509 apk (#​1152)
• Sharding - Additional tests (#​1156)
• Ran gofmt and cleaned up (#​1157)
• Fuzz - Fuzz tests for sharding (#​1147)
• Revamping rekor e2e - part 1 of N (#​1089)

Bug Fixes

• remove goroutine usage from SearchLogQuery (#​1407)
• drop log messages regarding attestation storage to debug (#​1408)
• fix ko-local build (#​1381)
• disable blocking checks (#​1353)
• fix validation for proposed vs committed log entries for intoto v0.0.1 (#​1309)
• fix: fix regex for multi-digit counts (#​1321)
• return NotFound if treesize is 0 rather than calling trillian (#​1311)
• enumerate slice to get sugared logs (#​1312)
• put a reasonable size limit on ssh key reader (#​1288)
• CLIENT: Fix Custom Host and Path Issue (#​1306)
• do not persist local state if log is empty; fail consistency proofs from 0 size (#​1290)
• correctly handle invalid or missing pki format (#​1281)
• Add Verifier to get public key/cert and identities for entry type (#​1210)
• fix goroutine leak in client; add insecure TLS option (#​1238)
• Fix - Remove the force-recreate flag (#​1179)
• trim whitespace around public keys before parsing (#​1175)
• stop inserting envelope hash for intoto:0.0.2 types into index (#​1171)
• Revert "remove double encoding of payload and signature fields for intoto (#​1150)" (#​1158)
• remove double encoding of payload and signature fields for intoto (#​1150)
• fix SearchLogQuery behavior to conform to openapi spec (#​1145)
• Remove pem-certificate-chain from client (#​1138)
• fix flag type for operator in search (#​1136)
• use sigstore/community dep review (#​1132)

Contributors

• AdamKorcz
• Batuhan Apaydın
• Bob Callaway
• Carlos Tadeu Panato Junior
• Fabian Kammel
• Fredrik Skogman
• Hayden B
• Joyce
• Naveen
• Noah Kreiger
• Priya Wadhwa

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[forking-renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: docker run --rm --name=renovate_a_sidecar --label=renovate_a_child -v "/tmp/worker/c8b63b/086ace/repos/github/slsa-framework/slsa-verifier":"/tmp/worker/c8b63b/086ace/repos/github/slsa-framework/slsa-verifier" -v "/tmp/worker/c8b63b/086ace/cache":"/tmp/worker/c8b63b/086ace/cache" -e GOPATH -e GOPROXY -e GOSUMDB -e GOFLAGS -e CGO_ENABLED -e GIT_CONFIG_KEY_0 -e GIT_CONFIG_VALUE_0 -e GIT_CONFIG_KEY_1 -e GIT_CONFIG_VALUE_1 -e GIT_CONFIG_KEY_2 -e GIT_CONFIG_VALUE_2 -e GIT_CONFIG_COUNT -e BUILDPACK_CACHE_DIR -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/c8b63b/086ace/repos/github/slsa-framework/slsa-verifier" ghcr.io/containerbase/sidecar bash -l -c "install-tool golang 1.20.4 && go get -d -t ./... && go mod tidy && go mod tidy"
go: downloading github.com/spf13/cobra v1.7.0
go: downloading sigs.k8s.io/release-utils v0.7.3
go: downloading github.com/google/go-cmp v0.5.9
go: downloading github.com/sigstore/cosign v1.13.1
go: downloading golang.org/x/mod v0.10.0
go: downloading github.com/gorilla/mux v1.8.0
go: downloading github.com/in-toto/in-toto-golang v0.8.0
go: downloading github.com/secure-systems-lab/go-securesystemslib v0.5.0
go: downloading github.com/docker/go v1.5.1-1
go: downloading github.com/go-openapi/runtime v0.26.0
go: downloading github.com/go-openapi/strfmt v0.21.7
go: downloading github.com/go-openapi/swag v0.22.3
go: downloading github.com/sigstore/cosign/v2 v2.0.0-rc.2
go: downloading github.com/sigstore/protobuf-specs v0.1.1-0.20230426054333-13e09aafd3a7
go: downloading github.com/sigstore/rekor v1.1.1
go: downloading github.com/sigstore/sigstore v1.6.3
go: downloading github.com/slsa-framework/slsa-github-generator v1.4.0
go: downloading google.golang.org/protobuf v1.30.0
go: downloading github.com/google/go-containerregistry v0.14.0
go: downloading github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be
go: downloading github.com/inconshreveable/mousetrap v1.1.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7
go: downloading github.com/theupdateframework/go-tuf v0.5.2
go: downloading github.com/transparency-dev/merkle v0.0.1
go: downloading golang.org/x/sync v0.1.0
go: downloading golang.org/x/term v0.7.0
go: downloading golang.org/x/crypto v0.8.0
go: downloading github.com/go-openapi/errors v0.20.3
go: downloading github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading github.com/oklog/ulid v1.3.1
go: downloading go.mongodb.org/mongo-driver v1.11.3
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/sigstore/fulcio v1.0.0
go: downloading github.com/shibumi/go-pathspec v1.3.0
go: downloading golang.org/x/sys v0.7.0
go: downloading go.step.sm/crypto v0.29.3
go: downloading github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31
go: downloading github.com/google/certificate-transparency-go v1.1.4
go: downloading github.com/sigstore/timestamp-authority v0.2.1
go: downloading google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
go: downloading github.com/hashicorp/go-cleanhttp v0.5.2
go: downloading github.com/hashicorp/go-retryablehttp v0.7.2
go: downloading github.com/ghodss/yaml v1.0.0
go: downloading github.com/google/trillian v1.5.1
go: downloading github.com/go-openapi/validate v0.22.1
go: downloading github.com/blang/semver v3.5.1+incompatible
go: downloading golang.org/x/exp v0.0.0-20230124195608-d38c7dcee874
go: downloading github.com/spf13/viper v1.15.0
go: downloading github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf
go: downloading github.com/containerd/stargz-snapshotter/estargz v0.14.3
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading github.com/josharian/intern v1.0.0
go: downloading github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795
go: downloading github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21
go: downloading github.com/mozillazg/docker-credential-acr-helper v0.3.0
go: downloading github.com/coreos/go-oidc/v3 v3.5.0
go: downloading github.com/go-jose/go-jose/v3 v3.0.0
go: downloading github.com/segmentio/ksuid v1.0.4
go: downloading github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
go: downloading golang.org/x/oauth2 v0.7.0
go: downloading github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3
go: downloading github.com/pkg/errors v0.9.1
go: downloading gopkg.in/square/go-jose.v2 v2.6.0
go: downloading k8s.io/klog/v2 v2.80.1
go: downloading github.com/opentracing/opentracing-go v1.2.0
go: downloading go.opentelemetry.io/otel v1.14.0
go: downloading go.opentelemetry.io/otel/trace v1.14.0
go: downloading github.com/go-playground/validator/v10 v10.13.0
go: downloading google.golang.org/grpc v1.54.0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/go-chi/chi v4.1.2+incompatible
go: downloading go.uber.org/zap v1.24.0
go: downloading github.com/go-openapi/analysis v0.21.4
go: downloading github.com/go-openapi/jsonpointer v0.19.5
go: downloading github.com/go-openapi/loads v0.21.2
go: downloading github.com/go-openapi/spec v0.20.9
go: downloading github.com/fsnotify/fsnotify v1.6.0
go: downloading github.com/spf13/afero v1.9.3
go: downloading github.com/spf13/cast v1.5.0
go: downloading github.com/spf13/jwalterweatherman v1.1.0
go: downloading github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
go: downloading github.com/docker/cli v23.0.1+incompatible
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading github.com/klauspost/compress v1.16.0
go: downloading github.com/vbatts/tar-split v0.11.2
go: downloading github.com/docker/distribution v2.8.1+incompatible
go: downloading github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d
go: downloading github.com/docker/docker-credential-helpers v0.7.0
go: downloading github.com/sirupsen/logrus v1.9.0
go: downloading github.com/Azure/go-autorest/autorest/azure/auth v0.5.12
go: downloading github.com/Azure/go-autorest/autorest v0.11.28
go: downloading github.com/Azure/go-autorest v14.2.0+incompatible
go: downloading filippo.io/edwards25519 v1.0.0
go: downloading github.com/go-logr/logr v1.2.3
go: downloading github.com/go-playground/universal-translator v0.18.1
go: downloading github.com/leodido/go-urn v1.2.3
go: downloading golang.org/x/text v0.9.0
go: downloading golang.org/x/net v0.9.0
go: downloading go.uber.org/atomic v1.10.0
go: downloading go.uber.org/multierr v1.9.0
go: downloading github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b
go: downloading github.com/sassoftware/relic v7.2.1+incompatible
go: downloading github.com/subosito/gotenv v1.4.2
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading gopkg.in/ini.v1 v1.67.0
go: downloading github.com/magiconair/properties v1.8.7
go: downloading github.com/pelletier/go-toml/v2 v2.0.6
go: downloading github.com/go-openapi/jsonreference v0.20.0
go: downloading github.com/docker/docker v23.0.1+incompatible
go: downloading github.com/opencontainers/image-spec v1.1.0-rc2
go: downloading github.com/aws/aws-sdk-go-v2 v1.17.8
go: downloading github.com/aws/aws-sdk-go-v2/config v1.18.21
go: downloading github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0
go: downloading github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0
go: downloading github.com/aws/smithy-go v1.13.5
go: downloading cloud.google.com/go/compute/metadata v0.2.3
go: downloading cloud.google.com/go/compute v1.19.0
go: downloading google.golang.org/appengine v1.6.7
go: downloading github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0
go: downloading github.com/alibabacloud-go/cr-20160607 v1.0.1
go: downloading github.com/alibabacloud-go/cr-20181201 v1.0.10
go: downloading github.com/alibabacloud-go/darabonba-openapi v0.1.18
go: downloading github.com/alibabacloud-go/tea-utils v1.4.4
go: downloading github.com/alibabacloud-go/tea v1.1.18
go: downloading github.com/aliyun/credentials-go v1.2.3
go: downloading github.com/xanzy/go-gitlab v0.79.1
go: downloading k8s.io/api v0.23.5
go: downloading k8s.io/apimachinery v0.23.5
go: downloading k8s.io/client-go v0.23.5
go: downloading k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
go: downloading github.com/ThalesIgnite/crypto11 v1.2.5
go: downloading github.com/miekg/pkcs11 v1.1.1
go: downloading github.com/Azure/go-autorest/autorest/adal v0.9.21
go: downloading github.com/Azure/go-autorest/autorest/azure/cli v0.4.6
go: downloading github.com/Azure/go-autorest/logger v0.2.1
go: downloading github.com/dimchansky/utfbom v1.1.1
go: downloading github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading github.com/go-playground/locales v0.14.1
go: downloading github.com/golang/protobuf v1.5.3
go: downloading github.com/golang/snappy v0.0.4
go: downloading github.com/aws/aws-sdk-go-v2/credentials v1.13.20
go: downloading github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.2
go: downloading github.com/aws/aws-sdk-go-v2/internal/ini v1.3.33
go: downloading github.com/aws/aws-sdk-go-v2/service/sso v1.12.8
go: downloading github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.8
go: downloading github.com/aws/aws-sdk-go-v2/service/sts v1.18.9
go: downloading github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32
go: downloading github.com/jmespath/go-jmespath v0.4.0
go: downloading github.com/alibabacloud-go/endpoint-util v1.1.1
go: downloading github.com/alibabacloud-go/openapi-util v0.0.11
go: downloading github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4
go: downloading github.com/alibabacloud-go/tea-xml v1.1.2
go: downloading github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/google/go-github/v45 v45.2.0
go: downloading github.com/google/go-querystring v1.1.0
go: downloading golang.org/x/time v0.3.0
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/google/gofuzz v1.2.0
go: downloading github.com/imdario/mergo v0.3.12
go: downloading github.com/thales-e-security/pool v0.0.2
go: downloading github.com/Azure/go-autorest/tracing v0.6.0
go: downloading github.com/Azure/go-autorest/autorest/date v0.3.0
go: downloading github.com/golang-jwt/jwt/v4 v4.5.0
go: downloading github.com/google/go-github/v50 v50.0.0
go: downloading github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.26
go: downloading github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.26
go: downloading github.com/tjfoc/gmsm v1.3.2
go: downloading github.com/clbanning/mxj/v2 v2.5.6
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.2.1
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading github.com/googleapis/gnostic v0.5.5
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/v1.0 imports
	github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1.0: cannot find module providing package github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1.0

[asraa]

Included in #579