Bug 1202157 (CVE-2022-35929) - VUL-0: CVE-2022-35929: cosign: possible false positive verification if any attestation exists
Summary: VUL-0: CVE-2022-35929: cosign: possible false positive verification if any at...
Status: RESOLVED FIXED
Alias: CVE-2022-35929
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Minor
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/338919/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-35929:6.2:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-05 06:29 UTC by Robert Frohl
Modified: 2024-06-05 13:36 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2022-08-05 06:29:26 UTC
CVE-2022-35929

cosign is a container signing and verification utility. In versions prior to
1.10.1 cosign can report a false positive if any attestation exists. `cosign
verify-attestation` used with the `--type` flag will report a false positive
verification when there is at least one attestation with a valid signature and
there are NO attestations of the type being verified (--type defaults to
"custom"). This can happen when signing with a standard keypair and with
"keyless" signing with Fulcio. This vulnerability can be reproduced with the
`distroless.dev/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`
image. This image has a `vuln` attestation but not an `spdx` attestation.
However, if you run `cosign verify-attestation --type=spdx` on this image, it
incorrectly succeeds. This issue has been addressed in version 1.10.1 of cosign.
Users are advised to upgrade. There are no known workarounds for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35929
https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94
https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296
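The logic flaw the advisory describes (a verifier that requires "at least one valid signature" and then filters by predicate type without checking that the filter left anything) can be modelled in a few lines. The following Go program is an added example written for this bug page; it is not cosign's code and does not reproduce its internals. The `Attestation` type, `VerifyVulnerable` and `VerifyFixed` are constructed stand-ins that keep only the two facts that matter here: whether an attestation's signature verified, and what predicate type it carries. The sample input mirrors the scenario in the description: one valid `vuln` attestation and no `spdx` attestation.

```go
package main

import (
	"errors"
	"fmt"
)

// Attestation is a constructed, simplified stand-in for a signed in-toto
// attestation: only the predicate type and the outcome of signature
// verification matter for this example. These are not cosign's own types.
type Attestation struct {
	PredicateType string // e.g. "vuln", "spdx", "custom"
	SigValid      bool   // true if the envelope signature verified
}

// VerifyVulnerable models the flawed flow: verify signatures over all
// attestations, require at least one good signature, then filter by the
// requested predicate type. Nothing checks that the filter kept anything,
// so an image with only a valid "vuln" attestation "passes" for --type=spdx.
func VerifyVulnerable(atts []Attestation, wantType string) ([]Attestation, error) {
	var verified []Attestation
	for _, a := range atts {
		if a.SigValid {
			verified = append(verified, a)
		}
	}
	if len(verified) == 0 {
		return nil, errors.New("no valid attestation signatures found")
	}
	var matching []Attestation
	for _, a := range verified {
		if a.PredicateType == wantType {
			matching = append(matching, a)
		}
	}
	// BUG: matching may be empty here, yet err is nil (a false positive).
	return matching, nil
}

// VerifyFixed is the hardened form: success requires at least one
// attestation that both verified and carries the requested predicate type.
// An empty result is an error, not a pass.
func VerifyFixed(atts []Attestation, wantType string) ([]Attestation, error) {
	var matching []Attestation
	for _, a := range atts {
		if a.SigValid && a.PredicateType == wantType {
			matching = append(matching, a)
		}
	}
	if len(matching) == 0 {
		return nil, fmt.Errorf("no verified attestations of type %q found", wantType)
	}
	return matching, nil
}

func main() {
	// Constructed input mirroring the advisory's scenario: one valid "vuln"
	// attestation and no "spdx" attestation.
	atts := []Attestation{{PredicateType: "vuln", SigValid: true}}

	got, err := VerifyVulnerable(atts, "spdx")
	fmt.Printf("vulnerable: matched=%d err=%v\n", len(got), err) // matched=0 err=<nil>: false positive

	_, err = VerifyFixed(atts, "spdx")
	fmt.Printf("fixed:      err=%v\n", err) // rejects: no verified spdx attestation

	got, err = VerifyFixed(atts, "vuln")
	fmt.Printf("fixed:      matched=%d err=%v\n", len(got), err) // matched=1 err=<nil>
}
```

The design point for anyone writing a policy check on top of attestation verification: treat "zero matching attestations" as a failure in its own right, separate from "signature invalid". A verifier whose success path can return an empty set with a nil error will be read by callers as a pass, which is exactly the false positive this CVE describes.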
Comment 1 Robert Frohl 2022-08-05 06:44:59 UTC
tracking as affected

- SUSE:SLE-15-SP4:Update/cosign
Comment 3 OBSbugzilla Bot 2022-08-05 16:40:10 UTC
This is an autogenerated message for OBS integration:
This bug (1202157) was mentioned in
https://build.opensuse.org/request/show/993342 Factory / cosign
Comment 4 Swamp Workflow Management 2022-08-23 16:17:59 UTC
SUSE-SU-2022:2877-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (important)
Bug References: 1202157
CVE References: CVE-2022-35929
JIRA References: SLE-23879
Sources used:
openSUSE Leap 15.4 (src):    cosign-1.10.1-150400.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    cosign-1.10.1-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Alexander Bergmann 2024-06-05 13:36:33 UTC
Fixed and released.