Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tNW0zLTQ2Z2otd2NoOM4AAvLn

SIF's Digital Signature Hash Algorithms Not Validated

Impact

The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

Patches

A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.

The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa

Workarounds

Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

• CVE-2004-2761
• CVE-2005-4900

For more information

If you have any questions or comments about this advisory:

• Open an issue in github.com/sylabs/sif
• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-m5m3-46gj-wch8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNW0zLTQ2Z2otd2NoOM4AAvLn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago

CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS Percentage: 0.00212
EPSS Percentile: 0.5872

Identifiers: GHSA-m5m3-46gj-wch8, CVE-2022-39237
References:

• https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
• https://nvd.nist.gov/vuln/detail/CVE-2022-39237
• https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa
• https://github.com/sylabs/sif/releases/tag/v2.8.1
• https://nvd.nist.gov/vuln/detail/cve-2004-2761
• https://nvd.nist.gov/vuln/detail/cve-2005-4900
• https://security.gentoo.org/glsa/202210-19
• https://pkg.go.dev/vuln/GO-2022-1045
• https://github.com/advisories/GHSA-m5m3-46gj-wch8

Repository: https://github.com/sylabs/sif
Blast Radius: 16.7

Affected Packages