skopeo-1.14.3-2.el9

Errata ID: AXSA:2024-8078:02

Release date: Friday, May 31, 2024 - 19:53
Subject: skopeo-1.14.3-2.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.

Security Fix(es):

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)

Bug Fix(es):

* TRIAGE CVE-2024-24786 skopeo: golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON [rhel-9] - RHEL 9.4 0day (JIRA:RHEL-28235)
* skopeo: jose-go: improper handling of highly compressed data [rhel-9] (JIRA:RHEL-28736)

CVE-2024-24786
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-28180
Package jose aims to provide an implementation of the JavaScript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. skopeo-1.14.3-2.el9.src.rpm
    MD5: 58e4bb13f2785a23669f3a3c6c332896
    SHA-256: a734c2c19df0eb95223eedac84a6a08b56f65f57db3a7acd57683b67875fd4d8
    Size: 9.98 MB

Asianux Server 9 for x86_64
  1. skopeo-1.14.3-2.el9.x86_64.rpm
    MD5: 1221dc327f11a6ffc1697b5c35626617
    SHA-256: b284e1a6b09b23b3e62eb9611787db4131e8d476e05d604d4cdd33bed62f84a1
    Size: 8.55 MB
  2. skopeo-tests-1.14.3-2.el9.x86_64.rpm
    MD5: c35b36308c7690f5cc67ef3e52d79b6e
    SHA-256: 425bda769be3d3f3ba2837d7c627fc905dc9db9b4abef9d6bce8d32b701ab039
    Size: 760.45 kB