Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security] (release-1.13) #315

Open
wants to merge 1 commit into
base: release-1.13
Choose a base branch
from
Open

chore(deps): update module github.com/go-jose/go-jose/v3 to v3.0.3 [security] (release-1.13) #315

wants to merge 1 commit into from

Conversation

phisco-renovate[bot]
Copy link

@phisco-renovate phisco-renovate bot commented Jul 26, 2024
edited
Loading

This PR contains the following updates:

Package Type Update Change
github.com/go-jose/go-jose/v3 indirect patch v3.0.0 -> v3.0.3

Decryption of malicious PBES2 JWE objects can consume unbounded system resources

GHSA-2c7c-3mj9-8fqh / GO-2023-2334

More information

Details

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Denial of service via decryption of malicious PBES2 JWE objects in github.com/go-jose/go-jose/v3

GHSA-2c7c-3mj9-8fqh / GO-2023-2334

More information

Details

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Decompression bomb vulnerability in github.com/go-jose/go-jose

CGA-9vf9-m4f8-6392 / CGA-9vg5-h493-cxr7 / CGA-chh8-vhg4-2qj7 / CGA-g5hx-8r47-pf39 / CGA-hmfp-f3v3-528v / CGA-hrqx-74pg-5m88 / CGA-m474-c57g-8945 / CGA-r356-23m2-5p37 / CGA-v3wf-pwmr-vcw5 / CGA-w52c-j6q8-cf23 / CGA-w7jq-8v28-882j / CVE-2024-28180 / GHSA-c5q2-7r4c-mv6g / GO-2024-2631

More information

Details

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)

CGA-9vf9-m4f8-6392 / CGA-9vg5-h493-cxr7 / CGA-chh8-vhg4-2qj7 / CGA-g5hx-8r47-pf39 / CGA-hmfp-f3v3-528v / CGA-hrqx-74pg-5m88 / CGA-m474-c57g-8945 / CGA-r356-23m2-5p37 / CGA-v3wf-pwmr-vcw5 / CGA-w52c-j6q8-cf23 / CGA-w7jq-8v28-882j / CVE-2024-28180 / GHSA-c5q2-7r4c-mv6g / GO-2024-2631

More information

Details

Impact

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@​zer0yu and @​chenjj) for reporting.

Patches

The problem is fixed in the following packages and versions:

  • github.com/go-jose/go-jose/v4 version 4.0.1
  • github.com/go-jose/go-jose/v3 version 3.0.3
  • gopkg.in/go-jose/go-jose.v2 version 2.6.3

The problem will not be fixed in the following package because the package is archived:

  • gopkg.in/square/go-jose.v2

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

go-jose/go-jose (github.com/go-jose/go-jose/v3)

v3.0.3: Version 3.0.3

Compare Source

Fixed

  • Limit decompression output size to prevent a DoS. Backport from v4.0.1.

v3.0.2

Compare Source

Fixed

  • DecryptMulti: handle decompression error (#​19)

Changed

  • jwe/CompactSerialize: improve performance (#​67)
  • Increase the default number of PBKDF2 iterations to 600k (#​48)
  • Return the proper algorithm for ECDSA keys (#​45)

Added

  • Add Thumbprint support for opaque signers (#​38)

v3.0.1

Compare Source

Fixed

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@phisco-renovate
Copy link
Author

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.mod
Command failed: install-tool golang $(grep -oP "^toolchain go\K.+" go.mod)
File name: go.mod
Command failed: make generate
go: downloading golang.org/x/sys v0.17.0
go: downloading golang.org/x/term v0.17.0
go: downloading github.com/docker/docker v24.0.4+incompatible
go: downloading github.com/go-jose/go-jose/v3 v3.0.3
go: downloading golang.org/x/crypto v0.19.0
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xa07b8f]

goroutine 152 [running]:
go/types.(*Checker).handleBailout(0xc001a98200, 0xc000c37d40)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/check.go:367 +0x88
panic({0xbbe580?, 0x12a74b0?})
	/opt/containerbase/tools/golang/1.22.5/src/runtime/panic.go:770 +0x132
go/types.(*StdSizes).Sizeof(0x0, {0xdb81d8, 0x12afc80})
	/opt/containerbase/tools/golang/1.22.5/src/go/types/sizes.go:228 +0x30f
go/types.(*Config).sizeof(...)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/sizes.go:333
go/types.representableConst.func1({0xdb81d8?, 0x12afc80?})
	/opt/containerbase/tools/golang/1.22.5/src/go/types/const.go:76 +0x9e
go/types.representableConst({0xdbe530, 0x127ac80}, 0xc001a98200, 0x12afc80, 0x0)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/const.go:92 +0x192
go/types.(*Checker).arrayLength(0xc001a98200, {0xdbc7d8, 0xc001a81440?})
	/opt/containerbase/tools/golang/1.22.5/src/go/types/typexpr.go:510 +0x2d3
go/types.(*Checker).typInternal(0xc001a98200, {0xdbadf8, 0xc001a82c60}, 0x0)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/typexpr.go:299 +0x49d
go/types.(*Checker).definedType(0xc001a98200, {0xdbadf8, 0xc001a82c60}, 0xc000c37328?)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/typexpr.go:180 +0x37
go/types.(*Checker).varType(0xc001a98200, {0xdbadf8, 0xc001a82c60})
	/opt/containerbase/tools/golang/1.22.5/src/go/types/typexpr.go:145 +0x25
go/types.(*Checker).structType(0xc001a98200, 0xc001aa0360, 0xc001aa0360?)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/struct.go:113 +0x19f
go/types.(*Checker).typInternal(0xc001a98200, {0xdbad68, 0xc001847c08}, 0xc001a9b680)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/typexpr.go:316 +0x1345
go/types.(*Checker).definedType(0xc001a98200, {0xdbad68, 0xc001847c08}, 0xc8786d?)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/typexpr.go:180 +0x37
go/types.(*Checker).typeDecl(0xc001a98200, 0xc001a9b680, 0xc001a8a400, 0x0)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/decl.go:615 +0x44d
go/types.(*Checker).objDecl(0xc001a98200, {0xdc3a80, 0xc001a9b680}, 0x0)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/decl.go:197 +0xa7f
go/types.(*Checker).packageObjects(0xc001a98200)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/resolver.go:681 +0x425
go/types.(*Checker).checkFiles(0xc001a98200, {0xc001858ee8, 0x3, 0x3})
	/opt/containerbase/tools/golang/1.22.5/src/go/types/check.go:408 +0x1a5
go/types.(*Checker).Files(...)
	/opt/containerbase/tools/golang/1.22.5/src/go/types/check.go:372
sigs.k8s.io/controller-tools/pkg/loader.(*loader).typeCheck(0xc0002ad440, 0xc0002197e0)
	/home/ubuntu/go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/loader.go:286 +0x36a
sigs.k8s.io/controller-tools/pkg/loader.(*Package).NeedTypesInfo(0xc0002197e0)
	/home/ubuntu/go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/loader.go:99 +0x39
sigs.k8s.io/controller-tools/pkg/loader.(*TypeChecker).check(0xc00081b140, 0xc0002197e0)
	/home/ubuntu/go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/refs.go:268 +0x2b7
sigs.k8s.io/controller-tools/pkg/loader.(*TypeChecker).check.func1(0x4a?)
	/home/ubuntu/go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/refs.go:262 +0x53
created by sigs.k8s.io/controller-tools/pkg/loader.(*TypeChecker).check in goroutine 123
	/home/ubuntu/go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/refs.go:260 +0x1c5
exit status 2
apis/generate.go:45: running "go": exit status 1
make[1]: *** [build/makelib/golang.mk:240: go.generate] Error 1
make: *** [build/makelib/common.mk:434: generate] Error 2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
automated
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants