Date: Fri, 19 Nov 2021 10:18:20 -0500 From: Vincent Batts <vbatts@...hbangbash.com> To: oss-security@...ts.openwall.com Subject: CVE-2021-41190 OCI distribution and image spec: "content-type" confusion Severity: MEDIUM (moderate in Github GHSA) Description: The specifications themselves needed additional clarification so that implementations of container registries, and the clients that parse data received from registries can have more securely defined behavior. The undefined behavior this advisory addresses is a "type confusion" where a JSON document for a container's manifest could masquerade as both an image-index or a manifest without modification to the digest, relying only on the HTTP `Content-type` header provided by the registry. This behavior would have been mitigated by the presence of the `mediaType` field in these JSON documents. As such a notable, but non-breaking change introduced in these releases is un-reserving the `mediaType` field for use, and actively encouraging it's use. Advisory links: - https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m - https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190 - https://groups.google.com/a/opencontainers.org/g/dev/c/ugWJ5ujnqV8/m/Yot9yHkGAAAJ Release links: - https://github.com/opencontainers/distribution-spec/releases/tag/v1.0.1 - https://github.com/opencontainers/image-spec/releases/tag/v1.0.2 Workarounds: Software attempting to deserialize an ambiguous document may reject the document if it contains both “manifests” and “layers” fields or “manifests” and “config” fields. Expect releases of container clients that can fetch from registries, as well as registries themselves. Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.