
List:       oss-security
Subject:    [oss-security] CVE-2021-41190 OCI distribution and image spec: "content-type" confusion
From:       Vincent Batts <vbatts () hashbangbash ! com>
Date:       2021-11-19 15:18:20
Message-ID: 20211119151820.cge3zrsfcsh4y4go () sshbastion


Severity: MEDIUM (moderate in GitHub GHSA)

Description:

The specifications themselves needed additional clarification so that
implementations of container registries, and the clients that parse data
received from registries, can have more securely defined behavior.

The undefined behavior this advisory addresses is a "type confusion"
where a JSON document for a container's manifest could masquerade as
both an image-index or a manifest without modification to the digest,
relying only on the HTTP `Content-type` header provided by the registry.

This behavior would have been mitigated by the presence of the
`mediaType` field in these JSON documents. As such, a notable but
non-breaking change introduced in these releases is un-reserving the
`mediaType` field for use, and actively encouraging its use.

Advisory links:
- https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
- https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190
- https://groups.google.com/a/opencontainers.org/g/dev/c/ugWJ5ujnqV8/m/Yot9yHkGAAAJ

Release links:
- https://github.com/opencontainers/distribution-spec/releases/tag/v1.0.1
- https://github.com/opencontainers/image-spec/releases/tag/v1.0.2

Workarounds:

Software attempting to deserialize an ambiguous document may reject the
document if it contains both "manifests" and "layers" fields or
"manifests" and "config" fields.

Expect releases of container clients that can fetch from registries, as
well as registries themselves.



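The workaround above (reject a document that carries both "manifests" and "layers", or "manifests" and "config") and the `mediaType` recommendation can be turned into a small validation step on the client side. The following is an added example, not code from the advisory, the oss-security post, or the OCI projects: the function names (`classify_oci_document`, `is_rejected`), the exception class, and the sample documents are all constructed here. The two media type constants are the real OCI manifest and index media types, which the advisory does not quote but which are well known. The check classifies a document from its structure first, treats an embedded `mediaType` as authoritative when present, and only then cross-checks the HTTP `Content-Type` header, so the header alone can never decide how the bytes are interpreted.

```python
import json
from typing import Optional

# Real OCI media types (known values; they are not quoted in the advisory itself).
MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"
INDEX_TYPE = "application/vnd.oci.image.index.v1+json"

EXPECTED_TYPE = {"manifest": MANIFEST_TYPE, "index": INDEX_TYPE}


class AmbiguousDocument(ValueError):
    """Raised when a document could be read as more than one kind of object."""


def classify_oci_document(raw: bytes, content_type: Optional[str] = None) -> str:
    """Return "manifest" or "index" for a JSON document fetched from a registry.

    Raises AmbiguousDocument when the document mixes index and manifest fields,
    when its embedded mediaType contradicts its structure, or when the
    registry's Content-Type header contradicts both.
    """
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise AmbiguousDocument("top-level JSON value is not an object")

    has_manifests = "manifests" in doc
    has_manifest_fields = "layers" in doc or "config" in doc

    # Workaround from the advisory: a document must not carry both kinds of fields.
    if has_manifests and has_manifest_fields:
        raise AmbiguousDocument("document has both index and manifest fields")
    if has_manifests:
        structural_kind = "index"
    elif has_manifest_fields:
        structural_kind = "manifest"
    else:
        raise AmbiguousDocument("document has neither index nor manifest fields")

    # The embedded mediaType, when present, must agree with the structure.
    declared = doc.get("mediaType")
    if declared is not None and declared != EXPECTED_TYPE[structural_kind]:
        raise AmbiguousDocument(
            f"mediaType {declared!r} does not match {structural_kind} structure"
        )

    # The HTTP header is cross-checked last; it never decides on its own.
    if content_type is not None:
        header_type = content_type.split(";", 1)[0].strip().lower()
        if header_type != EXPECTED_TYPE[structural_kind]:
            raise AmbiguousDocument(
                f"Content-Type {header_type!r} does not match {structural_kind} body"
            )
    return structural_kind


def is_rejected(raw: bytes, content_type: Optional[str] = None) -> bool:
    """True when the validator refuses the document, False when it classifies it."""
    try:
        classify_oci_document(raw, content_type)
    except AmbiguousDocument:
        return True
    return False


# Constructed sample documents (digests and sizes are placeholders, not real content).
_DIGEST = "sha256:" + "0" * 64
INDEX_DOC = json.dumps({
    "schemaVersion": 2,
    "mediaType": INDEX_TYPE,
    "manifests": [{"mediaType": MANIFEST_TYPE, "digest": _DIGEST, "size": 1}],
}).encode()
MANIFEST_DOC = json.dumps({
    "schemaVersion": 2,
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": _DIGEST, "size": 1},
    "layers": [],
}).encode()
# Ambiguous: parses as an index or as a manifest depending only on the header.
AMBIGUOUS_DOC = json.dumps({
    "schemaVersion": 2,
    "manifests": [{"mediaType": MANIFEST_TYPE, "digest": _DIGEST, "size": 1}],
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": _DIGEST, "size": 1},
    "layers": [],
}).encode()

if __name__ == "__main__":
    for name, doc, header in [("index", INDEX_DOC, INDEX_TYPE),
                              ("manifest", MANIFEST_DOC, MANIFEST_TYPE),
                              ("ambiguous", AMBIGUOUS_DOC, INDEX_TYPE)]:
        print(name, "rejected" if is_rejected(doc, header) else "accepted")
```

Because the digest covers the JSON bytes and not the HTTP header, a registry (or anything able to alter the response) could previously steer a client between the index and manifest code paths without changing the content address; the check above makes that choice a property of the signed bytes again, and a mismatching header becomes a detectable error rather than a silent reinterpretation.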
