x/vulndb: add reports/GO-2022-0379.yaml for GHSA-qq97-vm5h-rrhg

Fixes #379 Change-Id: I6367754867a8a3d1522df7b5cd400a24affea6fd Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/416557 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Tatiana Bradley <[email protected]> Run-TryBot: Damien Neil <[email protected]>
golang · Jul 29, 2022 · 8f81509 · 8f81509
1 parent 2fd71c9
commit 8f81509
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/reports/GO-2022-0379.yaml b/reports/GO-2022-0379.yaml
@@ -0,0 +1,22 @@
+packages:
+  - module: github.com/docker/distribution
+    symbols:
+      - UnmarshalManifest
+    versions:
+      - fixed: 2.8.0+incompatible
+    vulnerable_at: 2.7.1+incompatible
+description: |
+    Systems that rely on digest equivalence for image attestations may be
+    vulnerable to type confusion.
+
+    A maliciously crafted OCI Container Image can cause registry clients to
+    parse the same image in two different ways without modifying the image's
+    digest, invalidating the common pattern of relying on container image
+    digests for equivalence.
+
+    This problem has been addressed in newer versions by improving validation
+    in manifest unmarshaling.
+ghsas:
+  - GHSA-qq97-vm5h-rrhg
+links:
+    commit: https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586