Advisories for Golang/Github.com/Chainguard-Dev/Malcontent package

Several extraction and scanning code paths registered late defers which could leak resources and exhaust system resources. This report is an aggregate of these individual reports for the affected code: Advisory | Affected File – | – GHSA-jjgh-mc5q-gch7 | pkg/action/scan.go GHSA-mwmf-fxh2-w4x7 | pkg/archive/deb.go GHSA-p8j3-rpf5-gwv3 | pkg/archive/gzip.go GHSA-qfh4-7f5v-75gq | pkg/archive/zlib.go GHSA-wxxf-r586-5rf5 | pkg/archive/bzip2.go Fix: #1354, #1355, #1356, #1361 Acknowledgements Thank you to Oleh Konko from 1seal for discovering and reporting all …

Previously, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archives so that malcontent can attempt a best-effort scan of the archive bytes. Fix: https://github.com/chainguard-dev/malcontent/pull/1383 Acknowledgements malcontent thanks Oleh Konko from 1seal for discovering and reporting this issue.

malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The handleSymlink function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory.

Malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. Malcontent uses google/go-containerregistry for OCI image pulls, which by default uses the Docker credential keychain. A malicious registry could return a WWW-Authenticate header redirecting token authentication to an attacker-controlled endpoint, causing credentials to be sent to that endpoint. Fix: Default to anonymous auth for OCI pulls Acknowledgements Thank you to Oleh Konko …