Cosign · CVE-2022-23649
**Name of the Vulnerable Software and Affected Versions**
Cosign versions prior to 1.5.2
**Description**
The vulnerability allows an attacker to manipulate Cosign into claiming that a signature has been recorded in the Rekor transparency log when it has not. Exploitation requires pull and push permissions for the signature in the OCI registry, and it applies both to standard signing with a keypair and to "keyless signing" with Fulcio. With that access, an attacker can make Cosign believe the entry was stored in Rekor even though it was not. The vulnerability has been patched in Cosign version 1.5.2: the `signature` in the `signedEntryTimestamp` provided by Rekor is now compared to the `signature` being verified, and verification returns an error if they do not match.
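As an added illustration, not Cosign's own code, the following Go snippet models the comparison the fix introduces: the signature recorded in the Rekor entry carried by the `dev.sigstore.cosign/bundle` annotation must equal the signature actually being verified, otherwise the bundle is rejected instead of being accepted as proof of inclusion. The `Bundle` and `rekorEntry` layouts and the `makeBundle` helper are assumptions for the demo, and verifying the SET itself against Rekor's public key is deliberately left out.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Bundle approximates the dev.sigstore.cosign/bundle annotation: Rekor's SET plus
// the log entry body it covers. Field names are an assumption, not Cosign's types.
type Bundle struct {
	SignedEntryTimestamp []byte
	Payload              struct{ Body string } // base64 JSON of the Rekor entry
}

// rekorEntry keeps only the hashedrekord field this check needs: spec.signature.content.
type rekorEntry struct {
	Spec struct{ Signature struct{ Content []byte `json:"content"` } `json:"signature"` } `json:"spec"`
}

// BundleCoversSignature is the check 1.5.2 added, in spirit: the signature recorded
// in the bundled Rekor entry must equal the signature being verified, so a bundle
// copied from another signature is rejected. Verifying the SET itself is a separate step.
func BundleCoversSignature(b Bundle, sigBeingVerified []byte) error {
	raw, err := base64.StdEncoding.DecodeString(b.Payload.Body)
	if err != nil {
		return fmt.Errorf("decode bundle body: %w", err)
	}
	var e rekorEntry
	if err := json.Unmarshal(raw, &e); err != nil {
		return fmt.Errorf("parse bundle body: %w", err)
	}
	if len(e.Spec.Signature.Content) == 0 || !bytes.Equal(e.Spec.Signature.Content, sigBeingVerified) {
		return fmt.Errorf("bundle signature does not match signature being verified")
	}
	return nil
}

// makeBundle builds a constructed bundle for the demo; the SET is a placeholder.
func makeBundle(sig []byte) Bundle {
	var e rekorEntry
	e.Spec.Signature.Content = sig
	raw, _ := json.Marshal(e)
	var b Bundle
	b.Payload.Body = base64.StdEncoding.EncodeToString(raw)
	b.SignedEntryTimestamp = []byte("constructed-SET")
	return b
}
```

Calling `BundleCoversSignature(makeBundle(sigA), sigA)` returns nil, while presenting the same bundle alongside a different signature returns the mismatch error, which is the behaviour a pre-1.5.2 verifier lacked.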
**Recommendations**
If you run a version prior to 1.5.2, upgrade to version 1.5.2 or later to resolve the issue. As a temporary workaround, restrict who can push and pull the signature in the OCI registry to minimize the risk of exploitation, and avoid relying on the `dev.sigstore.cosign/bundle` annotation in the signature image until the upgrade is in place.