From 74b714ba1a7377b8a381c07e772723e7ebcaac3d Mon Sep 17 00:00:00 2001 From: Vibhav Bobade Date: Wed, 6 May 2026 20:13:41 +0530 Subject: [PATCH] [GHSA-rmx9-2pp3-xhcr] Add multi-branch patch ranges for Tekton Pipelines VerificationPolicy regex pattern bypass via substring matching (CVE-2026-25542) was patched across five maintained LTS branches on April 21, 2026, but the OSV entry here collapses the fix into a single range. Users on patched LTS releases (v1.0.2, v1.3.4, v1.6.2, v1.9.3) are incorrectly flagged as vulnerable by dependency tooling. Updated to use one OSV range per branch so each patched version is recognized as fixed: v1.0.2, v1.3.4, v1.6.2, v1.9.3, v1.11.1. Source: https://github.com/tektoncd/pipeline/security/advisories/GHSA-rmx9-2pp3-xhcr --- .../GHSA-rmx9-2pp3-xhcr.json | 86 +++++++++++++++++-- 1 file changed, 81 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2026/04/GHSA-rmx9-2pp3-xhcr/GHSA-rmx9-2pp3-xhcr.json b/advisories/github-reviewed/2026/04/GHSA-rmx9-2pp3-xhcr/GHSA-rmx9-2pp3-xhcr.json index 107d10fd71a6e..b42bd345b40d9 100644 --- a/advisories/github-reviewed/2026/04/GHSA-rmx9-2pp3-xhcr/GHSA-rmx9-2pp3-xhcr.json +++ b/advisories/github-reviewed/2026/04/GHSA-rmx9-2pp3-xhcr/GHSA-rmx9-2pp3-xhcr.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-rmx9-2pp3-xhcr", - "modified": "2026-04-27T16:15:24Z", + "modified": "2026-05-05T10:00:00Z", "published": "2026-04-21T16:25:19Z", "aliases": [ "CVE-2026-25542" ], "summary": "Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching", - "details": "## Summary\n\nThe Trusted Resources verification system matches a resource source string (`refSource.URI`) against `spec.resources[].pattern` using Go's `regexp.MatchString`. In Go, `regexp.MatchString` reports a match if the pattern matches **anywhere** in the input string. As a result, common unanchored patterns—including examples found in Tekton documentation—can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. This may cause an unintended policy match and alter which verification mode or keys are applied.\n\n## Affected Component\n\n- **Repository:** \n- **Commit:** `0133513db03dadb3cb08301d6b0330badcb63830`\n- **Call site:** `pkg/trustedresources/verify.go:118–137` (`getMatchedPolicies`)\n\n## Impact\n\nAn attacker can craft a Trusted Resources source string that embeds a trusted substring and still matches an unanchored `VerificationPolicy` `spec.resources[].pattern`, even if the policy is intended to constrain matches to a specific trusted source. This occurs because `regexp.MatchString` succeeds on substring matches. 
For example, a pattern such as `https://github.com/tektoncd/catalog.git` would match an attacker-controlled source like `https://evil.com/?x=https://github.com/tektoncd/catalog.git`.\n\n**Affected:** Deployments using Trusted Resources verification with unanchored `VerificationPolicy` patterns, where an attacker can influence the `refSource.URI` value used for policy matching.\n\n**Not affected:** Deployments that anchor all patterns (`^...$`) or otherwise enforce full-string matching; deployments where attackers cannot influence `refSource.URI`.\n\n## Reproduction\n\n### Canonical (Demonstrates Vulnerability)\n\n```bash\nunzip -q -o poc.zip -d /tmp/poc-tekton-regex-001\ncd /tmp/poc-tekton-regex-001/poc-F-TEKTON-REGEX-001\nbash ./run.sh canonical | tee /tmp/tekton-regex-001-canonical.log\n```\n\n- **Expected (secure):** Capability not reached; canonical does not emit vulnerability markers.\n- **Actual (vulnerable):** Capability reached; canonical emits vulnerability markers.\n- **Canonical markers (mandatory):** `[CALLSITE_HIT]` + `[PROOF_MARKER]`\n\n### Negative Control\n\n```bash\nbash ./run.sh control | tee /tmp/tekton-regex-001-control.log\n```\n\n- **Expected:** Capability not reached under the same harness; control emits the control marker and does not emit vulnerability markers.\n- **Control markers (mandatory):** `[CALLSITE_HIT]` + `[NC_MARKER]`\n\n### Verification\n\n```bash\ngrep -n '\\[PROOF_MARKER\\]' /tmp/tekton-regex-001-canonical.log \\\n && grep -n '\\[NC_MARKER\\]' /tmp/tekton-regex-001-control.log \\\n && ! grep -n '\\[PROOF_MARKER\\]' /tmp/tekton-regex-001-control.log\n```\n\n## Suggested Fix\n\nIt is recommended to make matching safe-by-default by requiring full-string matches, or by validating patterns and clearly documenting substring semantics. Possible approaches include:\n\n1. **Anchor patterns before matching** — e.g., wrap `pattern` as `^(?:pattern)$` when not already anchored.\n2. **Introduce a separate field** for exact match vs. 
regex match semantics.\n3. **Document substring semantics explicitly** and update all documentation examples to include anchors.\n\nA fix is considered accepted when, under the same harness, the canonical test still hits `[CALLSITE_HIT]` but **does not** emit `[PROOF_MARKER]`.\n\n## Workarounds\n\nAnchor all `VerificationPolicy` resource patterns so they must match the full source string. For example:\n\n```yaml\npattern: \"^https://github\\\\.com/tektoncd/catalog\\\\.git$\"\n```\n\n## Proof Bundle\n\n- **Bundle:** [poc.zip](https://github.com/user-attachments/files/24833926/poc.zip)\n- **Convention:** The zip extracts under a single top-level folder (`poc-F-TEKTON-REGEX-001/`) to avoid collisions.\n- **Contains:** `canonical.log`, `control.log`, `witness.txt`\n- **Extracted paths:** `./poc/poc-F-TEKTON-REGEX-001/canonical.log`, `./poc/poc-F-TEKTON-REGEX-001/control.log`, `./poc/poc-F-TEKTON-REGEX-001/witness.txt`\n- **Integrity verification:** Compare `shasum -a 256` for `canonical.log`, `control.log`, `fix.patch`, and test source against `witness.txt`.\n\n> **Note:** If a supported integration uses verified HTTPS app-links or universal links only, provide the supported tag or branch and retesting on that pin can be arranged.", + "details": "## Summary\n\nThe Trusted Resources verification system matches a resource source string (`refSource.URI`) against `spec.resources[].pattern` using Go's `regexp.MatchString`. In Go, `regexp.MatchString` reports a match if the pattern matches **anywhere** in the input string. As a result, common unanchored patterns\u2014including examples found in Tekton documentation\u2014can be bypassed by attacker-controlled source strings that contain the trusted pattern as a substring. 
This may cause an unintended policy match and alter which verification mode or keys are applied.\n\n## Affected Component\n\n- **Repository:** \n- **Commit:** `0133513db03dadb3cb08301d6b0330badcb63830`\n- **Call site:** `pkg/trustedresources/verify.go:118\u2013137` (`getMatchedPolicies`)\n\n## Impact\n\nAn attacker can craft a Trusted Resources source string that embeds a trusted substring and still matches an unanchored `VerificationPolicy` `spec.resources[].pattern`, even if the policy is intended to constrain matches to a specific trusted source. This occurs because `regexp.MatchString` succeeds on substring matches. For example, a pattern such as `https://github.com/tektoncd/catalog.git` would match an attacker-controlled source like `https://evil.com/?x=https://github.com/tektoncd/catalog.git`.\n\n**Affected:** Deployments using Trusted Resources verification with unanchored `VerificationPolicy` patterns, where an attacker can influence the `refSource.URI` value used for policy matching.\n\n**Not affected:** Deployments that anchor all patterns (`^...$`) or otherwise enforce full-string matching; deployments where attackers cannot influence `refSource.URI`.\n\n## Reproduction\n\n### Canonical (Demonstrates Vulnerability)\n\n```bash\nunzip -q -o poc.zip -d /tmp/poc-tekton-regex-001\ncd /tmp/poc-tekton-regex-001/poc-F-TEKTON-REGEX-001\nbash ./run.sh canonical | tee /tmp/tekton-regex-001-canonical.log\n```\n\n- **Expected (secure):** Capability not reached; canonical does not emit vulnerability markers.\n- **Actual (vulnerable):** Capability reached; canonical emits vulnerability markers.\n- **Canonical markers (mandatory):** `[CALLSITE_HIT]` + `[PROOF_MARKER]`\n\n### Negative Control\n\n```bash\nbash ./run.sh control | tee /tmp/tekton-regex-001-control.log\n```\n\n- **Expected:** Capability not reached under the same harness; control emits the control marker and does not emit vulnerability markers.\n- **Control markers (mandatory):** `[CALLSITE_HIT]` + 
`[NC_MARKER]`\n\n### Verification\n\n```bash\ngrep -n '\\[PROOF_MARKER\\]' /tmp/tekton-regex-001-canonical.log \\\n && grep -n '\\[NC_MARKER\\]' /tmp/tekton-regex-001-control.log \\\n && ! grep -n '\\[PROOF_MARKER\\]' /tmp/tekton-regex-001-control.log\n```\n\n## Suggested Fix\n\nIt is recommended to make matching safe-by-default by requiring full-string matches, or by validating patterns and clearly documenting substring semantics. Possible approaches include:\n\n1. **Anchor patterns before matching** \u2014 e.g., wrap `pattern` as `^(?:pattern)$` when not already anchored.\n2. **Introduce a separate field** for exact match vs. regex match semantics.\n3. **Document substring semantics explicitly** and update all documentation examples to include anchors.\n\nA fix is considered accepted when, under the same harness, the canonical test still hits `[CALLSITE_HIT]` but **does not** emit `[PROOF_MARKER]`.\n\n## Workarounds\n\nAnchor all `VerificationPolicy` resource patterns so they must match the full source string. For example:\n\n```yaml\npattern: \"^https://github\\\\.com/tektoncd/catalog\\\\.git$\"\n```\n\n## Proof Bundle\n\n- **Bundle:** [poc.zip](https://github.com/user-attachments/files/24833926/poc.zip)\n- **Convention:** The zip extracts under a single top-level folder (`poc-F-TEKTON-REGEX-001/`) to avoid collisions.\n- **Contains:** `canonical.log`, `control.log`, `witness.txt`\n- **Extracted paths:** `./poc/poc-F-TEKTON-REGEX-001/canonical.log`, `./poc/poc-F-TEKTON-REGEX-001/control.log`, `./poc/poc-F-TEKTON-REGEX-001/witness.txt`\n- **Integrity verification:** Compare `shasum -a 256` for `canonical.log`, `control.log`, `fix.patch`, and test source against `witness.txt`.\n\n> **Note:** If a supported integration uses verified HTTPS app-links or universal links only, provide the supported tag or branch and retesting on that pin can be arranged.", "severity": [ { "type": "CVSS_V3", 
@@ -28,7 +28,83 @@ "introduced": "0.43.0" }, { - "fixed": "1.11.0" + "fixed": "1.0.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/tektoncd/pipeline" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.1.0" + }, + { + "fixed": "1.3.4" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/tektoncd/pipeline" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.4.0" + }, + { + "fixed": "1.6.2" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/tektoncd/pipeline" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.7.0" + }, + { + "fixed": "1.9.3" + } + ] + } + ] + }, + { + "package": { + "ecosystem": "Go", + "name": "github.com/tektoncd/pipeline" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.10.0" + }, + { + "fixed": "1.11.1" } ] } @@ -58,7 +134,7 @@ }, { "type": "WEB", - "url": "https://github.com/tektoncd/pipeline/releases/tag/v1.11.0" + "url": "https://github.com/tektoncd/pipeline/releases/tag/v1.11.1" } ], "database_specific": { @@ -70,4 +146,4 @@ "github_reviewed_at": "2026-04-21T16:25:19Z", "nvd_published_at": "2026-04-21T17:16:24Z" } -} \ No newline at end of file +}
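Review bot: In the first hunk (`@@ -1,13 +1,13 @@`), the only substantive change to `details` is re-escaping the literal em-dash and en-dash as `\u2014` / `\u2013`, which rewrites the entire multi-kilobyte string for no change in content and will be undone the next time the entry is regenerated from the upstream advisory; drop the `details` change and keep only the `modified` update, or, if the string is going to be touched anyway, fill the `- **Repository:** \n` bullet that is empty on both sides with the repository named in the commit message (`https://github.com/tektoncd/pipeline`). The new `"modified": "2026-05-05T10:00:00Z"` is a round, hand-chosen timestamp; if the database tooling stamps `modified` on merge, leave the original value in place rather than inventing one.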
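Review bot: In the `@@ -28,7 +28,83 @@` hunk, the original entry had `"fixed": "1.11.0"` and this patch changes the last branch to `"fixed": "1.11.1"` (with `"introduced": "1.10.0"`), while the commit message lists v1.11.1 as a patched release without saying that v1.11.0 is vulnerable; confirm against the upstream advisory that 1.11.0 really lacks the fix, otherwise the last range should stay at `"fixed": "1.11.0"`. The `introduced` boundaries `1.1.0`, `1.4.0`, `1.7.0` and `1.10.0` are also not stated anywhere in the commit message or the linked advisory; please cite where the branch boundaries come from, since a wrong boundary here either re-flags fixed patch releases (the problem this PR is fixing) or silently marks vulnerable minors as clean. Finally, the five repeated `package` blocks for `github.com/tektoncd/pipeline` are valid OSV, but the five-branch split is what the first `affected` entry's `ranges` array exists for; consider whether the database's convention is one `affected` entry per branch or one entry with five `ECOSYSTEM` ranges, and follow it consistently.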
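Review bot: In the `@@ -58,7 +134,7 @@` hunk, the release reference is changed from `releases/tag/v1.11.0` to `releases/tag/v1.11.1`, but no references are added for the other four patched releases (v1.0.2, v1.3.4, v1.6.2, v1.9.3) that this PR introduces as `fixed` events; add a `WEB` reference per patched tag so each range has a traceable source, and only drop the v1.11.0 URL if v1.11.0 is confirmed not to be a fix release (see the range hunk).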
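Review bot: In the last hunk (`@@ -70,4 +146,4 @@`), the `\ No newline at end of file` → `+}` change is whitespace-only and changes how the file was originally emitted; unless the repository's other advisory JSON files end with a newline, revert it so the diff stays limited to the range fix and is not flipped back by the next regeneration.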