CVE-2024-51491: 
Chainguard vulnerability analysis and mitigation

notion-go is a collection of libraries for supporting sign and verify OCI artifacts based on Notary Project specifications. The vulnerability (CVE-2024-51491) was identified during Quarkslab's security audit of the Certificate Revocation List (CRL) based revocation check feature. The issue affects versions up to 1.3.0-rc.1 and has been patched in version 1.3.0-rc.2. The vulnerability was discovered when notation-go attempts to update the CRL cache using the os.Rename method, which can fail due to operating system-specific limitations when source and destination paths are on different mount points (GitHub Advisory).

The vulnerability occurs in the crl.(*FileCache).Set method, where a temporary file is created in the OS dedicated area (like /tmp for Linux/Unix systems). The file is then attempted to be moved to the dedicated notation cache directory using os.Rename. According to Go documentation and Linux libc specifications, moving a file to a different mountpoint raises an EXDEV error (Cross device link not permitted). This becomes particularly problematic on Linux distributions like RedHat that use a dedicated filesystem (tmpfs) mounted on a specific mountpoint for temporary files (GitHub Advisory, Linux Manual).

When the vulnerability is triggered, the signature verification process is aborted as the process crashes. This occurs specifically when using operating systems that have separate mount points for temporary files, and when performing revocation checks based on CRL (GitHub Advisory).

The issue has been addressed in version 1.3.0-rc.2. The fix involves modifying the cache file handling process so that files are created, written, then copied to the final location, and finally removed. Additionally, the error handling has been improved to prevent crashes and allow the program to continue execution properly. Users are advised to upgrade to version 1.3.0-rc.2 or later (GitHub Advisory).