Bug 2196656 (CVE-2023-30551)

Summary: CVE-2023-30551 rekor: compressed archives can result in OOM conditions
Product: [Other] Security Response
Reporter: juneau
Component: vulnerability
Assignee: Sayan Biswas <sabiswas>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: apjagtap, asatyam, bdettelb, dfreiber, dhanak, diagrawa, dsimansk, dymurray, jburrell, jmatthew, kshier, kverlaen, lball, matzew, mnovotny, nweather, rguimara, rhuss, rjohnson, rogbas, skontopo, stcannon, vkumar, whayutin, yguenane
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: rekor 1.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Rekor. Versions prior to 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing an APK file submitted to Rekor can also cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.
Bug Blocks: 2196653

Description juneau 2023-05-09 18:16:45 UTC
CVE-2023-30551:

Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.

Reference:
https://github.com/sigstore/rekor/security/advisories/GHSA-2h5h-59f5-c5x9

Upstream patch:
https://github.com/sigstore/rekor/commit/cf42ace82667025fe128f7a50cf6b4cdff51cc48
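As an added illustration, not Rekor's code or the upstream patch above, the following Go routine applies the mitigation the advisory describes, checking an archive entry's declared size before reading it into memory and capping the read itself so a forged zip header cannot bypass the check, against a constructed JAR. The names readEntryBounded, manifestEntry and ErrEntryTooLarge and the 1024-byte cap are assumptions for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrEntryTooLarge = errors.New("archive entry exceeds size limit")

// readEntryBounded reads one zip entry into memory, refusing anything above maxBytes.
// The declared size is checked first; the read is capped anyway because the size in a
// zip header is under the submitter's control and may be forged.
func readEntryBounded(f *zip.File, maxBytes int64) ([]byte, error) {
	if f.UncompressedSize64 > uint64(maxBytes) {
		return nil, fmt.Errorf("%s declares %d bytes: %w", f.Name, f.UncompressedSize64, ErrEntryTooLarge)
	}
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	data, err := io.ReadAll(io.LimitReader(rc, maxBytes+1)) // one extra byte exposes a lying header
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, fmt.Errorf("%s is larger than declared: %w", f.Name, ErrEntryTooLarge)
	}
	return data, nil
}

// manifestEntry builds an in-memory JAR holding one META-INF/MANIFEST.MF entry of the
// given size and returns that entry (constructed test data, not a real artifact).
func manifestEntry(size int) *zip.File {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("META-INF/MANIFEST.MF")
	w.Write(bytes.Repeat([]byte("A"), size))
	zw.Close()
	zr, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return zr.File[0]
}

func main() {
	_, err := readEntryBounded(manifestEntry(4096), 1024) // hypothetical 1024-byte cap
	fmt.Println(err)
}
```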

Comment 6 errata-xmlrpc 2023-11-21 11:28:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:7323 https://access.redhat.com/errata/RHSA-2023:7323

Comment 7 errata-xmlrpc 2024-02-27 20:49:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198