Bug 1921286 (CVE-2021-21272) - CVE-2021-21272 oras: zip-slip vulnerability via oras-pull
Summary: CVE-2021-21272 oras: zip-slip vulnerability via oras-pull
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-21272
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1927753 1927754 1927755 1927756 1927757 1927758 1927759 1927760 1927761 1927762 1927764 1927765 1927766 1927767 1927768 1927769 1930206 1930207 1930208 1930209 1930210 1930235 1930237 1930771 1930772 1930774 1983981
Blocks: 1921287
Reported: 2021-01-27 20:47 UTC by Pedro Sampaio
Modified: 2022-02-16 04:55 UTC
CC List: 41 users

Fixed In Version: github.com/deislabs/oras 0.9.0
Clone Of:
Environment:
Last Closed: 2021-08-06 01:06:57 UTC
Embargoed:

Links:
  Red Hat Product Errata RHSA-2021:3016 (last updated 2021-08-06 00:50:02 UTC)

Description Pedro Sampaio 2021-01-27 20:47:42 UTC
ORAS is open source software that provides a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory, where the tarball can contain symbolic links and hard links. A well-crafted tarball or tarballs allows malicious artifact providers to link, write, or overwrite specific files on the host filesystem outside of the user-specified directory unexpectedly, with the same permissions as the user who runs `oras pull`.

Users of the affected versions are impacted if they are `oras` CLI users who run `oras pull`, or if they are Go programs that invoke `github.com/deislabs/oras/pkg/content.FileStore`.

The problem has been fixed in version 0.9.0. For `oras` CLI users, there are no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore` and to use other content stores instead, or to pull from a trusted artifact provider.

References:

https://github.com/deislabs/oras/commit/96cd90423303f1bb42bd043cb4c36085e6e91e8e
https://github.com/deislabs/oras/releases/tag/v0.9.0
https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx
https://pkg.go.dev/github.com/deislabs/oras/pkg/oras
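
The description above names three ways a pulled tarball can escape the user-specified directory: a member name containing "..", a symbolic link whose target points above the extraction root, and a hard link whose target does. The Go program below is an added illustration of the checks a tar extractor needs to stop all three; it is not the ORAS fix (see the linked commit for that) and not code from this bug report. The names `safeJoin`, `extractTarGz`, `buildTarGz` and `entry`, and the sample member names, are assumptions made for the example; the archives it extracts are constructed in memory so it runs offline.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape marks a member whose name or link target resolves outside dest.
var ErrEscape = errors.New("tar entry escapes destination directory")

// safeJoin resolves an archive-relative path under root, rejecting absolute
// paths and anything still above root once ".." segments are cleaned.
func safeJoin(root, name string) (string, error) {
	p := filepath.Join(root, name) // Join cleans "a/../../b" before the check
	rel, err := filepath.Rel(root, p)
	if filepath.IsAbs(name) || err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrEscape, name)
	}
	return p, nil
}

// extractTarGz unpacks a .tar.gz into dest. A member is created only if its
// name and, for symlinks and hard links, its target stay inside dest; the first
// offending member aborts extraction with an error wrapping ErrEscape.
func extractTarGz(r io.Reader, dest string) (created []string, err error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return created, nil
		}
		if err != nil {
			return created, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err == nil {
			err = os.MkdirAll(filepath.Dir(target), 0o755) // parent must exist for every type
		}
		if err != nil {
			return created, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		case tar.TypeSymlink:
			// The OS resolves a symlink target relative to the link's own directory, so check it
			// from there. Absolute targets are refused up front: filepath.Join would quietly
			// turn "/etc/passwd" into the relative "etc/passwd".
			if filepath.IsAbs(hdr.Linkname) {
				err = fmt.Errorf("%w: absolute symlink target %q", ErrEscape, hdr.Linkname)
			} else if _, err = safeJoin(dest, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)); err == nil {
				err = os.Symlink(hdr.Linkname, target)
			}
		case tar.TypeLink: // hard link target is an archive-relative name: check it like a member name
			var src string
			if src, err = safeJoin(dest, hdr.Linkname); err == nil {
				err = os.Link(src, target)
			}
		default:
			err = fmt.Errorf("unsupported entry type %q for %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return created, err
		}
		created = append(created, target)
	}
}

// entry is one member of a constructed sample archive (test data, not real ORAS output).
type entry struct {
	name, link, body string
	typ              byte
}

// buildTarGz writes entries into an in-memory .tar.gz so the example runs offline.
func buildTarGz(entries []entry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Typeflag: e.typ, Linkname: e.link, Mode: 0o644, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "oras-safe-")
	defer os.RemoveAll(dest)
	// Constructed attack: a symlink pointing above dest, then a file written through it.
	evil := buildTarGz([]entry{
		{name: "sub", typ: tar.TypeSymlink, link: "../.."},
		{name: "sub/.bashrc", typ: tar.TypeReg, body: "echo pwned\n"},
	})
	_, err := extractTarGz(bytes.NewReader(evil), dest)
	fmt.Println("constructed malicious archive:", err)
}
```

The check is purely lexical, which is enough for what the archive itself can introduce but says nothing about links that already exist under dest before extraction starts; extract into a fresh, empty directory so a pre-existing symlink cannot be used as a parent component. On Go 1.20 and later, `filepath.IsLocal` performs the same "not absolute, not climbing above the root" test that `safeJoin` spells out by hand. A production extractor should also bound member sizes and counts, which this example leaves out.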

Comment 14 Stoyan Nikolov 2021-02-23 11:34:33 UTC
Statement:

A vulnerable version of github.com/deislabs/oras package is delivered in listed OpenShift Container Platform (OCP) and OpenShift Container Storage components, but the vulnerable code is not invoked, therefore these components are affected but with impact Low.

Comment 15 Sam Fowler 2021-04-29 05:38:51 UTC
External References:

https://github.com/deislabs/oras/security/advisories/GHSA-g5v4-5x39-vwhx

Comment 19 errata-xmlrpc 2021-08-06 00:49:59 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 20 Product Security DevOps Team 2021-08-06 01:06:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21272

