Bug 2196656 (CVE-2023-30551) - CVE-2023-30551 rekor: compressed archives can result in OOM conditions
Summary: CVE-2023-30551 rekor: compressed archives can result in OOM conditions
Keywords:
Status: NEW
Alias: CVE-2023-30551
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2196653
Reported: 2023-05-09 18:16 UTC by juneau
Modified: 2023-08-10 18:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Rekor. Versions prior to 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing an APK file submitted to Rekor can also cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description juneau 2023-05-09 18:16:45 UTC
CVE-2023-30551:

Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.

Reference:
https://github.com/sigstore/rekor/security/advisories/GHSA-2h5h-59f5-c5x9

Upstream patch:
https://github.com/sigstore/rekor/commit/cf42ace82667025fe128f7a50cf6b4cdff51cc48
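The flaw described above is a missing size check before archive metadata is read into memory. As an added example (not Rekor's code and not the upstream patch), the Go snippet below reads the META-INF/ entries of a JAR but caps how much of any entry it will buffer, rejecting an oversized entry instead of allocating for it; the function names, the cap value and the in-memory zip fixture are all assumptions of this example. The same bounded-read pattern applies to the .SIGN and .PKGINFO entries of an APK.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"io"
	"strings"
)

// ErrEntryTooLarge is returned for a META-INF entry larger than the cap.
var ErrEntryTooLarge = errors.New("archive entry exceeds size limit")
// readMetaInfBounded reads each META-INF/ entry of an in-memory JAR (zip) but buffers
// at most maxBytes of any entry; header-declared sizes are untrusted, so a LimitReader guards.
func readMetaInfBounded(jar []byte, maxBytes int64) (map[string][]byte, error) {
	r, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte)
	for _, f := range r.File {
		if !strings.HasPrefix(f.Name, "META-INF/") || f.FileInfo().IsDir() {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// Read one byte past the cap so "at the cap" and "over the cap" differ.
		data, err := io.ReadAll(io.LimitReader(rc, maxBytes+1))
		rc.Close()
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > maxBytes {
			return nil, ErrEntryTooLarge
		}
		out[f.Name] = data
	}
	return out, nil
}
// buildJar writes a zip holding one META-INF/MANIFEST.MF to memory (constructed fixture).
func buildJar(manifest []byte) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create("META-INF/MANIFEST.MF")
	fw.Write(manifest)
	w.Close()
	return buf.Bytes()
}
```

Because the limit is applied to the decompressed stream rather than to the size field in the zip header, a deliberately mis-declared entry is still cut off at the cap.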

