2264106 – (CVE-2024-1485) CVE-2024-1485 registry-support: decompress can delete files outside scope via relative paths

Bug 2264106 (CVE-2024-1485) - CVE-2024-1485 registry-support: decompress can delete files outside scope via relative paths

Summary: CVE-2024-1485 registry-support: decompress can delete files outside scope via...

Keywords:
Status:	NEW
Alias:	CVE-2024-1485
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2264108
TreeView+	depends on / blocked

Reported:	2024-02-13 21:58 UTC by Nick Tait
Modified:	2024-09-09 19:17 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags:	askrabec: needinfo+

Attachments	(Terms of Use)

Description Nick Tait 2024-02-13 21:58:36 UTC

This vulnerability affects https://github.com/devfile/registry-support and more specifically as part
of a decompress function where we were reading archived files from a .tar
and writing them to a new location. It was reported to us that the cleaning
function we were using to ensure the file paths could not escape the
directory they were supposed to go to was not working properly. This
allowed somebody to potentially intercept the .tar file as it was being
downloaded by the client and replace it with one that contained relative
file paths. These paths when read by the decompress function would escape
the destination directory and potentially overwrite arbitrary files.

The commit that contains the fix is here:
https://github.com/devfile/registry-support/commit/0e44b9ca6d03fac4fc3f77d37656d56dc5defe0d

Note You need to log in before you can comment on or make changes to this bug.