Bug 2264106 (CVE-2024-1485) - CVE-2024-1485 registry-support: decompress can delete files outside scope via relative paths
Summary: CVE-2024-1485 registry-support: decompress can delete files outside scope via...
Keywords:
Status: NEW
Alias: CVE-2024-1485
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high (priority) / high (severity)
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2264108
Reported: 2024-02-13 21:58 UTC by Nick Tait
Modified: 2024-03-15 22:58 UTC (History)
CC: 5 users

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive whose entries use relative paths, causing the decompression and cleanup process to overwrite or delete files outside of the directory the archive is extracted into, which should not be allowed.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Nick Tait 2024-02-13 21:58:36 UTC
This vulnerability affects https://github.com/devfile/registry-support, more
specifically a decompress function where we were reading archived files from a
.tar and writing them to a new location. It was reported to us that the
cleaning function we were using to ensure the file paths could not escape the
directory they were supposed to go to was not working properly. This allowed
somebody to potentially intercept the .tar file as it was being downloaded by
the client and replace it with one that contained relative file paths. These
paths, when read by the decompress function, would escape the destination
directory and potentially overwrite arbitrary files.

The commit that contains the fix is here:
https://github.com/devfile/registry-support/commit/0e44b9ca6d03fac4fc3f77d37656d56dc5defe0d
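The escape described in the comment above, as an added example that is not code from registry-support or from the reporter: a Go program that extracts a constructed in-memory tarball once through a deliberately inadequate path check (naiveSafeJoin, a string-prefix test assumed here for illustration, not the project's actual cleaning function) and once through a correct one (safeJoin, based on filepath.Rel). The function names, the sample archive contents and the temporary-directory layout are all assumptions made for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned for an archive entry whose resolved path lies outside dest.
var ErrEscape = errors.New("tar entry escapes destination directory")

// naiveSafeJoin is an assumed example of a check that looks adequate but is not:
// it cleans the joined path and then tests a bare string prefix. With dest
// "/srv/out", the entry "../outfile" resolves to "/srv/outfile", which still
// starts with "/srv/out" and is therefore accepted.
func naiveSafeJoin(dest, name string) (string, error) {
	target := filepath.Clean(filepath.Join(dest, name))
	if !strings.HasPrefix(target, dest) {
		return "", ErrEscape
	}
	return target, nil
}

// safeJoin resolves the entry relative to dest and rejects anything that climbs
// back out: filepath.Rel yields ".." or "../x" for escaping paths. Absolute entry
// names are confined because Join treats them as relative to dest.
func safeJoin(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(dest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return target, nil
}

// extractTar unpacks regular files from r under dest, using join to decide
// where each entry may land. It returns the paths written and the entry
// names rejected as escaping.
func extractTar(r io.Reader, dest string, join func(dest, name string) (string, error)) ([]string, []string, error) {
	var written, rejected []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, rejected, nil
		} else if err != nil {
			return nil, nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			// Directories are created implicitly for their files. Symlinks and
			// special entries are skipped: a symlink pointing outside dest that a
			// later entry is written through is the other classic archive escape.
			continue
		}
		target, err := join(dest, hdr.Name)
		if errors.Is(err, ErrEscape) {
			rejected = append(rejected, hdr.Name)
			continue
		} else if err != nil {
			return nil, nil, err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return nil, nil, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			return nil, nil, err
		}
		_, err = io.Copy(f, tr)
		f.Close()
		if err != nil {
			return nil, nil, err
		}
		written = append(written, target)
	}
}

// buildArchive returns a constructed in-memory tarball standing in for the
// attacker-substituted download: one benign entry and one that tries to land
// beside the destination directory rather than inside it.
func buildArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"devfile.yaml", "schemaVersion: 2.2.0\n"},
		{"../outfile", "written outside dest\n"},
	} {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	tmp, err := os.MkdirTemp("", "tar-escape-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	for _, c := range []struct {
		label string
		join  func(string, string) (string, error)
	}{{"naive", naiveSafeJoin}, {"safe", safeJoin}} {
		// Each run extracts into <tmp>/<label>/out, so a successful escape lands
		// at <tmp>/<label>/outfile, beside the destination rather than inside it.
		w, r, err := extractTar(bytes.NewReader(buildArchive()), filepath.Join(tmp, c.label, "out"), c.join)
		fmt.Printf("%-5s written=%v rejected=%v err=%v\n", c.label, w, r, err)
	}
}
```

The prefix test fails on the sibling-directory case because "out" is a string prefix of "outfile"; the Rel-based check has no such edge, and it also confines absolute entry names, since Join treats them as relative to dest. Symlink entries are a separate hazard that a path check alone does not cover, which is why the example does not extract them. For what registry-support itself changed, the fix commit linked above is the authoritative reference.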

