Bug 2196656 (CVE-2023-30551) - CVE-2023-30551 rekor: compressed archives can result in OOM conditions
Summary: CVE-2023-30551 rekor: compressed archives can result in OOM conditions
Keywords:
Status: NEW
Alias: CVE-2023-30551
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2196653
Reported: 2023-05-09 18:16 UTC by juneau
Modified: 2024-05-02 18:49 UTC (History)
CC List: 25 users

Fixed In Version: rekor 1.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Rekor. Versions prior to 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing an APK file submitted to Rekor can also cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:49:19 UTC
Red Hat Product Errata RHSA-2023:7323 0 None None None 2023-11-21 11:28:23 UTC

Description juneau 2023-05-09 18:16:45 UTC
CVE-2023-30551:

Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.

Reference:
https://github.com/sigstore/rekor/security/advisories/GHSA-2h5h-59f5-c5x9

Upstream patch:
https://github.com/sigstore/rekor/commit/cf42ace82667025fe128f7a50cf6b4cdff51cc48
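
The advisory above describes the bug class precisely: archive metadata members are decompressed into memory without a size check, so a small submitted archive can expand to an arbitrarily large allocation. The Go program below is an added illustration of that pattern and its fix; it is not code from the Rekor project or from the upstream patch linked above. It constructs an in-memory JAR whose META-INF/MANIFEST.MF member is a few kilobytes compressed but 8 MiB decompressed, then contrasts an unbounded io.ReadAll with a read capped through io.LimitReader. The 1 MiB cap, the function names and the test archive are assumptions for the example; the same bounded-read helper applies to the .SIGN and .PKGINFO members of an APK.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooLarge is returned when an archive member decompresses past the cap.
var ErrTooLarge = errors.New("archive member exceeds size limit")

// maxMetaInfBytes is an assumed cap for this example, not a value taken from Rekor.
const maxMetaInfBytes int64 = 1 << 20

// readBounded decompresses at most maxBytes from r. It asks for one extra byte
// so it can distinguish "exactly maxBytes" from "more than maxBytes" without
// trusting the size fields in the archive header, which the submitter controls.
func readBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > maxBytes {
		return nil, ErrTooLarge
	}
	return buf, nil
}

// readMetaInf walks the JAR (a zip) and hands every META-INF member's
// decompression stream to read; the choice of read decides whether memory
// use is bounded by the verifier or by the attacker-supplied archive.
func readMetaInf(jar []byte, read func(io.Reader) ([]byte, error)) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "META-INF/") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := read(rc)
		rc.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		out[f.Name] = data
	}
	return out, nil
}

// readMetaInfUnbounded is the pattern the advisory describes: io.ReadAll keeps
// allocating until the deflate stream ends, so a few kilobytes on disk can
// become gigabytes in memory.
func readMetaInfUnbounded(jar []byte) (map[string][]byte, error) {
	return readMetaInf(jar, io.ReadAll)
}

// readMetaInfBounded is the hardened form: no META-INF member can force more
// than maxBytes to be allocated, whatever the archive declares or contains.
func readMetaInfBounded(jar []byte, maxBytes int64) (map[string][]byte, error) {
	return readMetaInf(jar, func(r io.Reader) ([]byte, error) {
		return readBounded(r, maxBytes)
	})
}

// buildJar constructs an in-memory JAR holding a single member. This is test
// data for the example, not a real artifact.
func buildJar(name string, payload []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create(name) // Create uses Deflate, so repetitive payloads shrink dramatically
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(payload); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// 8 MiB of one repeated byte deflates to a few kilobytes on disk.
	big, err := buildJar("META-INF/MANIFEST.MF", bytes.Repeat([]byte("A"), 8<<20))
	if err != nil {
		panic(err)
	}
	fmt.Printf("archive on disk: %d bytes\n", len(big))
	if _, err := readMetaInfBounded(big, maxMetaInfBytes); err != nil {
		fmt.Println("bounded read rejected it:", err)
	}
	unb, _ := readMetaInfUnbounded(big)
	fmt.Printf("unbounded read allocated %d bytes for META-INF/MANIFEST.MF\n", len(unb["META-INF/MANIFEST.MF"]))
}
```

The cap is enforced on the decompressed stream rather than on the zip header's declared UncompressedSize64: the header is a cheap first gate worth checking, but it is written by whoever built the archive, so only the bounded read actually limits the allocation. A per-member cap is also preferable to a whole-archive cap, since the number of META-INF members is attacker-controlled too.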

Comment 6 errata-xmlrpc 2023-11-21 11:28:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:7323 https://access.redhat.com/errata/RHSA-2023:7323

Comment 7 errata-xmlrpc 2024-02-27 20:49:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

