GHSA-88cv-mj24-8w3q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-88cv-mj24-8w3q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-88cv-mj24-8w3q/GHSA-88cv-mj24-8w3q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-88cv-mj24-8w3q
- Aliases
- Published
- 2022-09-21T17:00:12Z
- Modified
- 2023-11-08T04:10:15.515035Z
- Severity
-
- 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- arr-pm vulnerable to arbitrary shell execution when extracting or listing files contained in a malicious rpm.
- Details
-
Impact
Arbitrary shell execution is possible when using RPM::File#files and RPM::File#extract if the RPM contains a malicious "payload compressor" field.
This vulnerability impacts the
extractandfilesmethods of theRPM::Fileclass in the affected versions of this library.Patches
Version 0.0.12 is available with a fix for these issues.
Workarounds
When using an affected version of this library (arr-pm), ensure any RPMs being processed contain valid/known payload compressor values. Such values include: gzip, bzip2, xz, zstd, and lzma.
You can check the payload compressor field in an rpm by using the rpm command line tool. For example:
% rpm -qp example-1.0-1.x86_64.rpm --qf "%{PAYLOADCOMPRESSOR}\n" gzipImpact on known dependent projects
This library is used by fpm. The vulnerability may impact fpm only when using the flag
-s rpmor--input-type rpmto convert a malicious rpm to another format. It does not impact creating rpms.References
- https://github.com/jordansissel/ruby-arr-pm/pull/14
- https://github.com/jordansissel/ruby-arr-pm/pull/15
Credit
Thanks to @joernchen for reporting this problem and contributing to the resolution :)
For more information
If you have any questions or comments about this advisory: * Open an issue in the arr-pm issue tracker
- Database specific
{ "nvd_published_at": "2022-09-21T23:15:00Z", "github_reviewed_at": "2022-09-21T17:00:12Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-78" ] }- References
-
- https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q
- https://nvd.nist.gov/vuln/detail/CVE-2022-39224
- https://github.com/jordansissel/ruby-arr-pm/pull/14
- https://github.com/jordansissel/ruby-arr-pm/pull/15
- https://github.com/jordansissel/ruby-arr-pm
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/arr-pm/CVE-2022-39224.yml
Affected packages
RubyGems / arr-pm
Package
- Name
- arr-pm
- Purl
- pkg:gem/arr-pm