The directory support (#55) allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links.
A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs oras pull
.
Precisely, the following users of the affected versions are impacted
- oras
CLI users who runs oras pull
.
- Go programs, which invokes github.com/deislabs/oras/pkg/content.FileStore
.
The problem has been patched by the PR linked with this advisory. Users should upgrade their oras
CLI and packages to 0.9.0
.
For oras
CLI users, there is no workarounds other than pulling from a trusted artifact provider.
For oras
package users, the workaround is to not use github.com/deislabs/oras/pkg/content.FileStore
, and use other content stores instead, or pull from a trusted artifact provider.
If you have any questions or comments about this advisory: * Open an issue on the GitHub repo * Email the list of maintainers
{ "nvd_published_at": "2021-01-25T19:15:00Z", "github_reviewed_at": "2021-05-21T14:42:50Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-22", "CWE-59" ] }