exploitDog
GHSA-5662-cv6m-63wh

Published: 18 Jul 2025
Source: github
GitHub: reviewed
CVSS3: 4.4

Description

melange's world-writable permissions expose SBOM files to potential image tampering

It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666:

$ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz -P hello-wolfi --full --latest | xargs wget -q -O - | tar tzv 2>/dev/null var/lib/db/sbom
drwxr-xr-x root/root         0 2025-06-23 14:17 var/lib/db/sbom
-rw-rw-rw- root/root      3383 2025-06-23 14:17 var/lib/db/sbom/hello-wolfi-2.12.2-r1.spdx.json

This issue was introduced in commit 1b272db ("Persist workspace filesystem throughout package builds (#1836)") (v0.23.0).
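A quick way to check whether a package you are about to ship or deploy carries this defect is to walk the apk's tar entries and flag any regular file under var/lib/db/sbom whose mode bits include write access for "other", which is exactly what the 0666 entry in the listing above shows. The Go program below is an added example written for this advisory, not melange's or apkrane's own code; the package it inspects is a constructed stand-in built in memory so the example runs offline, and the SBOMDir constant, the function names and the stub SPDX content are this example's own assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"strings"
)

// SBOMDir is where melange places SBOM files inside the apk, per the
// advisory's tar listing. The trailing slash keeps the prefix match exact.
const SBOMDir = "var/lib/db/sbom/"

// WorldWritableEntries reads a gzip-compressed tar stream (an apk data
// section) and returns every regular file under prefix whose permission
// bits grant write access to "other" (o+w). A melange-built SBOM with
// mode 0666 is reported; one written with 0644 after the fix is not.
func WorldWritableEntries(r io.Reader, prefix string) ([]string, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, fmt.Errorf("not a gzip stream: %w", err)
	}
	defer gz.Close()

	tr := tar.NewReader(gz)
	var found []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg || !strings.HasPrefix(hdr.Name, prefix) {
			continue
		}
		// 0o002 is the "other write" bit; any file with it set is tamperable
		// by an unprivileged user on the running image.
		if hdr.Mode&0o002 != 0 {
			found = append(found, fmt.Sprintf("%s (%#o)", hdr.Name, hdr.Mode&0o777))
		}
	}
	return found, nil
}

// BuildSampleApkData is a constructed stand-in for an apk data section:
// the SBOM directory plus one SBOM file written with sbomMode. It exists
// only so the example runs offline; it is not the real hello-wolfi package.
func BuildSampleApkData(sbomMode int64) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	must(tw.WriteHeader(&tar.Header{Name: SBOMDir, Typeflag: tar.TypeDir, Mode: 0o755}))
	body := []byte(`{"spdxVersion":"SPDX-2.3","name":"sample"}`) // constructed SBOM stub
	must(tw.WriteHeader(&tar.Header{
		Name:     SBOMDir + "hello-wolfi-2.12.2-r1.spdx.json",
		Typeflag: tar.TypeReg,
		Mode:     sbomMode,
		Size:     int64(len(body)),
	}))
	_, err := tw.Write(body)
	must(err)
	must(tw.Close())
	must(gz.Close())
	return buf.Bytes()
}

func main() {
	// Usage: go run . < package.apk
	// With no apk on stdin, fall back to the constructed sample built with the
	// vulnerable 0666 mode so the output mirrors the advisory's listing.
	var input io.Reader = os.Stdin
	if fi, err := os.Stdin.Stat(); err != nil || fi.Mode()&os.ModeCharDevice != 0 {
		input = bytes.NewReader(BuildSampleApkData(0o666))
	}
	hits, err := WorldWritableEntries(input, SBOMDir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	if len(hits) == 0 {
		fmt.Println("OK: no world-writable SBOM files")
		return
	}
	for _, h := range hits {
		fmt.Println("WORLD-WRITABLE:", h)
	}
	os.Exit(1)
}
```

A real .apk is three concatenated gzip streams (signature, control, data); Go's gzip reader treats concatenated members as one stream, so piping a whole package into the program is expected to work as well, though that is an assumption of this example rather than something the advisory states. On an already-running image the equivalent one-line check is `find /var/lib/db/sbom -type f -perm -o=w`, which should print nothing for packages built with melange 0.29.5 or later.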

Impact

Because the SBOM files are world-writable, any unprivileged user on a running image can modify or replace the apk SBOMs, which can mislead security scanners that rely on them for package and vulnerability inventory. Under special circumstances an attacker could also cause a denial of service.

Patches

This issue was addressed in melange in e29494b ("fix: tighten up permissions for written SBOM files and signature tarballs (#2086)") (v0.29.5).

Acknowledgements

Thanks to Cody Harris (H2O.ai) and Markus Boehme for independently reporting this issue.

Packages

Name: chainguard.dev/melange (go)
Affected versions: >= 0.23.0, < 0.29.5
Fixed version: 0.29.5

EPSS

Percentile: 4%
Score: 0.00019
Low

CVSS3

4.4 Medium

Weaknesses

CWE-276 (Incorrect Default Permissions)

Related vulnerabilities

CVSS3: 4.4
Source: nvd
7 months ago

melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue.

EPSS

Percentile: 4%
Score: 0.00019
Low

CVSS3

4.4 Medium

Weaknesses

CWE-276 (Incorrect Default Permissions)