Description
arr-pm vulnerable to arbitrary shell execution when extracting or listing files contained in a malicious rpm.
Impact
Arbitrary shell execution is possible when using RPM::File#files and RPM::File#extract if the RPM contains a malicious "payload compressor" field.
This vulnerability impacts the extract and files methods of the RPM::File class in the affected versions of this library.
Patches
Version 0.0.12 is available with a fix for these issues.
Workarounds
When using an affected version of this library (arr-pm), ensure any RPMs being processed contain valid/known payload compressor values. Such values include: gzip, bzip2, xz, zstd, and lzma.
You can check the payload compressor field in an rpm by using the rpm command line tool. For example:
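Separately from the rpm command-line check above, the same allowlist workaround can be applied in code. This is an added example, not arr-pm's own code: it reads the PAYLOADCOMPRESSOR string (tag 1125 in rpm's rpmtag.h) out of a raw RPM header section and accepts only the known compressor names, so the value is validated before it could ever reach a shell. It assumes the caller already has the header section bytes; the header used below is constructed for the test.

```ruby
# Added example, not part of arr-pm. Validates the payload compressor of an
# RPM header section against an allowlist instead of trusting the field.
HEADER_MAGIC = "\x8e\xad\xe8\x01".b          # header magic + version byte
RPMTAG_PAYLOADCOMPRESSOR = 1125              # tag number from rpm's rpmtag.h
RPM_STRING_TYPE = 6                          # RPM_STRING_TYPE in rpmtag.h
KNOWN_COMPRESSORS = %w[gzip bzip2 xz zstd lzma].freeze

# Parse one header section (magic, index entries, data store) and return a
# Hash of tag => value for single STRING entries. Other types are skipped.
def parse_header_strings(blob)
  blob = blob.b
  raise ArgumentError, "bad header magic" unless blob.byteslice(0, 4) == HEADER_MAGIC
  nindex, hsize = blob.byteslice(8, 8).unpack("N2")     # big-endian counts
  index = blob.byteslice(16, 16 * nindex)
  store = blob.byteslice(16 + 16 * nindex, hsize)
  raise ArgumentError, "truncated header" if store.nil? || store.bytesize < hsize
  entries = {}
  nindex.times do |i|
    tag, type, offset, count = index.byteslice(16 * i, 16).unpack("N4")
    next unless type == RPM_STRING_TYPE && count == 1
    nul = store.index("\0", offset)
    raise ArgumentError, "unterminated string for tag #{tag}" if nul.nil?
    entries[tag] = store.byteslice(offset, nul - offset)
  end
  entries
end

# Packages built without the tag use gzip; newer ones name the compressor.
def payload_compressor(blob)
  parse_header_strings(blob).fetch(RPMTAG_PAYLOADCOMPRESSOR, "gzip")
end

# The workaround from the advisory: only allowlisted names are acceptable.
def safe_compressor?(value)
  KNOWN_COMPRESSORS.include?(value)
end

# Build a minimal header section with one PAYLOADCOMPRESSOR entry
# (constructed sample data for demonstration, not a real package).
def build_header(compressor)
  data = compressor.b + "\0".b
  index = [RPMTAG_PAYLOADCOMPRESSOR, RPM_STRING_TYPE, 0, 1].pack("N4")
  HEADER_MAGIC + "\0\0\0\0".b + [1, data.bytesize].pack("N2") + index + data
end
```

A caller would refuse to hand the RPM to `RPM::File#extract` or `#files` unless `safe_compressor?(payload_compressor(header))` is true.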
Impact on known dependent projects
This library is used by fpm. The vulnerability may impact fpm only when using the flag -s rpm or --input-type rpm to convert a malicious rpm to another format. It does not impact creating rpms.
References
- https://github.com/jordansissel/ruby-arr-pm/pull/14
- https://github.com/jordansissel/ruby-arr-pm/pull/15
Credit
Thanks to @joernchen for reporting this problem and contributing to the resolution :)
For more information
If you have any questions or comments about this advisory:
- Open an issue in the arr-pm issue tracker
Links
- https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q
- https://nvd.nist.gov/vuln/detail/CVE-2022-39224
- https://github.com/jordansissel/ruby-arr-pm/pull/14
- https://github.com/jordansissel/ruby-arr-pm/pull/15
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/arr-pm/CVE-2022-39224.yml
Packages
arr-pm (affected: < 0.0.12; fixed: 0.0.12)
Related vulnerabilities
Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.
Vulnerability in the Arr-pm library for reading/writing RPM packages for the Ruby programming language interpreter, allowing an attacker to execute arbitrary commands.