Description
apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files
It was discovered that the ld.so.cache in images generated by apko had file system permissions mode 0666:
This issue was introduced in commit 04f37e2 ("generate /etc/ld.so.cache (#1629)") (v0.27.0).
Impact
This potentially allows a local unprivileged user to add additional directories containing dynamic libraries to the dynamic loader path. A user could exploit this by placing a malicious library in a directory they control.
Patches
This issue was addressed in apko in aedb077 ("fix: /etc/ld.so.cache file permissions (#1758)") (v0.29.5).
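To check existing images for this condition, the following added example (not code from apko or from the advisory) scans an uncompressed layer tar stream for regular files with the world-writable bit set, as /etc/ld.so.cache had at mode 0666. The names `WorldWritable` and `sampleLayer` and the in-memory layer are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// WorldWritable returns "path mode" for every regular file in a tar stream
// (e.g. an uncompressed image layer) whose mode has the other-write bit set.
// Directories and symlinks are skipped: /tmp (1777) and link modes are expected.
func WorldWritable(r io.Reader) ([]string, error) {
	var found []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return found, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag == tar.TypeReg && hdr.Mode&0o002 != 0 {
			found = append(found, fmt.Sprintf("%s %04o", hdr.Name, hdr.Mode&0o7777))
		}
	}
}

// sampleLayer builds a constructed layer: one file with the mode described in
// the advisory (0666) and one with an ordinary mode (0644).
func sampleLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "etc/ld.so.cache", Mode: 0o666, Typeflag: tar.TypeReg})
	tw.WriteHeader(&tar.Header{Name: "etc/passwd", Mode: 0o644, Typeflag: tar.TypeReg})
	tw.Close()
	return buf.Bytes()
}

func main() {
	hits, err := WorldWritable(bytes.NewReader(sampleLayer()))
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("world-writable:", h)
	}
}
```

For a real image, feed each decompressed layer from the image's OCI layout into `WorldWritable` in place of the sample.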
Acknowledgements
Many thanks to Cody Harris from H2O.ai for reporting this issue.
References
- https://github.com/chainguard-dev/apko/security/advisories/GHSA-x6ph-r535-3vjw
- https://nvd.nist.gov/vuln/detail/CVE-2025-53945
- https://github.com/chainguard-dev/apko/commit/04f37e2d50d5a502e155788561fb7d40de705bd9
- https://github.com/chainguard-dev/apko/commit/aedb0772d6bf6e74d8f17690946dbc791d0f6af3
- https://github.com/chainguard-dev/apko/releases/tag/v0.29.5
Packages
- chainguard.dev/apko: affected versions >= 0.27.0, < 0.29.5; fixed in 0.29.5
Related vulnerabilities
apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issue.