Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-39224: Only attempt extraction if a known payload compressor is used. by jordansissel · Pull Request #15 · jordansissel/ruby-arr-pm

Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious “payload compressor” field. This vulnerability impacts the extract and files methods of the RPM::File class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.

CVE
Open in Source
#vulnerability#ruby#rpm
% bundle exec rspec spec/rpm/file_spec.rb -e compressor -f d
Run options: include {:full_description=>/compressor/}

RPM::File
  #extract
    with an invalid payloadcompressor
      should raise an error
    with a 'gzip' payloadcompressor
      should succeed
    with a 'bzip2' payloadcompressor
bzip2: (stdin) is not a bzip2 file.
cpio: premature end of archive
      should succeed
    with a 'xz' payloadcompressor
xz: (stdin): File format not recognized
cpio: premature end of archive
      should succeed
    with a 'lzma' payloadcompressor
lzma: (stdin): File format not recognized
cpio: premature end of archive
      should succeed
    with a 'zstd' payloadcompressor
      should succeed

Finished in 0.01085 seconds (files took 0.06391 seconds to load)
6 examples, 0 failures

Related news

GHSA-88cv-mj24-8w3q: arr-pm vulnerable to arbitrary shell execution when extracting or listing files contained in a malicious rpm.

### Impact Arbitrary shell execution is possible when using RPM::File#files and RPM::File#extract if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class in the affected versions of this library. ### Patches Version 0.0.12 is available with a fix for these issues. ### Workarounds When using an affected version of this library (arr-pm), ensure any RPMs being processed contain valid/known payload compressor values. Such values include: gzip, bzip2, xz, zstd, and lzma. You can check the payload compressor field in an rpm by using the rpm command line tool. For example: ``` % rpm -qp example-1.0-1.x86_64.rpm --qf "%{PAYLOADCOMPRESSOR}\n" gzip ``` ### Impact on known dependent projects This library is used by [fpm](https://github.com/jordansissel/fpm). The vulnerability may impact fpm only when using the flag `-s rpm` or `--input-type rpm` to convert a malicious rpm to another format. It does...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE