Merge pull request from GHSA-m9g4-7496-9p6f
Kubectl plugins distributed on Krew have to be packaged as tar or zip archive files. A bug in krew's handling of archive files allowed a hand-crafted tar/zip archive with file entries whose filenames contain relative or absolute paths to write files outside the desired extraction directory, hence allowing a bad actor to write files to the rest of the user's filesystem upon installing a plugin. All Krew versions before v0.3.2 are known to be affected.

This is a low-severity vulnerability since:
- Plugins widely distributed with Krew are hosted in the krew-index repository, which is controlled and approved by Krew maintainers.
- Manual validation of the plugin archive files in krew-index reveals no exploitation of this bug.
- Krew validates downloaded archive files against the checksum listed in the plugin manifest file, which doesn't allow plugin authors to silently change the underlying archive files without going through a manifest update in the krew-index repository.

Krew will now refuse to unpack an archive if one of the following conditions applies to any archive file name:
- it starts with '/'
- it starts with '\'
- it contains '..'
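The three refusal rules above, applied to tar and zip entries before anything is written to disk, as an added Go example (krew is written in Go). This is not krew's own code: `checkEntryName` implements the commit message's literal rules, and `safeJoin` is a hypothetical extra helper that goes a step further than the text by cleaning the joined path and confirming it still lies under the destination directory. The destination path and the archive entry names are constructed sample input.

```go
package main

import (
	"archive/tar"
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks an archive entry name that could escape the extraction directory.
var ErrUnsafeEntry = errors.New("unsafe archive entry name")

// checkEntryName applies the three refusal rules from the commit message literally:
// reject a name that starts with '/', starts with '\', or contains "..".
func checkEntryName(name string) error {
	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, `\`) || strings.Contains(name, "..") {
		return fmt.Errorf("%w: %q", ErrUnsafeEntry, name)
	}
	return nil
}

// safeJoin (hypothetical helper, not krew's) adds a second line of defence: after the
// literal rules pass, it cleans the joined path and verifies it is still under destDir.
func safeJoin(destDir, name string) (string, error) {
	if err := checkEntryName(name); err != nil {
		return "", err
	}
	dest := filepath.Clean(destDir)
	target := filepath.Join(dest, name) // Join cleans, so "./a/b" becomes dest/a/b
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves outside %q", ErrUnsafeEntry, name, destDir)
	}
	return target, nil
}

// vetTar walks a tar stream and returns every entry name safeJoin refuses, in order,
// without extracting anything.
func vetTar(destDir string, data []byte) ([]string, error) {
	var rejected []string
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil {
			return rejected, err
		}
		if _, err := safeJoin(destDir, hdr.Name); err != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}

// vetZip does the same for a zip archive held in memory.
func vetZip(destDir string, data []byte) ([]string, error) {
	var rejected []string
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	for _, f := range zr.File {
		if _, err := safeJoin(destDir, f.Name); err != nil {
			rejected = append(rejected, f.Name)
		}
	}
	return rejected, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildTar and buildZip produce constructed sample archives in memory with the given
// entry names; each body is a single byte because only the names matter here.
func buildTar(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		must(tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: 1, Typeflag: tar.TypeReg}))
		_, err := tw.Write([]byte("x"))
		must(err)
	}
	must(tw.Close())
	return buf.Bytes()
}

func buildZip(names []string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		w, err := zw.Create(n)
		must(err)
		_, err = w.Write([]byte("x"))
		must(err)
	}
	must(zw.Close())
	return buf.Bytes()
}

// SampleNames (constructed) mixes a legitimate plugin layout with the hostile entry kinds.
var SampleNames = []string{
	"kubectl-example/kubectl-example", // legitimate
	"./kubectl-example/LICENSE",       // legitimate, "./" is cleaned away by Join
	"/etc/cron.d/backdoor",            // absolute path
	`\Users\Public\evil.exe`,          // Windows-style absolute path
	"../../.bashrc",                   // traversal
	"kubectl-example/../../x",         // traversal hidden mid-path
}

func main() {
	dest := filepath.Join("/tmp", "krew-store", "example") // assumed destination
	tarRej, _ := vetTar(dest, buildTar(SampleNames))
	zipRej, _ := vetZip(dest, buildZip(SampleNames))
	fmt.Println("refused in tar:", tarRej)
	fmt.Println("refused in zip:", zipRej)
}
```

Vetting every entry name before extraction begins, rather than rejecting mid-way, means a hostile archive leaves nothing behind in the plugin directory. The literal `..` rule is deliberately coarse (it also refuses a harmless file called `a..b`), which is an acceptable trade for an installer; the containment check in `safeJoin` is what catches a path that slips past string rules on a platform with different separator semantics.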