Discovered and reported by Cornelius Weig, reporting on his behalf.
Kubectl plugins distributed on Krew have to be packaged as tar or zip archive files.
A bug in Krew's handling of archive files allowed a hand-crafted tar/zip archive whose file entries contain relative or absolute paths in their filenames to write files outside the intended extraction directory, giving a malicious plugin author the ability to write files elsewhere on the user's filesystem when the plugin is installed.
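The check that such an extractor needs, as an added example in Go that is not Krew's own code: `safeJoin` rejects absolute entry names and names whose cleaned path no longer sits under the destination, and `extractTar` applies it to every entry before anything is written, so a hostile entry aborts the extraction without touching the filesystem. `buildTar`, the entry names and the temporary directory are constructed for the example, and the function names are assumptions, not identifiers from the Krew code base.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any archive entry whose name would resolve to
// a location outside the extraction directory.
var ErrUnsafePath = errors.New("archive entry escapes extraction directory")

// safeJoin resolves an entry name against dest. It rejects absolute names and
// names that, once ".." components are cleaned, no longer sit under dest.
func safeJoin(dest, name string) (string, error) {
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", fmt.Errorf("%w: absolute name %q", ErrUnsafePath, name)
	}
	target := filepath.Join(dest, name) // Join cleans "..", so compare the result to dest
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	return target, nil
}

// extractTar unpacks a tar stream into dest, validating each entry name with
// safeJoin before touching the filesystem. Only regular files are written
// (directories are created as needed; symlinks, devices etc. are skipped).
func extractTar(r io.Reader, dest string) ([]string, error) {
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return written, err // hostile entry: abort before any write
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
		if err != nil {
			return written, err
		}
		_, err = io.Copy(f, tr)
		if cerr := f.Close(); err == nil {
			err = cerr
		}
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
}

// buildTar creates an in-memory tar of regular files from name/content pairs.
// This is constructed sample input, not a real Krew plugin archive.
func buildTar(files [][2]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range files {
		_ = tw.WriteHeader(&tar.Header{Name: f[0], Mode: 0o644, Size: int64(len(f[1])), Typeflag: tar.TypeReg})
		_, _ = tw.Write([]byte(f[1]))
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "krew-extract-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	written, err := extractTar(bytes.NewReader(buildTar([][2]string{{"plugin/kubectl-foo", "#!/bin/sh\n"}})), dest)
	fmt.Println("benign archive:", written, err)
	// An entry whose name walks up a directory is refused before anything is written.
	_, err = extractTar(bytes.NewReader(buildTar([][2]string{{"../outside", "x\n"}})), dest)
	fmt.Println("hostile archive:", err)
}
```

The same `safeJoin` check applies unchanged to zip entries (`archive/zip` exposes each entry's `Name` the same way); the important design point is that the name is validated against the destination after `filepath.Join` has cleaned it, not by string-matching the raw entry name, and that the check runs before any directory or file is created.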
All Krew versions before v0.3.2 are known to be affected.
This is a low-severity vulnerability since:
Please upgrade to v0.3.2 by running kubectl krew upgrade to download the latest release of Krew, and then run kubectl krew version to verify that the patched version is installed.
kubectl krew upgrade
kubectl krew version
If you would like to report a security vulnerability to Krew, please follow the Kubernetes Security Disclosure program at https://kubernetes.io/docs/reference/issues-security/security/.
If you have any questions or comments about this advisory, please open a new issue in the https://github.com/kubernetes-sigs/krew repository.
Thanks to Cornelius Weig for reporting this issue and providing the fix.
Thanks to Tim Allclair for helping with the security release process.