RUSTSEC-2022-0103
The coreos-installer is a program to fetch a disk image and
stream it to a target disk.
During the installation process the installation image gpg
signatures are verified.
The signature verification can be bypassed for gzip-compressed
images due to a flaw in gzip coreos-installer wrapper.
When the decoder encounters the gzip trailer, it signals EOF
to its output and does not continue reading from its input.
As a result, earlier wrappers don't notice that they've reached
EOF.
In particular, the GPG wrapper does not check the exit code of GPG.
Thus, if an attacker can substitute an attacker-controlled
gzipped disk image, installation will complete successfully
without a valid signature.
This vulnerability impacts only specific, User-Provisioned
Infrastructure (UPI) installation methods where coreos-installer
is used and where gzip-compressed images are configured as
the installation source.
The Installer-Provisioned Infrastructure (IPI) bare-metal
installs do use coreos-installer, but this installation
method uses an install image embedded in the live OS image
(ISO or PXE image), therefore is not affected by this
vulnerability.
This vulnerability is specific to some upstream Fedora
CoreOS installation flows.
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://crates.io/crates/coreos-installer, https://rustsec.org/advisories/RUSTSEC-2022-0103.html, https://bugzilla.redhat.com/show_bug.cgi?id=2011862, https://nvd.nist.gov/vuln/detail/CVE-2021-20319
Basic Information
