OSEC-2023-01

Bug description

Opam uses since version 2.0.0 a download cache: if a source artifact is needed, first its hash is looked up in the local cache (~/.opam/download-cache/<hash-algorihm>/<hash>). Opam supports multiple hash algorithms, a cache lookup tries all hash algorithms present in the opam file. Before opam 2.1.5, the hash of a cache entry as encoded in its file name was trusted and not checked against its content.

If a package specifies only a single (non-weak) hash algorithm, this lead to the source artifact taken as is, any error while writing the artifact into the cache, or reading it from the cache, was not detected. Also, in certain setups, if the download cache is shared (writable) across containers (for example in some CI systems), this leads to the possibility of cache poisoning.

Thanks to Raja and Kate, the issue was fixed in PR 5538

Timeline

The timeline of this issue is as follows:

• Feb 23rd 2023 conducted black-box security audit of opam
• Feb 24th 2023 reported to the opam team
• Feb 27th 2023 video meeting with the opam team, explaining the issue further
• Mar 27th 2023 initial review meeting of the patches developed by the opam team
• May 9th 2023 public PR fixing the issue discovered
• May 25th 2023 release of opam 2.1.5