Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 955439 (GHSA-32gq-x56h-299c) - <app-crypt/age-1.2.1: Arbitrary Binary Execution
Summary: <app-crypt/age-1.2.1: Arbitrary Binary Execution
Status: CONFIRMED
Alias: GHSA-32gq-x56h-299c
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/advisories/GHSA-32...
Whiteboard: B2 [glsa? cleanup]
Keywords:
Depends on: 955504
Blocks:
  Show dependency tree
 
Reported: 2025-05-05 06:30 UTC by Hans de Graaff
Modified: 2025-05-07 06:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2025-05-05 06:30:18 UTC 
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.

Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs.

On UNIX systems, a directory matching ${TMPDIR:-/tmp}/age-plugin-* needs to exist for the attack to succeed.

The binary is executed with a single flag, either --age-plugin=recipient-v1 or --age-plugin=identity-v1. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the age-plugin protocol.