719300 – (CVE-2020-11013, CVE-2020-4053) app-admin/helm: Multiple vulnerabilities (CVE-2020-{4053,11013})

Bug 719300 (CVE-2020-11013, CVE-2020-4053) - app-admin/helm: Multiple vulnerabilities (CVE-2020-{4053,11013})

Summary: app-admin/helm: Multiple vulnerabilities (CVE-2020-{4053,11013})

Status:	RESOLVED FIXED

Alias:	CVE-2020-11013, CVE-2020-4053

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://github.com/helm/helm/security...
Whiteboard:	~4 [cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-04-24 21:18 UTC by Sam James
Modified:	2020-06-18 03:09 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-04-24 21:18:00 UTC

Description:
"A malicious chart author could inject a lookup into a chart that, when rendered through helm template, performs unannounced lookups against the cluster a user's KUBECONFIG file points to. This information can then be disclosed via the output of helm template."

Comment 1 Sam James archtester

2020-04-24 21:19:11 UTC

Please note that Helm 2 is NOT affected, only Helm between version 3.1.0 and before version 3.2.0.

@maintainer(s), please create an ebuild for the new 3.2.0 release. Stable version is not affected.

Comment 2 Sam James archtester

2020-05-23 17:34:09 UTC

Ping :)

Comment 3 Sam James archtester

2020-06-16 23:13:17 UTC

* CVE-2020-4053

Description:
"n Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4."

URL: https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f

Comment 4 Larry the Git Cow gentoo-dev

2020-06-18 02:36:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e709a85f98493abe9b2bcddbcf28b27954f5da30

commit e709a85f98493abe9b2bcddbcf28b27954f5da30
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-06-18 02:34:05 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-06-18 02:34:05 +0000

    app-admin/helm: 3.2.4 bump
    
    Bug: https://bugs.gentoo.org/719300
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/Manifest          |   1 +
 app-admin/helm/helm-3.2.4.ebuild | 835 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 836 insertions(+)

Comment 5 Larry the Git Cow gentoo-dev

2020-06-18 03:08:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71b82897731c0cf483ac7a2d9e4225068adff448

commit 71b82897731c0cf483ac7a2d9e4225068adff448
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-06-18 03:05:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-06-18 03:08:02 +0000

    app-admin/helm: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/719300
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/Manifest          | 306 --------------
 app-admin/helm/helm-3.0.3.ebuild | 738 ----------------------------------
 app-admin/helm/helm-3.1.2.ebuild | 737 ----------------------------------
 app-admin/helm/helm-3.1.3.ebuild | 737 ----------------------------------
 app-admin/helm/helm-3.2.0.ebuild | 835 ---------------------------------------
 5 files changed, 3353 deletions(-)

Comment 6 Sam James archtester

2020-06-18 03:09:26 UTC

Cleanup done in 71b82897731c0cf483ac7a2d9e4225068adff448. Thanks!