Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 719300 (CVE-2020-11013, CVE-2020-4053) - app-admin/helm: Multiple vulnerabilities (CVE-2020-{4053,11013})
Summary: app-admin/helm: Multiple vulnerabilities (CVE-2020-{4053,11013})
Status: RESOLVED FIXED
Alias: CVE-2020-11013, CVE-2020-4053
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/helm/helm/security...
Whiteboard: ~4 [cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-24 21:18 UTC by Sam James
Modified: 2020-06-18 03:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-04-24 21:18:00 UTC
Description:
"A malicious chart author could inject a lookup into a chart that, when rendered through helm template, performs unannounced lookups against the cluster a user's KUBECONFIG file points to. This information can then be disclosed via the output of helm template."
Comment 1 Sam James archtester gentoo-dev Security 2020-04-24 21:19:11 UTC
Please note that Helm 2 is NOT affected, only Helm between version 3.1.0 and before version 3.2.0.

@maintainer(s), please create an ebuild for the new 3.2.0 release. Stable version is not affected.
Comment 2 Sam James archtester gentoo-dev Security 2020-05-23 17:34:09 UTC
Ping :)
Comment 3 Sam James archtester gentoo-dev Security 2020-06-16 23:13:17 UTC
* CVE-2020-4053

Description:
"n Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4."

URL: https://github.com/helm/helm/security/advisories/GHSA-qq3j-xp49-j73f
Comment 4 Larry the Git Cow gentoo-dev 2020-06-18 02:36:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e709a85f98493abe9b2bcddbcf28b27954f5da30

commit e709a85f98493abe9b2bcddbcf28b27954f5da30
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-06-18 02:34:05 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-06-18 02:34:05 +0000

    app-admin/helm: 3.2.4 bump
    
    Bug: https://bugs.gentoo.org/719300
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/Manifest          |   1 +
 app-admin/helm/helm-3.2.4.ebuild | 835 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 836 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2020-06-18 03:08:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71b82897731c0cf483ac7a2d9e4225068adff448

commit 71b82897731c0cf483ac7a2d9e4225068adff448
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-06-18 03:05:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-06-18 03:08:02 +0000

    app-admin/helm: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/719300
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/Manifest          | 306 --------------
 app-admin/helm/helm-3.0.3.ebuild | 738 ----------------------------------
 app-admin/helm/helm-3.1.2.ebuild | 737 ----------------------------------
 app-admin/helm/helm-3.1.3.ebuild | 737 ----------------------------------
 app-admin/helm/helm-3.2.0.ebuild | 835 ---------------------------------------
 5 files changed, 3353 deletions(-)
Comment 6 Sam James archtester gentoo-dev Security 2020-06-18 03:09:26 UTC
Cleanup done in 71b82897731c0cf483ac7a2d9e4225068adff448. Thanks!