rustsec-2022-0103
Vulnerability from osv_rustsec
Published
2022-03-04 12:00
Modified
2025-12-21 13:45
Summary
Incorrect signature verification on gzip-compressed install images
Details

The coreos-installer is a program to fetch a disk image and stream it to a target disk.

During the installation process the installation image gpg signatures are verified.

The signature verification can be bypassed for gzip-compressed images due to a flaw in gzip coreos-installer wrapper.

When the decoder encounters the gzip trailer, it signals EOF to its output and does not continue reading from its input. As a result, earlier wrappers don't notice that they've reached EOF.

In particular, the GPG wrapper does not check the exit code of GPG.

Thus, if an attacker can substitute an attacker-controlled gzipped disk image, installation will complete successfully without a valid signature.

This vulnerability impacts only specific, User-Provisioned Infrastructure (UPI) installation methods where coreos-installer is used and where gzip-compressed images are configured as the installation source.

The Installer-Provisioned Infrastructure (IPI) bare-metal installs do use coreos-installer, but this installation method uses an install image embedded in the live OS image (ISO or PXE image), therefore is not affected by this vulnerability.

This vulnerability is specific to some upstream Fedora CoreOS installation flows.

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "privilege-escalation"
        ],
        "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "coreos-installer",
        "purl": "pkg:cargo/coreos-installer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.10.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2021-20319",
    "GHSA-3r3g-g73x-g593"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "The coreos-installer is a program to fetch a disk image and\nstream it to a target disk.\n\nDuring the installation process the installation image gpg\nsignatures are verified.\n\nThe signature verification can be bypassed for gzip-compressed\nimages due to a flaw in gzip coreos-installer wrapper.\n\nWhen the decoder encounters the gzip trailer, it signals EOF\nto its output and does not continue reading from its input.\nAs a result, earlier wrappers don\u0027t notice that they\u0027ve reached\nEOF.\n\nIn particular, the GPG wrapper does not check the exit code of GPG.\n\nThus, if an attacker can substitute an attacker-controlled\ngzipped disk image, installation will complete successfully\nwithout a valid signature.\n\nThis vulnerability impacts only specific, User-Provisioned\nInfrastructure (UPI) installation methods where coreos-installer\nis used and where gzip-compressed images are configured as\nthe installation source.\n\nThe Installer-Provisioned Infrastructure (IPI) bare-metal\ninstalls do use coreos-installer, but this installation\nmethod uses an install image embedded in the live OS image\n(ISO or PXE image), therefore is not affected by this\nvulnerability.\n\nThis vulnerability is specific to some upstream Fedora\nCoreOS installation flows.",
  "id": "RUSTSEC-2022-0103",
  "modified": "2025-12-21T13:45:28Z",
  "published": "2022-03-04T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/coreos-installer"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0103.html"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011862"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20319"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect signature verification on gzip-compressed install images"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.