Discovered and reported by Cornelius Weig, reporting on his behalf.
Impact
Kubectl plugins distributed on Krew have to be packaged as tar or zip archive files.
A bug in Krew's handling of archive files allowed a hand-crafted tar/zip archive containing file entries whose names include relative (../) or absolute paths to write files outside the intended extraction directory, giving a malicious plugin author the ability to write to arbitrary locations on the user's filesystem when the plugin is installed.
All Krew versions before v0.3.2 are known to be affected.
This is a low-severity vulnerability since:
- Plugins widely distributed with Krew are hosted in krew-index repository, which is controlled and approved by Krew maintainers.
- Manual validation of the plugin archive files in krew-index reveals no exploitation of this bug.
- Krew validates downloaded archive files against the checksum listed in the plugin manifest, so plugin authors cannot silently change the underlying archive without going through a manifest update in the krew-index repository.
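The bug class described above (an archive entry name such as ../evil.txt escaping the extraction directory), shown as an added example that is not Krew's own code: a constructed in-memory tar archive with one legitimate plugin file and one traversal entry is fed to a naive extractor that joins the entry name onto the destination with no containment check, and then to a hardened extractor that rejects absolute names and any cleaned path that does not stay under the destination. The function names, the entry names and the sample contents are assumptions for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for an entry that would land outside the extraction directory.
var ErrUnsafePath = errors.New("archive entry escapes extraction directory")

// buildArchive constructs (in memory, for this example) a tar with one legitimate
// plugin entry and one entry whose name climbs out of the extraction directory.
func buildArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"kubectl-foo", "#!/bin/sh\necho foo\n"},           // legitimate plugin binary
		{"../evil.txt", "written outside the plugin dir\n"}, // traversal entry
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o755, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// writeEntry streams one regular-file entry to target, creating parent directories.
func writeEntry(target string, r io.Reader, mode os.FileMode) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = io.Copy(f, r)
	return err
}

// extractUnsafe mirrors the bug class: the entry name is joined onto dstDir with
// no containment check, so "../evil.txt" is written into dstDir's parent.
func extractUnsafe(dstDir string, archive []byte) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if err := writeEntry(filepath.Join(dstDir, hdr.Name), tr, os.FileMode(hdr.Mode)); err != nil {
			return err
		}
	}
}

// safeJoin is the containment check: absolute names are rejected outright, and
// the cleaned joined path must stay strictly under dstDir (this catches "../").
func safeJoin(dstDir, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: absolute name %q", ErrUnsafePath, name)
	}
	dstDir = filepath.Clean(dstDir)
	target := filepath.Join(dstDir, name) // Join cleans, collapsing any ".." segments
	if target != dstDir && !strings.HasPrefix(target, dstDir+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrUnsafePath, name, target)
	}
	return target, nil
}

// extractSafe validates every entry name before writing it and stops at the first
// unsafe one. Entries before it have already been written, so callers should
// extract into a fresh temporary directory and discard it on error.
func extractSafe(dstDir string, archive []byte) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := safeJoin(dstDir, hdr.Name)
		if err != nil {
			return err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if err := writeEntry(target, tr, os.FileMode(hdr.Mode)); err != nil {
			return err
		}
	}
}

func main() {
	root, err := os.MkdirTemp("", "krew-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	archive := buildArchive()
	fmt.Println("unsafe extract:", extractUnsafe(filepath.Join(root, "unsafe", "plugin"), archive))
	_, statErr := os.Stat(filepath.Join(root, "unsafe", "evil.txt"))
	fmt.Println("evil.txt escaped to parent:", statErr == nil)
	fmt.Println("safe extract:", extractSafe(filepath.Join(root, "safe", "plugin"), archive))
}
```

The same check applies to zip entries (zip.File.Name) and to symlink and hardlink targets, which must be validated with the same containment rule before the link is created.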
Patches
Please upgrade to v0.3.2 by running kubectl krew upgrade to download the latest release of Krew, and run kubectl krew version to verify the patch.
Contact
If you would like to report a security vulnerability to Krew, please follow the Kubernetes Security Disclosure program at https://kubernetes.io/docs/reference/issues-security/security/.
If you have any questions or comments about this advisory, please open a new issue in https://github.com/kubernetes-sigs/krew repository.
Acknowledgements
Thanks to Cornelius Weig for reporting this issue and providing the fix.
Thanks to Tim Allclair for helping with the security release process.