Bug 1225724 (CVE-2024-37032)

Summary: VUL-0: CVE-2024-37032: ollama: digest format not validated when getting the model path
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: camila.matos, eyadlorenzo
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/408296/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-05-31 10:34:30 UTC
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and so mishandles the inputs exercised by the TestGetBlobsPath test cases: fewer than 64 hex digits, more than 64 hex digits, or a leading ../ substring.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37032
https://www.cve.org/CVERecord?id=CVE-2024-37032
https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58
https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34
https://github.com/ollama/ollama/pull/4175
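Added illustration of the check the description calls for (not code from ollama or the fix in PR 4175): the digest is validated as "sha256:" plus exactly 64 hex digits before it is used to build a blob path, and a containment check on the resulting path acts as an independent second guard. The "sha256:<hex>" input form, the on-disk "sha256-<hex>" name and the blobs directory are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed digest form: "sha256:" followed by exactly 64 lowercase hex digits.
var digestRE = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var ErrInvalidDigest = errors.New("invalid digest format")

// ValidateDigest rejects anything that is not a well-formed sha256 digest,
// which covers the three cases from the description: too short, too long,
// and a leading "../".
func ValidateDigest(digest string) error {
	if !digestRE.MatchString(digest) {
		return ErrInvalidDigest
	}
	return nil
}

// BlobPath maps a digest to a blob file under blobsDir. The digest is
// validated first, so malformed input never reaches the filesystem; the
// containment check afterwards guards against any future change to the
// naming scheme that could reintroduce a path component.
func BlobPath(blobsDir, digest string) (string, error) {
	if err := ValidateDigest(digest); err != nil {
		return "", err
	}
	// Assumed on-disk name: "sha256-<hex>", so ":" never appears in the path.
	name := strings.Replace(digest, ":", "-", 1)
	p := filepath.Join(blobsDir, name)
	rel, err := filepath.Rel(blobsDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidDigest
	}
	return p, nil
}

func main() {
	good := "sha256:" + strings.Repeat("ab", 32)
	for _, d := range []string{good, "sha256:" + strings.Repeat("ab", 31), good + "ff", "../" + good} {
		p, err := BlobPath("/var/lib/ollama/blobs", d) // constructed directory
		fmt.Printf("%q -> %q %v\n", d, p, err)
	}
}
```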
Comment 1 Camila Camargo de Matos 2024-05-31 10:37:25 UTC
openSUSE:Factory, which is the only codestream that contains package ollama, is not affected by this issue, as ollama is already at version 0.1.38.