Bug 1227014

Summary:	VUL-0: CVE-2024-6257: helmfile: hashicorp/go-getter: Arbitrary command execution through local git config file
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Carlos López <carlos.lopez>
Component:	Incidents	Assignee:	Manfred Hollstein <manfred.h>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/412112/
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1227011

Description Carlos López 2024-06-26 08:52:45 UTC

helmfile embeds hashicorp/go-getter:

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6257
https://www.cve.org/CVERecord?id=CVE-2024-6257
https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
https://bugzilla.redhat.com/show_bug.cgi?id=2294254

Comment 1 Manfred Hollstein 2024-06-26 13:13:51 UTC

Fixed with: https://build.opensuse.org/request/show/1183440

See also: https://github.com/helmfile/helmfile/commit/73731a158a3fdb42a51a1c3c982b1a7eeed6df50

Comment 2 Manfred Hollstein 2024-06-27 15:37:26 UTC

SR https://build.opensuse.org/request/show/1183440 has been accepted, so the next openSUSE:Factory build will contain a fixed version of helmfile.