Bug 1225724 (CVE-2024-37032) - VUL-0: CVE-2024-37032: ollama: digest format not validated when getting the model path
Summary: VUL-0: CVE-2024-37032: ollama: digest format not validated when getting the m...
Status: RESOLVED INVALID
Alias: CVE-2024-37032
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/408296/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-31 10:34 UTC by SMASH SMASH
Modified: 2024-05-31 10:38 UTC (History)
2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-05-31 10:34:30 UTC
Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37032
https://www.cve.org/CVERecord?id=CVE-2024-37032
https://github.com/ollama/ollama/blob/adeb40eaf29039b8964425f69a9315f9f1694ba8/server/modelpath_test.go#L41-L58
https://github.com/ollama/ollama/compare/v0.1.33...v0.1.34
https://github.com/ollama/ollama/pull/4175
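The description above gives the expected digest shape (sha256 with 64 hex digits) and the three malformed inputs the upstream test cases exercise: fewer than 64 hex digits, more than 64, and a leading ../ substring. The Go function below is an added example of what such a check looks like from the defender's side; it is not code from the ollama project or from the linked pull request. The function name BlobsPath, the error value ErrInvalidDigestFormat, the on-disk "sha256-" naming and the baseDir/blobs layout are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrInvalidDigestFormat is returned for any digest that does not match
// "sha256:<64 hex digits>" (or "sha256-<64 hex digits>"). Name is an assumption.
var ErrInvalidDigestFormat = errors.New("invalid digest format")

// digestPattern pins the exact shape: algorithm name, one separator,
// exactly 64 lowercase hex digits, and nothing before or after. Because the
// character class excludes '/', '.' and '\', no path component can sneak in.
var digestPattern = regexp.MustCompile(`^sha256[:-][0-9a-f]{64}$`)

// BlobsPath returns the on-disk path for a blob digest under baseDir, or an
// error if the digest is not a well-formed sha256 digest. Layout is assumed.
func BlobsPath(baseDir, digest string) (string, error) {
	if !digestPattern.MatchString(digest) {
		return "", fmt.Errorf("%w: %q", ErrInvalidDigestFormat, digest)
	}

	// Assumed convention: blobs are stored as "sha256-<hex>" on disk.
	name := strings.Replace(digest, ":", "-", 1)
	blobsDir := filepath.Join(baseDir, "blobs")
	path := filepath.Join(blobsDir, name)

	// Defence in depth: the regex already forbids separators, but confirm the
	// joined path still resolves inside the blobs directory. filepath.Rel
	// returns a nil error for paths that start with "..", so test the prefix.
	rel, err := filepath.Rel(blobsDir, path)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes blobs directory", ErrInvalidDigestFormat, digest)
	}
	return path, nil
}

func main() {
	// Constructed sample inputs mirroring the cases named in the CVE description.
	samples := []string{
		"sha256:" + strings.Repeat("ab", 32), // valid: 64 hex digits
		"sha256:" + strings.Repeat("ab", 31), // too short: 62 hex digits
		"sha256:" + strings.Repeat("ab", 33), // too long: 66 hex digits
		"../sha256-" + strings.Repeat("ab", 32), // leading ../ substring
	}
	for _, d := range samples {
		p, err := BlobsPath("/var/lib/models", d)
		fmt.Printf("%q -> path=%q err=%v\n", d, p, err)
	}
}
```

Rejecting anything outside the anchored pattern before the digest reaches filepath.Join is what closes the traversal case; the filepath.Rel check afterwards is a second, independent guard in case the pattern is ever loosened. Note that the pattern accepts only lowercase hex, so a caller that receives mixed-case digests must normalise them first rather than widen the regex.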
Comment 1 Camila Camargo de Matos 2024-05-31 10:37:25 UTC
openSUSE:Factory, which is the only codestream that contains package ollama, is not affected by this issue, as ollama is already at version 0.1.38.