RUSTSEC-2022-0103
- Source
- https://rustsec.org/advisories/RUSTSEC-2022-0103
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0103.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/RUSTSEC-2022-0103
- Aliases
- Published
- 2022-03-04T12:00:00Z
- Modified
- 2025-12-21T13:56:13.532985Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Incorrect signature verification on gzip-compressed install images
- Details
-
The coreos-installer is a program to fetch a disk image and stream it to a target disk.
During the installation process the installation image gpg signatures are verified.
The signature verification can be bypassed for gzip-compressed images due to a flaw in gzip coreos-installer wrapper.
When the decoder encounters the gzip trailer, it signals EOF to its output and does not continue reading from its input. As a result, earlier wrappers don't notice that they've reached EOF.
In particular, the GPG wrapper does not check the exit code of GPG.
Thus, if an attacker can substitute an attacker-controlled gzipped disk image, installation will complete successfully without a valid signature.
This vulnerability impacts only specific, User-Provisioned Infrastructure (UPI) installation methods where coreos-installer is used and where gzip-compressed images are configured as the installation source.
The Installer-Provisioned Infrastructure (IPI) bare-metal installs do use coreos-installer, but this installation method uses an install image embedded in the live OS image (ISO or PXE image), therefore is not affected by this vulnerability.
This vulnerability is specific to some upstream Fedora CoreOS installation flows.
- Database specific
{ "license": "CC0-1.0" }- References
Affected packages
crates.io / coreos-installer
Package
- Name
- coreos-installer
- View open source insights on deps.dev
- Purl
- pkg:cargo/coreos-installer