osec-2023-01
Vulnerability from osv_ocaml
Published
2023-05-25 12:00
Modified
2026-01-09 12:00
Summary
Time of check time of use issue in opam's cache
Details
Bug description
Opam uses since version 2.0.0 a download cache: if a source artifact is needed, first its hash is looked up in the local cache (~/.opam/download-cache//). Opam supports multiple hash algorithms, a cache lookup tries all hash algorithms present in the opam file. Before opam 2.1.5, the hash of a cache entry as encoded in its file name was trusted and not checked against its content.
If a package specifies only a single (non-weak) hash algorithm, this lead to the source artifact taken as is, any error while writing the artifact into the cache, or reading it from the cache, was not detected. Also, in certain setups, if the download cache is shared (writable) across containers (for example in some CI systems), this leads to the possibility of cache poisoning.
Thanks to Raja and Kate, the issue was fixed in PR 5538
Timeline
The timeline of this issue is as follows:
- Feb 23rd 2023 conducted black-box security audit of opam
- Feb 24th 2023 reported to the opam team
- Feb 27th 2023 video meeting with the opam team, explaining the issue further
- Mar 27th 2023 initial review meeting of the patches developed by the opam team
- May 9th 2023 public PR fixing the issue discovered
- May 25th 2023 release of opam 2.1.5
Credits
Reynir Björnsson
Hannes Mehnert
Kate
Raja Boujbel
{
"affected": [
{
"ecosystem_specific": {
"opam_constraint": "opam-repository {\u003e= \"2\" \u0026 \u003c \"2.1.5\"}"
},
"package": {
"ecosystem": "opam",
"name": "opam-repository",
"purl": "pkg:opam/opam-repository"
},
"ranges": [
{
"events": [
{
"introduced": "2"
},
{
"fixed": "2.1.5"
}
],
"type": "ECOSYSTEM"
},
{
"events": [
{
"fixed": "7a538fd0bf3b3956d84bb25d0f6b1126fa177595"
},
{
"introduced": "cfa4e77b49d0bccaf5c91b2e6f36089aab5e0540"
}
],
"repo": "https://github.com/ocaml/opam",
"type": "GIT"
}
],
"versions": [
"2.0.0",
"2.0.0~beta",
"2.0.0~beta3",
"2.0.0~beta3.1",
"2.0.0~beta5",
"2.0.0~rc",
"2.0.0~rc2",
"2.0.0~rc3",
"2.0.1",
"2.0.10",
"2.0.2",
"2.0.3",
"2.0.4",
"2.0.5",
"2.0.6",
"2.0.7",
"2.0.8",
"2.0.9",
"2.0~alpha5",
"2.1.0",
"2.1.0~beta2",
"2.1.0~beta4",
"2.1.0~rc",
"2.1.0~rc2",
"2.1.1",
"2.1.2",
"2.1.3",
"2.1.4"
]
}
],
"credits": [
{
"name": "Reynir Bj\u00f6rnsson",
"type": "REPORTER"
},
{
"name": "Hannes Mehnert",
"type": "REPORTER"
},
{
"name": "Kate",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Raja Boujbel",
"type": "REMEDIATION_REVIEWER"
}
],
"database_specific": {
"cwe": [
"CWE-354"
],
"human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2023/OSEC-2023-01.md",
"osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2023/OSEC-2023-01.json"
},
"details": "## Bug description\n\nOpam uses since version 2.0.0 a download cache: if a source artifact is needed, first its hash is looked up in the local cache (~/.opam/download-cache/\u003chash-algorihm\u003e/\u003chash\u003e). Opam supports multiple hash algorithms, a cache lookup tries all hash algorithms present in the opam file. Before opam 2.1.5, the hash of a cache entry as encoded in its file name was trusted and not checked against its content.\n\nIf a package specifies only a single (non-weak) hash algorithm, this lead to the source artifact taken as is, any error while writing the artifact into the cache, or reading it from the cache, was not detected. Also, in certain setups, if the download cache is shared (writable) across containers (for example in some CI systems), this leads to the possibility of cache poisoning.\n\nThanks to Raja and Kate, the issue was fixed in [PR 5538](https://github.com/ocaml/opam/pull/5538)\n\n## Timeline\n\nThe timeline of this issue is as follows:\n\n- Feb 23rd 2023 conducted black-box security audit of opam\n- Feb 24th 2023 reported to the opam team\n- Feb 27th 2023 video meeting with the opam team, explaining the issue further\n- Mar 27th 2023 initial review meeting of the patches developed by the opam team\n- May 9th 2023 public PR fixing the issue discovered\n- May 25th 2023 release of opam 2.1.5",
"id": "OSEC-2023-01",
"modified": "2026-01-09T12:00:00Z",
"published": "2023-05-25T12:00:00Z",
"references": [
{
"type": "FIX",
"url": "https://github.com/ocaml/opam/pull/5538"
},
{
"type": "ARTICLE",
"url": "https://opam.ocaml.org/blog/opam-2-1-5-local-cache/"
}
],
"schema_version": "1.7.4",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Time of check time of use issue in opam\u0027s cache"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…