[Bug 1208089] New: VUL-0: CVE-2023-25165: helmfile: helm: getHostByName Function Information Disclosure
https://bugzilla.suse.com/show_bug.cgi?id=1208089 Bug ID: 1208089 Summary: VUL-0: CVE-2023-25165: helmfile: helm: getHostByName Function Information Disclosure Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other URL: https://smash.suse.de/issue/356535/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: manfred.h@gmx.net Reporter: thomas.leroy@suse.com QA Contact: security-team@suse.de Blocks: 1208083 Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1208083 +++ CVE-2023-25165 Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-25165 https://bugzilla.redhat.com/show_bug.cgi?id=2168458 https://www.cve.org/CVERecord?id=CVE-2023-25165 https://github.com/helm/helm/commit/5abcf74227bfe8e5a3dbf105fe62e7b12deb58d2 https://github.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 https://bugzilla.suse.com/show_bug.cgi?id=1208089#c1 --- Comment #1 from Manfred Hollstein <manfred.h@gmx.net> --- FWIW, I have added a "Require: helm >= 3.11.1" to helmfile.spec. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 Manfred Hollstein <manfred.h@gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |manfred.h@gmx.net -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 https://bugzilla.suse.com/show_bug.cgi?id=1208089#c2 John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |adrian.glaubitz@suse.com --- Comment #2 from John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> --- helmfile has not been fixed upstream yet. I have therefore created an issue for that in the upstream bug tracker:
The bug will hopefully fixed upstream within the next hours with upstream updating the bundled helm version to 3.11.1 and creating a new upstream release. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 https://bugzilla.suse.com/show_bug.cgi?id=1208089#c4 --- Comment #4 from John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> --- (In reply to Manfred Hollstein from comment #3)
(In reply to John Paul Adrian Glaubitz from comment #2)
helmfile has not been fixed upstream yet.
I have therefore created an issue for that in the upstream bug tracker:
The bug will hopefully fixed upstream within the next hours with upstream updating the bundled helm version to 3.11.1 and creating a new upstream release.
You should add this to
https://github.com/helmfile/helmfile
which is where helmfile's home is now. The old one will not see any updates anymore.
Thanks, I will create a bug report there as well.
What do you mean with "the bundled helm version"? helmfile does not include its own helm, but rather requires its existance. I expect the helm version in OBS to be fixed by its maintainer.
It actually does. Look at the vendor.tar.gz: glaubitz@suse-laptop:~/suse/devel:kubic/helmfile> tar tf vendor.tar.gz |grep helm|head -n10 vendor/helm.sh/ vendor/sigs.k8s.io/kustomize/api/types/helmchartargs.go vendor/helm.sh/helm/ vendor/helm.sh/helm/v3/ vendor/helm.sh/helm/v3/internal/ vendor/helm.sh/helm/v3/LICENSE vendor/helm.sh/helm/v3/pkg/ vendor/helm.sh/helm/v3/pkg/chart/ vendor/helm.sh/helm/v3/pkg/cli/ vendor/helm.sh/helm/v3/pkg/getter/ glaubitz@suse-laptop:~/suse/devel:kubic/helmfile> -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 https://bugzilla.suse.com/show_bug.cgi?id=1208089#c5 --- Comment #5 from John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> --- helmfile has updated their shipped helm version to 3.11.1:
But they haven't tagged a new release yet. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 https://bugzilla.suse.com/show_bug.cgi?id=1208089#c6 --- Comment #6 from Manfred Hollstein <manfred.h@gmx.net> --- From https://github.com/helmfile/helmfile/blob/main/README.md: ``` To avoid upgrades for each iteration of helm, the helmfile executable delegates to helm - as a result, helm must be installed. ��� And helmfile-0.150.0-107.1.x86_64.rpm does not contain any helm executable at all: $ rpm -qp helmfile-0.150.0-107.1.x86_64.rpm -l /usr/bin/helmfile /usr/share/doc/packages/helmfile /usr/share/doc/packages/helmfile/README.md /usr/share/licenses/helmfile /usr/share/licenses/helmfile/LICENSE Our https://build.opensuse.org/package/show/Virtualization:containers/helm is already at version 3.11.1, so with helmfile requiring helm >= 3.11.1 we are on the safe side already, aren't we? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 https://bugzilla.suse.com/show_bug.cgi?id=1208089#c7 --- Comment #7 from John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> --- (In reply to Manfred Hollstein from comment #6)
Our https://build.opensuse.org/package/show/Virtualization:containers/helm is already at version 3.11.1, so with helmfile requiring helm >= 3.11.1 we are on the safe side already, aren't we?
I do not know the helmfile source code well enough to be able to rule out they use any of the vulnerable code. There is a reason, they're shipping an embedded source code copy of helm, isn't there? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208089 https://bugzilla.suse.com/show_bug.cgi?id=1208089#c8 --- Comment #8 from Manfred Hollstein <manfred.h@gmx.net> --- (In reply to John Paul Adrian Glaubitz from comment #7)
I do not know the helmfile source code well enough to be able to rule out they use any of the vulnerable code. There is a reason, they're shipping an embedded source code copy of helm, isn't there?
I do not know either, I'm just packaging it. What I do know, though, is that helmfile complains that it doesn't find a working helm program if it is not installed as a separate binary. In my last job we where using helm and helmfile to deploy and maintain a large set of applications in our cloud. Anyway, they have released version 0.151.0 over the weekend which has this: Support helm 3.11.1 (#695) Looking at that commit (https://github.com/helmfile/helmfile/pull/695/commits/9449164921819b1a32c5c9...) does not show any helm code, just references to the new version. I have submitted the updated package to Factory now: https://build.opensuse.org/request/show/1066782 Please take a look and close this issue if you think this is appropriate. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com