An attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service.
Fix: Fixed in 2be3903. Released
Acknowledgements
Thank you to Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.
An attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service.
Fix: Fixed in 2be3903. Released
Acknowledgements
Thank you to Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.