=====================================================================
CERT-Renater Information Note No. 2025/VULN036
_____________________________________________________________________

DATE : 22/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running HashiCorp's go-slug library, versions prior to 0.16.3.

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack/72719
_____________________________________________________________________

HCSEC-2025-01 - HashiCorp go-slug Vulnerable to Zip Slip Attack
Posted in Security by dduzgun-security, January 21, 2025, 3:24pm

Bulletin ID: HCSEC-2025-01
Affected Products / Versions: go-slug up to 0.16.2; fixed in go-slug 0.16.3.
Publication Date: January 21, 2025

Summary

HashiCorp's go-slug library is vulnerable to a zip-slip style attack when a non-existing, user-provided path taken from a tar entry is extracted. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.

Background

HashiCorp's go-slug shared library offers functions for packing and unpacking Terraform Enterprise compatible slugs. Slugs are gzip-compressed tar files containing Terraform configuration files.

Details

When go-slug performs an extraction, the filename/extraction path is taken from the tar entry via header.Name. It was discovered that the unpacking step improperly validated paths, potentially leading to path traversal and allowing an attacker to write an arbitrary file during extraction.

Remediation

Consumers of the go-slug shared library should evaluate the risk associated with this issue in the context of their go-slug usage and upgrade go-slug to 0.16.3 or later. The latest go-slug releases can be found at Releases · hashicorp/go-slug · GitHub.

Acknowledgement

This issue was identified by HashiCorp's Product Security team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================
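The Details section places the flaw at the point where the extraction path is built from header.Name and insufficiently validated. The following Go code is an added example written for this note, not go-slug's own code or HashiCorp's fix: the names SafeJoin, ExtractTar, BuildSampleTar and ErrPathEscape are assumptions, and the archive contents are constructed. It shows a purely lexical containment check, which gives the same answer whether or not the target path already exists, applied to every entry before anything is written, with a constructed archive containing one benign entry and one traversal entry so the rejection can be observed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a tar entry name would land outside the destination directory.
var ErrPathEscape = errors.New("tar entry escapes destination directory")

// SafeJoin (hypothetical helper, not go-slug's own code) joins dst with the entry's header.Name and
// checks lexically that the cleaned result stays under dst. It never consults the filesystem, so
// it behaves the same whether or not the target path exists yet.
func SafeJoin(dst, name string) (string, error) {
	// Join cleans the result, collapsing ".." segments; a leading "/" in name simply ends up under dst
	target := filepath.Join(dst, name)
	rel, err := filepath.Rel(dst, target)
	if err != nil {
		return "", ErrPathEscape
	}
	// Any ".." left after cleaning means the entry climbed above dst
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return target, nil
}

// ExtractTar unpacks a tar stream into dst and returns the names of entries it refused to write.
func ExtractTar(r io.Reader, dst string) ([]string, error) {
	var rejected []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if errors.Is(err, tar.ErrInsecurePath) {
			// Go 1.20+ flags such names itself under GODEBUG=tarinsecurepath=0; hdr is still valid
			rejected = append(rejected, hdr.Name)
			continue
		}
		if err != nil {
			return rejected, err
		}
		target, err := SafeJoin(dst, hdr.Name)
		if err != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return rejected, err
			}
		case tar.TypeReg:
			// Parents are created here, never from a symlink in the archive, so they stay under dst
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return rejected, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return rejected, err
			}
			_, copyErr := io.Copy(f, tr)
			f.Close()
			if copyErr != nil {
				return rejected, copyErr
			}
		default:
			rejected = append(rejected, hdr.Name) // symlinks, hard links, devices: not needed for slugs
		}
	}
}

// BuildSampleTar returns a constructed in-memory archive: one ordinary Terraform file plus one
// entry whose name tries to climb out of the destination.
func BuildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"main.tf", "resource \"null_resource\" \"x\" {}\n"},
		{"../../escaped.txt", "should never be written\n"},
	} {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(e.body)) // constructed data; a short write would surface as an error in Close
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}
```

Running ExtractTar over BuildSampleTar's archive writes main.tf and returns ["../../escaped.txt"] as the single rejected entry. The containment check deliberately works on the cleaned path string rather than on the filesystem: a check that only validates paths which already exist on disk is exactly the kind that a not-yet-existing entry name can slip past. Refusing symlink entries keeps MkdirAll from being redirected through a link planted by an earlier entry; a slug of Terraform configuration files does not need them.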