{"id":"RUSTSEC-2022-0103","summary":"Incorrect signature verification on gzip-compressed install images","details":"coreos-installer is a program that fetches a disk image and\nstreams it to a target disk.\n\nDuring installation, the GPG signature of the install image is\nverified while the image is streamed.\n\nFor gzip-compressed images the signature verification can be\nbypassed because of a flaw in coreos-installer's gzip wrapper.\n\nWhen the gzip decoder reaches the gzip trailer, it reports EOF\nto its consumer and stops reading from its input. As a result,\nthe wrappers beneath it never observe EOF on the source stream.\n\nIn particular, the GPG wrapper, which only checks GPG's exit\ncode once it sees EOF, never checks it.\n\nThus, if an attacker can substitute an attacker-controlled\ngzip-compressed disk image, installation completes successfully\nwithout a valid signature.\n\nThis vulnerability affects only specific User-Provisioned\nInfrastructure (UPI) installation methods in which coreos-installer\nis used and a gzip-compressed image is configured as the\ninstallation source.\n\nInstaller-Provisioned Infrastructure (IPI) bare-metal installs\nalso use coreos-installer, but that installation method uses an\ninstall image embedded in the live OS image (ISO or PXE image)\nand is therefore not affected by this vulnerability.\n\nThis vulnerability is specific to some upstream Fedora CoreOS\ninstallation flows.","aliases":["CVE-2021-20319","GHSA-3r3g-g73x-g593"],"modified":"2025-12-21T14:11:01.036603Z","published":"2022-03-04T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/coreos-installer"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0103.html"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2011862"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20319"}],"affected":[{"package":{"name":"coreos-installer","ecosystem":"crates.io","purl":"pkg:cargo/coreos-installer"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.10.1"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"informational":null,"categories":["privilege-escalation"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0103.json","cvss":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}
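The failure mode the advisory describes is a layering bug in a chain of `Read` wrappers: the verifier sits closest to the source and can only rule once it sees EOF, while the decoder above it reports EOF to the disk writer as soon as it sees the trailer, without ever pulling the source to EOF. The Rust below is an added illustration written for this page, not coreos-installer's own code: `VerifyReader`, `ToyDecoder`, `install`, `frame` and the `drain` flag are hypothetical names, the "signature" is a constructed FNV-1a digest standing in for `gpg --verify`, the trailer is a single constructed 0xFF byte rather than real gzip framing, and the remedy shown (drain the source after the trailer, then require that the verifier actually reached a verdict) is the general fix for this class of bug, not a description of the 0.10.1 patch. The same chain is run in vulnerable and fixed form over a genuine artifact and an attacker-substituted one.

```rust
use std::io::{self, Read};

// Constructed stand-in for the gzip trailer: a toy frame is the payload followed by
// this byte. Real gzip framing is not implemented here; payloads must avoid 0xFF.
const TRAILER: u8 = 0xFF;
const FNV_OFFSET: u64 = 0xcbf2_9ce4_8422_2325;
const FNV_PRIME: u64 = 0x0000_0100_0000_01b3;

/// Toy stand-in for the GPG signature (an assumption, not a real signature): FNV-1a over
/// the whole artifact, trailer included. It only models a verifier whose verdict exists
/// once the entire input has been consumed.
fn toy_sign(data: &[u8]) -> u64 {
    data.iter().fold(FNV_OFFSET, |h, b| (h ^ u64::from(*b)).wrapping_mul(FNV_PRIME))
}

/// The GPG wrapper's role: feed every byte to the verifier and check its verdict only
/// when the inner source reports EOF, because a streaming verifier cannot rule earlier.
struct VerifyReader<R: Read> { inner: R, expected: u64, running: u64, ruled: bool }

impl<R: Read> VerifyReader<R> {
    fn new(inner: R, expected: u64) -> Self {
        VerifyReader { inner, expected, running: FNV_OFFSET, ruled: false }
    }
    /// Did the verifier ever rule? A hardened caller refuses to report success otherwise.
    fn finish(&self) -> io::Result<()> {
        if self.ruled { return Ok(()); }
        Err(io::Error::new(io::ErrorKind::Other, "verifier never saw EOF; no verdict"))
    }
}

impl<R: Read> Read for VerifyReader<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        let n = self.inner.read(buf)?;
        if n == 0 {
            self.ruled = true; // the "check GPG's exit code" point
            if self.running != self.expected {
                return Err(io::Error::new(io::ErrorKind::InvalidData, "signature verification failed"));
            }
            return Ok(0);
        }
        for b in &buf[..n] {
            self.running = (self.running ^ u64::from(*b)).wrapping_mul(FNV_PRIME);
        }
        Ok(n)
    }
}

/// Toy decompressor layered on the verifier: passes bytes through until the trailer, then
/// reports EOF to its consumer. `drain` false = stop reading the source at the trailer
/// (vulnerable); `drain` true = read the source to its real EOF so the verifier can rule.
struct ToyDecoder<R: Read> { inner: R, done: bool, drain: bool }

impl<R: Read> Read for ToyDecoder<R> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        if self.done || buf.is_empty() { return Ok(0); }
        let (mut written, mut byte) = (0, [0u8; 1]);
        while written < buf.len() {
            if self.inner.read(&mut byte)? == 0 {
                return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "frame ended before trailer"));
            }
            if byte[0] == TRAILER {
                self.done = true;
                if self.drain {
                    io::copy(&mut self.inner, &mut io::sink())?; // surfaces the verifier's error
                }
                break;
            }
            buf[written] = byte[0];
            written += 1;
        }
        Ok(written)
    }
}

/// Streams artifact -> verifier -> decoder -> "disk" (a Vec here) and returns the bytes
/// that would have been written, or the first error any layer raised.
fn install(artifact: &[u8], claimed_sig: u64, fixed: bool) -> io::Result<Vec<u8>> {
    let mut decoder = ToyDecoder { inner: VerifyReader::new(artifact, claimed_sig), done: false, drain: fixed };
    let mut disk = Vec::new();
    io::copy(&mut decoder, &mut disk)?;
    if fixed { decoder.inner.finish()?; } // belt and braces: success requires a verdict
    Ok(disk)
}

/// Lays out a toy artifact: payload followed by the trailer.
fn frame(payload: &[u8]) -> Vec<u8> { let mut f = payload.to_vec(); f.push(TRAILER); f }

fn main() {
    let genuine = frame(b"genuine-disk-image");
    let swapped = frame(b"attacker-disk-image"); // constructed attacker-controlled artifact
    let sig = toy_sign(&genuine); // the signature published for the genuine artifact
    for (label, art, fixed) in [("vulnerable/genuine", &genuine, false), ("vulnerable/swapped", &swapped, false),
                                ("fixed/genuine", &genuine, true), ("fixed/swapped", &swapped, true)] {
        println!("{}: {:?}", label, install(art, sig, fixed).map(|d| d.len()));
    }
}
```

Run as a binary, the vulnerable chain reports `Ok(19)` for the swapped artifact: every byte went through the verifier, but nobody ever asked for its verdict. Two independent controls close that gap: the decoder drains the source after the trailer so the verifier observes EOF, and the caller refuses to report success unless `finish()` confirms a verdict was reached, so a future decoder that again short-circuits EOF fails closed instead of open.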