Apko OCI Image Builder File Permission Vulnerability Allowing Potential Root Escalation

Vulnerability

A vulnerability has been identified in Apko, a tool for building and publishing OCI container images from APK packages. Versions from 0.27.0 up to, but not including, 0.29.5 write the image's /etc/ld.so.cache with mode 0666, that is, world-writable. The issue was introduced in version 0.27.0. ld.so.cache is the dynamic linker's lookup cache: at process start, ld.so consults it to resolve shared-library names to file paths, so every dynamically linked program in the image, including those running as root, trusts its contents. Because an affected image ships the file world-writable, a local unprivileged user in a container built from it can rewrite the cache, point the dynamic loader at directories under their control, and potentially have higher-privileged processes load malicious libraries, escalating privileges to root.

Impact

A local unprivileged user can use the world-writable ld.so.cache to add directories containing malicious dynamic libraries to the dynamic loader path. Any higher-privileged process that subsequently loads a shared library by name may then receive the attacker's copy instead of the legitimate one, potentially leading to privilege escalation to root.

Remediation

Upgrade to Apko version 0.29.5 or later, which writes the ld.so.cache file with the correct mode of 0644 (writable by the owner only). The updated version is available on the GitHub Releases page. Upgrading the builder does not alter images that were already produced: an image built with an affected version carries the world-writable file until it is rebuilt, and containers started from such an image should be redeployed from the rebuilt one.
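As an added example (not part of this advisory and not apko's own code), the following shell script audits an extracted image root filesystem for the condition described above, a group- or world-writable etc/ld.so.cache, and applies the same 0644 mode the fixed release writes. The function names, the rootfs argument, and the temporary directory used for the demonstration are assumptions; the script assumes a POSIX sh with find(1), chmod(1) and ls(1) available.

```shell
#!/bin/sh
# Added example, not apko's own code: audit an extracted container rootfs for
# the condition in this advisory (a group- or world-writable /etc/ld.so.cache)
# and apply the same correction the fixed release makes (mode 0644).
# Assumptions: POSIX sh; find(1) accepting octal -perm; the rootfs argument is
# a directory you extracted from the image (see the usage note below).

# Returns 0 when etc/ld.so.cache is absent or not writable by group/other,
# 1 when it is writable by group or other (the advisory's 0666 case).
check_ldso_cache_mode() {
  rootfs="${1:?usage: check_ldso_cache_mode ROOTFS_DIR}"
  cache="$rootfs/etc/ld.so.cache"

  if [ ! -f "$cache" ]; then
    echo "OK: $cache not present, nothing to check"
    return 0
  fi

  # -perm -002: the other-write bit is set; -perm -020: the group-write bit
  # is set. Either lets a non-root user or service account rewrite the cache
  # that every dynamically linked program in the image trusts.
  if [ -n "$(find "$cache" -perm -002 -print)" ] ||
     [ -n "$(find "$cache" -perm -020 -print)" ]; then
    echo "FAIL: $cache is writable by group or other:"
    ls -l "$cache"
    return 1
  fi

  echo "OK: $cache is not writable by group or other:"
  ls -l "$cache"
  return 0
}

# The same mode apko 0.29.5 writes at build time, applied to an already
# extracted rootfs. This repairs only the local copy; the durable fix is to
# rebuild the image with a patched apko.
fix_ldso_cache_mode() {
  rootfs="${1:?usage: fix_ldso_cache_mode ROOTFS_DIR}"
  chmod 0644 "$rootfs/etc/ld.so.cache"
}

# Usage: sh check_ldso_cache.sh /path/to/extracted/rootfs
if [ -n "${1:-}" ]; then
  check_ldso_cache_mode "$1"
fi
```

To obtain a rootfs from a built image without running it, create a stopped container and export it, for example `docker create --name probe IMAGE` followed by `docker export probe | tar -x -C rootfs`; then run the script against the `rootfs` directory. A failing check on an image means it was built with an affected apko and should be rebuilt with 0.29.5 or later rather than patched in place.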

Added: Jul 18, 2025, 4:31 PM
Updated: Jul 18, 2025, 4:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.0
exploitability: 4.0
remediation: 7.7
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.