Apko Resource Exhaustion Vulnerability via Uncontrolled APK Decompression
Vulnerability
A vulnerability in Apko versions from 0.14.8 up to, but not including, 1.1.1 allows resource exhaustion on the build host. The ExpandApk function in the 'pkg/apk/expandapk' package inflates APK streams without enforcing any decompression limit, so the amount of data written out is bounded only by what the compressed input expands to. An attacker who controls an APK repository used by the build (or who can substitute packages served from it) can serve a small, highly compressed APK whose data section inflates into a very large tar stream, a classic decompression bomb. Because nothing caps the expansion, the build host spends unbounded disk space and CPU time inflating it, which leads to build failures or a denial-of-service condition.
Impact
Exploitation of this vulnerability causes excessive disk space and CPU time consumption on the host running the build, leading to build failures or a denial-of-service condition. CI runners that resolve packages from a third-party or compromised repository are the most exposed, since the malicious package is pulled in by a routine image build.
Reproduction
To reproduce this vulnerability, publish a maliciously crafted APK to an APK repository that an Apko build will resolve packages from. The APK should be small on the wire but inflate into a large tar stream (for example, a data section consisting of highly repetitive content, which compresses at very high ratios). Once the repository serves the package, run an Apko build of a container image that depends on it. ExpandApk inflates the package in full, and the uncompressed data consumes significant disk space and processing time, causing the build to fail or the host to become unresponsive.
Remediation
Users should update to Apko version 1.1.1 or later, where this vulnerability has been patched. Until the upgrade is in place, build only against repositories you control and run builds under disk and CPU quotas so that an oversized expansion cannot take down the host.
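The following Go program is an added example written for this page; it is not Apko's own code and does not reproduce the real ExpandApk implementation. It shows the two halves of the issue described above: an expander that copies a gzip-compressed tar stream out with no ceiling (the vulnerable pattern), and a bounded expander that enforces a total inflated-byte budget both from the tar headers and at the decompressed-stream layer. The bomb is constructed inline (a gzip'd tar holding 16 MiB of zeros, which compresses to a few tens of kilobytes), so the program runs offline. The function names, the budget value and the entry path are assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when the inflated tar stream would exceed the budget.
var ErrDecompressionLimit = errors.New("decompressed stream exceeds limit")

// countingReader records how many inflated bytes the tar reader has consumed.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// makeTarBomb builds a constructed sample: a gzip-compressed tar whose single entry
// holds n bytes of zeros. Zeros deflate at roughly 1000:1, so tens of KB inflate to many MB.
func makeTarBomb(n int64) []byte {
	var buf bytes.Buffer
	zw, _ := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	tw := tar.NewWriter(zw)
	_ = tw.WriteHeader(&tar.Header{Name: "usr/share/bomb.bin", Mode: 0o644, Size: n}) // hypothetical path
	chunk := make([]byte, 64*1024)
	for remaining := n; remaining > 0; {
		c := chunk
		if remaining < int64(len(chunk)) {
			c = chunk[:remaining]
		}
		_, _ = tw.Write(c)
		remaining -= int64(len(c))
	}
	_ = tw.Close()
	_ = zw.Close()
	return buf.Bytes()
}

// expandUnbounded mirrors the vulnerable pattern: every entry is inflated in full,
// trusting whatever the remote repository served. Returns the number of content bytes inflated.
func expandUnbounded(apk []byte) (int64, error) {
	zr, err := gzip.NewReader(bytes.NewReader(apk))
	if err != nil {
		return 0, err
	}
	defer zr.Close()
	tr := tar.NewReader(zr)
	var total int64
	for {
		if _, err := tr.Next(); err == io.EOF {
			return total, nil
		} else if err != nil {
			return total, err
		}
		n, err := io.Copy(io.Discard, tr)
		total += n
		if err != nil {
			return total, err
		}
	}
}

// expandBounded caps the inflated stream at maxBytes. The declared entry size gives a cheap
// early reject; the LimitReader under the tar reader enforces the budget on the bytes actually
// inflated, independent of what the attacker-controlled headers claim.
func expandBounded(apk []byte, maxBytes int64) (int64, error) {
	zr, err := gzip.NewReader(bytes.NewReader(apk))
	if err != nil {
		return 0, err
	}
	defer zr.Close()
	cr := &countingReader{r: io.LimitReader(zr, maxBytes+1)} // one byte past the budget means "too big"
	tr := tar.NewReader(cr)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return cr.n, nil
		}
		if err != nil || cr.n > maxBytes {
			if cr.n > maxBytes {
				return maxBytes, ErrDecompressionLimit
			}
			return cr.n, err
		}
		if hdr.Size < 0 || hdr.Size > maxBytes-cr.n {
			return cr.n, ErrDecompressionLimit
		}
		if _, err := io.Copy(io.Discard, tr); err != nil {
			if cr.n > maxBytes {
				return maxBytes, ErrDecompressionLimit
			}
			return cr.n, err
		}
	}
}

func main() {
	bomb := makeTarBomb(16 << 20) // 16 MiB of zeros on the inflated side
	fmt.Printf("compressed size on the wire: %d bytes\n", len(bomb))
	n, err := expandUnbounded(bomb)
	fmt.Printf("unbounded expand: %d bytes inflated, err=%v\n", n, err)
	n, err = expandBounded(bomb, 1<<20) // assumed budget of 1 MiB for the example
	fmt.Printf("bounded expand: %d bytes inflated, err=%v\n", n, err)
}
```

The budget is deliberately enforced twice: the header check rejects the bomb before any of its body is inflated, while the LimitReader at the decompressed-stream layer still holds if a stream is malformed or a header understates its size. Setting the budget in a real build should be based on the largest legitimate package the pipeline is expected to install, with headroom, rather than an arbitrary constant.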
