anchore syft
cpe:2.3:a:anchore:syft:*:*:*:*:*:*:*
- < v1.42.3
A denial-of-service vulnerability has been identified in Syft, a CLI tool and Go library for generating Software Bill of Materials (SBOM) from container images and filesystems. This issue affects Syft versions prior to v1.42.3. The vulnerability arises because Syft does not properly clean up temporary storage if it becomes full during a scan. When scanning archives, Syft unpacks the contents into temporary storage for inspection. Normally, Syft removes this temporary data after a scan is completed. However, if the temporary storage is exhausted, Syft raises an error and exits without deleting the temporary files, leading to a buildup of unused files. This issue can be easily reproduced by scanning large or highly compressed files, such as a 'zipbomb'. The improper cleanup of temporary files can fill up the temporary storage, hindering future operations of Syft or other system utilities that depend on available temporary space.
Exploitation of this vulnerability can lead to a denial-of-service condition, where temporary storage is filled up, causing future runs of Syft or other system utilities that rely on temporary storage to fail.
To reproduce this vulnerability, scan very large artifacts or highly compressed files with Syft. The temporary storage will fill up, causing Syft to raise an error and exit without cleaning up the temporary files, which can lead to a denial-of-service condition.
Users can manually remove the temporary files to free up space. The vulnerability has been patched in Syft version 1.42.3, which includes improvements to ensure temporary files are cleaned up when an error occurs.
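The cleanup failure the advisory describes, shown as an added Go example rather than Syft's own code: the leaky version returns on a simulated storage-full error and leaves its partially filled temp directory behind, while the hardened version defers removal so the error path cleans up. The names (extract, unpackLeaky, unpackSafe, errStorageFull) are constructed for illustration, and the disk-full condition is simulated with a failure index instead of a real oversized archive.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
)

// Constructed stand-in for the disk-full error hit while unpacking an archive.
var errStorageFull = errors.New("simulated: temporary storage exhausted")

// extract writes one small file per member name into dir, failing with
// errStorageFull before member index failAt (use -1 to never fail).
func extract(dir string, names []string, failAt int) error {
	for i, n := range names {
		if i == failAt {
			return errStorageFull
		}
		if err := os.WriteFile(filepath.Join(dir, n), []byte("payload"), 0o600); err != nil {
			return err
		}
	}
	return nil
}

// unpackLeaky models the pre-1.42.3 behaviour: the error is returned as-is
// and the partially filled temp dir is left behind for the next run to trip on.
func unpackLeaky(tmpRoot string, names []string, failAt int) (string, error) {
	dir, err := os.MkdirTemp(tmpRoot, "scan-")
	if err != nil {
		return "", err
	}
	return dir, extract(dir, names, failAt)
}

// unpackSafe is the hardened form: a deferred RemoveAll runs on every error
// return (named results are set before defers fire), so a failed scan never
// leaves temp data behind.
func unpackSafe(tmpRoot string, names []string, failAt int) (dir string, err error) {
	if dir, err = os.MkdirTemp(tmpRoot, "scan-"); err != nil {
		return "", err
	}
	defer func() {
		if err != nil {
			os.RemoveAll(dir)
		}
	}()
	return dir, extract(dir, names, failAt)
}
```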