Hi all,

coreos-installer before 0.10.1 has a flaw allowing bypass of signature
verification when decompressing a downloaded OS image. An attacker who can
modify the downloaded OS image, by compromising either the hosting site or
the HTTP connection, can compromise the installed system. The problem is
fixed in coreos-installer 0.10.1, which will be included in this week's
Fedora CoreOS releases on all streams.

Default Fedora CoreOS installations from ISO or PXE media are *not*
affected, as coreos-installer installs from an OS image shipped as part of
the install media.

These flows are affected:
- Installing with `--image-file`, `--image-url`, or `coreos.inst.image_url`.
- Installing with default parameters when *not* booted from live ISO or
PXE media.
- `coreos-installer download --decompress`.

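For operators auditing their own provisioning pipelines, here is an added triage helper (example code written for this note, not part of coreos-installer or the linked advisory). It assumes the caller supplies the installed version and whether the host booted from live ISO/PXE media, and takes the 0.10.1 cutoff and the affected flows from the list above.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or the coreos-installer project).
# Given the installed coreos-installer version, whether the host booted from
# live ISO/PXE media, and the invocation (CLI args or kernel cmdline tokens),
# it reports whether that flow is one the advisory lists as affected.
# Assumptions: versions are dotted numerics (an RPM release suffix such as
# "-1.fc35" is stripped); the fixed version 0.10.1 comes from the advisory.

# Numeric compare of two dotted versions; prints -1, 0 or 1.
vercmp() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"; y="${b%%.*}"; b="${b#*.}"
    [ "${x:-0}" -lt "${y:-0}" ] && { printf '%s\n' -1; return; }
    [ "${x:-0}" -gt "${y:-0}" ] && { printf '%s\n' 1; return; }
  done
  printf '%s\n' 0
}

# affected VERSION LIVE(yes|no) SUBCOMMAND [args or kernel cmdline tokens...]
# Exit 0 = affected flow, 1 = not listed as affected; prints the reason.
affected() {
  ver="${1%%-*}" live="$2" sub="$3"; shift 3
  if [ "$(vercmp "$ver" 0.10.1)" -ge 0 ]; then
    echo "not affected: $ver contains the fix"; return 1
  fi
  explicit_image=no decompress=no
  for arg in "$@"; do
    case "$arg" in
      --image-file|--image-file=*|--image-url|--image-url=*|coreos.inst.image_url=*)
        explicit_image=yes ;;
      --decompress) decompress=yes ;;
    esac
  done
  case "$sub" in
    install)
      [ "$explicit_image" = yes ] && { echo "affected: install with explicit image source"; return 0; }
      [ "$live" = yes ] && { echo "not affected: default install from live media image"; return 1; }
      echo "affected: default install not booted from live ISO/PXE"; return 0 ;;
    download)
      [ "$decompress" = yes ] && { echo "affected: download --decompress"; return 0; }
      echo "not listed as affected: download without --decompress"; return 1 ;;
    *) echo "not listed as affected: subcommand $sub"; return 1 ;;
  esac
}
```

Example: `affected 0.9.1 no install --image-url https://mirror.example/fcos.xz` exits 0 and prints the affected flow, while the same call with version 0.10.1 exits 1.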
For more information, including example output and workarounds for affected
versions, see the full advisory [1]. For technical details on the bug and
fix, see the coreos-installer PR [2]. If you have any questions or
comments, please contact us via the Fedora CoreOS development list [3] or in
#fedora-coreos on Libera.Chat.

--Benjamin Gilbert

[1]: https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g7…
[2]: https://github.com/coreos/coreos-installer/pull/655
[3]: https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.or…