SNYK-GOLANG-GITHUBCOMOLLAMAOLLAMASERVER-7707878
## Overview Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the `parseFromZipFile` function, which will copy the file in zip to a temporary directory without verifying the file path, and the file can be written to an arbitrary path. ## Details It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a "../../file.exe" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicous file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file: ``` +2018-04-15 22:04:29 ..... 19 19 good.txt +2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys ``` ## Remediation Upgrade `github.com/ollama/ollama/server` to version 0.1.47 or higher. ## References - [GitHub Commit](https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527) - [GitHub PR](https://github.com/ollama/ollama/pull/5314) - [PoC](https://gist.github.com/trganda/2affa7162a03a30a79c3f11ef09436ad) - [Vulnerable Code](https://github.com/ollama/ollama/blob/v0.1.46/server/model.go#L80C6-L80C22)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Jul 1, 2024 CVE Updated
- Aug 29, 2024 CVE Published
References
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMOLLAMAOLLAMASERVER-7707878 advisory
- https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527 patch
- https://github.com/ollama/ollama/pull/5314 patch
- https://gist.github.com/trganda/2affa7162a03a30a79c3f11ef09436ad technical
- https://github.com/ollama/ollama/blob/v0.1.46/server/model.go#L80C6-L80C22 technical