Out-of-bounds Read
CVE-2026-7482
Summary
Ollama contains a Heap-Based Buffer Over-Read vulnerability in the GGUF model loader. Versions through 0.17.0 allow an attacker to supply a crafted GGUF file to the "/api/create" endpoint in which the declared tensor offset and size exceed the file length. During quantization in "fs/ggml/gguf.go" and "server/quantization.go" within the function "WriteTo()", the application reads beyond the allocated heap buffer. This may lead to Information Disclosure, exposing memory contents such as environment variables, API keys, system prompts, and other users' conversation data. The leaked data may be exfiltrated by uploading the resulting model artifact via the "/api/push" endpoint to an attacker-controlled registry. The "/api/create" and "/api/push" endpoints do not require authentication in the upstream distribution. While default deployments bind to "127.0.0.1", configurations such as "OLLAMA_HOST=0.0.0.0" are commonly used, increasing exposure risk. This issue is fixed in version 0.17.1.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-125 - Out-of-Bounds Read
An out-of-bounds read is a vulnerability in which a program reads memory outside the bounds of the buffer it is meant to access. Such a vulnerability compromises the confidentiality of the application's trusted environment and lets an attacker use the exposed information to launch further attacks.
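The summary attributes the over-read to a declared tensor offset and size that exceed the file length. The following Go sketch is an added example, not Ollama's code or its 0.17.1 fix, showing the kind of overflow-safe extent check a loader can run before touching tensor data. The TensorInfo type, ValidateTensors function and sample values are hypothetical, and it assumes tensor offsets are relative to the start of the tensor data region.

```go
package main

import (
	"errors"
	"fmt"
)

// TensorInfo is a hypothetical, simplified view of one GGUF tensor entry,
// holding only the fields needed for the bounds check (not Ollama's type).
type TensorInfo struct {
	Name   string
	Offset uint64 // declared offset, assumed relative to the tensor data region
	Size   uint64 // declared size in bytes
}

var ErrTensorOutOfBounds = errors.New("tensor extent exceeds file length")

// ValidateTensors rejects any tensor whose declared [Offset, Offset+Size)
// range does not lie inside the file. dataStart is where the tensor data
// region begins; fileLen is the actual length of the file in bytes.
func ValidateTensors(tensors []TensorInfo, dataStart, fileLen uint64) error {
	if dataStart > fileLen {
		return fmt.Errorf("data region starts at %d in a %d-byte file: %w",
			dataStart, fileLen, ErrTensorOutOfBounds)
	}
	avail := fileLen - dataStart // bytes actually present for tensor data
	for _, t := range tensors {
		// Compare by subtraction so Offset+Size can never wrap around uint64.
		if t.Offset > avail || t.Size > avail-t.Offset {
			return fmt.Errorf("tensor %q: offset=%d size=%d, %d data bytes: %w",
				t.Name, t.Offset, t.Size, avail, ErrTensorOutOfBounds)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a 1024-byte file whose tensor data starts at byte 256.
	ok := []TensorInfo{{"a", 0, 512}, {"b", 512, 256}}
	bad := []TensorInfo{{"a", 0, 512}, {"b", 512, 4096}}
	fmt.Println("well-formed:", ValidateTensors(ok, 256, 1024))
	fmt.Println("oversized:  ", ValidateTensors(bad, 256, 1024))
}
```

Running the check against the real file length at parse time, before any quantization or write path uses the declared sizes, means a malformed file is rejected instead of being read past its end.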
References
Advisory Timeline
- Published