
rpm: prevent directory traversal when extracting #478

Merged
merged 1 commit into from Sep 28, 2021

Conversation

@hdonnay hdonnay commented Sep 28, 2021

A malicious tar archive with a member consisting of multiple "parent"
elements could cause a file outside of the target directory to be
overwritten.

Fixes: CVE-2021-3762
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
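The description above is the whole bug: a member name made of several ".." elements is joined to the extraction root and lands outside it. The following is an added example, not claircore's own code, of a lexical containment check a Go extractor can run on every header before touching the disk; `contained`, `unsafeMembers`, `buildArchive`, the root `/tmp/extract` and the member names are all constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// contained reports whether a tar member name, joined to root and cleaned,
// still lies inside root: Join collapses stacked ".." elements (an absolute
// name becomes relative to root) and Rel is immune to root2/-style siblings.
func contained(root, name string) bool {
	rel, err := filepath.Rel(root, filepath.Join(root, name))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// unsafeMembers lists, in archive order, the member names of an in-memory tar
// that would escape root; nothing is written to disk.
func unsafeMembers(root string, archive []byte) ([]string, error) {
	var bad []string
	for tr := tar.NewReader(bytes.NewReader(archive)); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return nil, err
		}
		if !contained(root, hdr.Name) {
			bad = append(bad, hdr.Name)
		}
	}
}

// buildArchive constructs an in-memory tar with a one-byte file per name (writes to a bytes.Buffer cannot fail).
func buildArchive(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: 1})
		tw.Write([]byte("x"))
	}
	tw.Close()
	return buf.Bytes()
}
func main() { // constructed sample: a benign member beside two built from stacked ".." elements
	fmt.Println(unsafeMembers("/tmp/extract", buildArchive("usr/share/doc/README", "a/../../../outside.txt", "../../escape")))
}
```

The check is lexical only, so symlinked members still need their own handling before any path is followed on disk. On Go 1.20 and later, filepath.IsLocal performs the same name check in one call, and archive/tar's Reader.Next can flag such names with tar.ErrInsecurePath when GODEBUG=tarinsecurepath=0 is set.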
@hdonnay hdonnay requested a review from a team as a code owner September 28, 2021 14:43
@hdonnay hdonnay requested review from crozzy and removed request for a team September 28, 2021 14:43
hdonnay added a commit to hdonnay/claircore that referenced this pull request Sep 28, 2021
A malicious tar archive with a member consisting of multiple "parent"
elements could cause a file outside of the target directory to be
overwritten.

Fixes: CVE-2021-3762
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
Backports: quay#478
(cherry picked from commit 691f202)
@crozzy crozzy left a comment
LGTM

@hdonnay hdonnay merged commit 691f202 into quay:main Sep 28, 2021
5 checks passed
@hdonnay hdonnay deleted the CVE-2021-3762 branch September 28, 2021 14:54