GHSA-9423-6C93-GPP8 github.com/sassoftware/go-rpmutils Arbitrary File Write via Archive Extraction (Zip Slip)
The CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading .., which leads to file extraction outside of the current directory. Note, the fixing commit was applied to all affected versions which were re-released...
SAS Institute go-rpmutils Input Validation Error Vulnerability
SAS Institute go-rpmutils is a library for parsing and extracting content from RPMs from SAS Institute, Inc. written in the Go language. An input validation error vulnerability exists in SAS Institute go-rpmutils versions prior to 0.1.0, which stems from the CPIO extraction function not properly...
Arbitrary File Write
github.com/sassoftware/go-rpmutils is vulnerable to arbitrary file write. The vulnerability exists because the extract function in cpio/extracttest.go does not restrict the file path to the destination directory, allowing extraction outside the permitted cpio path...
CVE-2020-7667
In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading "..", which leads to file extraction outside of the current directory. Note: the fixing commit was applied to all...
Design/Logic Flaw
In package github.com/sassoftware/go-rpmutils/cpio before version 0.1.0, the CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading "..", which leads to file extraction outside of the current directory. Note: the fixing commit was applied to all...
CVE-2020-7667
In CVE-2020-7667, the go-rpmutils/cpio component allowed directory traversal via CPIO extraction due to improper sanitization of leading/non-leading ".." in archived paths. The fixing commit was applied to all affected versions and those releases were re-released; remediation is to update to a ve...
Arbitrary File Write via Archive Extraction (Zip Slip)
Overview: github.com/sassoftware/go-rpmutils/cpio is a package for parsing and extracting content from RPM files. Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). The CPIO extraction functionality doesn't sanitize the paths of the archived...