15 matches found
GHSA-3PV8-6F4R-FFG2 tar has a PAX header desynchronization issue
Summary When a tar stream contains multiple "header" entries prior to a file entry, tar-rs applies the PAX header x to the next entry in the stream, regardless of type. For example, a stream of x - L - file PAX, GNU longname, file would result in x's extensions being applied to L rather than to...
CVE-2026-24843
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries...
CVE-2026-24843 melange QEMU runner could write files outside workspace directory
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries...
EUVD-2026-5373
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries...
melange QEMU runner could write files outside workspace directory
An attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing Path Traversal via ../ sequences. Fix:...
EUVD-2025-31022
Malicious code in bioql PyPI...
CVE-2025-59343
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves...
UBUNTU-CVE-2025-59343
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves...
CVE-2025-59343
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves...
Linux Distros Unpatched Vulnerability : CVE-2025-48387
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified di...
UBUNTU-CVE-2025-48387
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore n...
CVE-2025-48387
Summary of CVE-2025-48387 (tar-fs) : A path-traversal risk in tar-fs bindings for tar-stream affects releases prior to 3.0.9, 2.1.3, and 1.16.5, where extracting certain tarballs can write outside the intended directory. The issue has been fixed in 3.0.9, 2.1.3, and 1.16.5. As a workaround, you c...
tar-fs 路径遍历漏洞
tar-fs is a tar-stream filesystem bundle by the individual developer Mathias Buus. A path traversal vulnerability exists in tar-fs versions prior to 3.0.9, which stems from the ability to write outside of a specified directory when extracting, potentially leading to arbitrary file writes...
source-to-image: Improper path sanitization in ExtractTarStreamFromTarReader in tar/tar.go
A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation...
source-to-image: Improper path sanitization in ExtractTarStreamFromTarReader in tar/tar.go
A flaw was found in source-to-image function as shipped with Openshift Enterprise 3.x. An improper path validation of tar files in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation...