Nixpkgs security tracker
8.2 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Activity log
- Created suggestion
melange QEMU runner could write files outside workspace directory
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.
References
Affected products
- ==>= 0.11.3, < 0.40.3
Matching in nixpkgs
pkgs.melange
Build APKs from source code
pkgs.ocamlPackages.melange
Toolchain to produce JS from Reason/OCaml
pkgs.ocamlPackages.melange-json
Compositional JSON encode/decode library and PPX for Melange and OCaml
pkgs.ocamlPackages_latest.melange
Toolchain to produce JS from Reason/OCaml
-
nixos-unstable -
- nixpkgs-unstable 6.0.1-54
pkgs.ocamlPackages.melange-json-native
Compositional JSON encode/decode PPX for OCaml
pkgs.ocamlPackages_latest.melange-json
Compositional JSON encode/decode library and PPX for Melange and OCaml
-
nixos-unstable -
- nixpkgs-unstable 2.0.0
pkgs.ocamlPackages_latest.melange-json-native
Compositional JSON encode/decode PPX for OCaml
-
nixos-unstable -
- nixpkgs-unstable 2.0.0
Package maintainers
-
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
-
@GirardR1006 Julien Girard-Satabin <julien.girard2@cea.fr>