Bug 2157840 (CVE-2018-25046)

Summary: CVE-2018-25046 cloudfoundry/archiver: improper path sanitization can result in files being extracted outside of the target directory
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bdettelb
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the cloudfoundry/archiver package. In affected versions of this package, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory due to improper path sanitization.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2156778    

Description Avinash Hanwate 2023-01-03 08:00:11 UTC 
Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

https://github.com/cloudfoundry/archiver/commit/09b5706aa9367972c09144a450bb4523049ee840
https://pkg.go.dev/vuln/GO-2020-0025
https://snyk.io/research/zip-slip-vulnerability