OpenShift Enterprise through version 3.6 does not properly sanitize archived filenames in source-to-image/pkg/tar/tar.go:ExtractTarStreamFromTarReader(). An attacker can exploit this with a malicious container to overwrite files on client machines when clients use "oc rsync" to connect to that container.
This is a related but separate issue to CVE-2018-1102.
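The defect described above is a classic tar extraction path-traversal: an entry name such as `../../x` or an absolute path is joined onto the destination directory without checking that the result still lies inside it. The following Go program is an added example, not the source-to-image project's code or its fix: it shows the kind of per-entry check an extractor should apply before creating anything on disk (entry names, plus symlink and hard-link targets, validated lexically against the destination), and runs it over a small tar archive constructed in memory. The destination path `/tmp/s2i-extract`, the entry names and the function names are all assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// withinDest reports whether p is dest itself or lies strictly beneath it.
// Both paths are compared after cleaning, so "a/../../b" style names cannot slip through.
func withinDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeEntryPath maps one tar header onto a path under dest, or returns an error
// when the entry (or, for links, its target) would land outside dest.
func safeEntryPath(dest string, hdr *tar.Header) (string, error) {
	if strings.ContainsRune(hdr.Name, 0) {
		return "", fmt.Errorf("entry %q contains a NUL byte", hdr.Name)
	}
	// Absolute names are rejected outright rather than silently stripped (conservative policy).
	if filepath.IsAbs(hdr.Name) || strings.HasPrefix(hdr.Name, "/") {
		return "", fmt.Errorf("absolute entry name %q", hdr.Name)
	}
	target := filepath.Join(dest, filepath.FromSlash(hdr.Name)) // Join also cleans ".." segments
	if !withinDest(dest, target) {
		return "", fmt.Errorf("entry %q escapes %s", hdr.Name, dest)
	}
	if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
		link := hdr.Linkname
		if filepath.IsAbs(link) || strings.HasPrefix(link, "/") {
			return "", fmt.Errorf("entry %q links to absolute path %q", hdr.Name, link)
		}
		// Hard-link names are relative to the archive root; symlink targets are
		// relative to the directory containing the symlink itself.
		var resolved string
		if hdr.Typeflag == tar.TypeLink {
			resolved = filepath.Join(dest, filepath.FromSlash(link))
		} else {
			resolved = filepath.Join(filepath.Dir(target), filepath.FromSlash(link))
		}
		if !withinDest(dest, resolved) {
			return "", fmt.Errorf("entry %q links to %q outside %s", hdr.Name, link, dest)
		}
	}
	return target, nil
}

// auditTarStream walks a tar stream and partitions entry names into those an
// extractor may write under dest and those it must refuse. Nothing is written to disk.
func auditTarStream(r io.Reader, dest string) (accepted, rejected []string, err error) {
	dest, err = filepath.Abs(dest)
	if err != nil {
		return nil, nil, err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, rejected, nil
		}
		if err != nil {
			return nil, nil, err
		}
		if _, perr := safeEntryPath(dest, hdr); perr != nil {
			rejected = append(rejected, hdr.Name)
		} else {
			accepted = append(accepted, hdr.Name)
		}
	}
}

// buildSampleTar constructs (in memory, for this example only) an archive mixing
// benign entries with names and link targets that try to leave the destination.
func buildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(hdr *tar.Header, body string) {
		hdr.Size = int64(len(body))
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, body); err != nil {
			panic(err)
		}
	}
	add(&tar.Header{Name: "app/main.go", Mode: 0644, Typeflag: tar.TypeReg}, "package main\n")
	add(&tar.Header{Name: "../../outside.txt", Mode: 0644, Typeflag: tar.TypeReg}, "constructed\n")
	add(&tar.Header{Name: "/abs/path.txt", Mode: 0644, Typeflag: tar.TypeReg}, "constructed\n")
	add(&tar.Header{Name: "link", Mode: 0777, Typeflag: tar.TypeSymlink, Linkname: "../../outside-link"}, "")
	add(&tar.Header{Name: "link2", Mode: 0777, Typeflag: tar.TypeSymlink, Linkname: "app/main.go"}, "")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// auditSampleArchive runs the audit over the constructed archive against an assumed destination.
func auditSampleArchive() ([]string, []string, error) {
	return auditTarStream(bytes.NewReader(buildSampleTar()), "/tmp/s2i-extract")
}

func main() {
	acc, rej, err := auditSampleArchive()
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", acc)
	fmt.Println("rejected:", rej)
}
```

The link checks are lexical: they do not protect against a symlink extracted earlier in the same archive redirecting a later write. A full extractor should additionally refuse to follow symlinks in already-extracted path components (for example by checking each component with `os.Lstat` before creating files), which is the usual second half of a fix for this bug class.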
Name: Michael Hanselmann (Independent)
Created source-to-image tracking bugs for this issue:
Affects: fedora-all [bug 1590175]