A vulnerability was found in all versions of the `oc` binary packaged in openshift-clients, limited to the `oc image extract` command. An arbitrary file read and/or write can be achieved using a specially crafted container image (.tar file) that holds symbolic links. When a symbolic link is first created pointing within the tarball, it passes the existing path checks; subsequent symbolic links, created through the first one, can then point outside the tarball's parent directory. If an executable or configuration file can be overwritten as a result, the vulnerability can turn into arbitrary code execution.
Acknowledgments: Chris Smowton (GitHub Security Lab)
Mitigation: The option `--only-files=true` can be specified to ensure that only files and directories from the image are extracted and symbolic links are ignored. This means that if an image does contain malicious symbolic links, no links will be created outside the parent directory. However, it also means that legitimate symbolic links specified within the image will not be created either.
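The symlink chain described above and a containment check that defeats it, as an added Python example that is not oc's code: `lexical_check` models a path check that normalises entry names and link targets without consulting the filesystem, `safe_check` resolves each entry's parent directory on disk and refuses absolute or `..` link targets (a conservative policy in the spirit of `--only-files`, but one that still keeps harmless links), and `extract` writes constructed entries into a temporary directory so the two landing paths can be compared. The entry names, link targets and helper names are assumptions, not taken from the advisory.

```python
import os
import tempfile
# Constructed tar entries (name, link target or None). Link 1 resolves to dest itself and passes a
# lexical check; link 2 is created *through* link 1, so on disk its ".." means dest/.., not dest/a/b.
CHAIN = [("a/b/c", "../.."), ("a/b/c/x", ".."), ("a/b/c/x/pwned.txt", None)]

def inside(dest, path):
    """Lexical containment: path is dest or below it (no filesystem access)."""
    rel = os.path.relpath(os.path.normpath(path), dest)
    return rel != ".." and not rel.startswith("../")

def lexical_check(dest, name, linkname):
    """Weak policy: normalise the entry name and link target, never consult the disk."""
    p = os.path.join(dest, name)
    return inside(dest, p) and (linkname is None or inside(dest, os.path.join(os.path.dirname(p), linkname)))

def safe_check(dest, name, linkname):
    """Resolve the parent directory on disk (following links earlier entries created) and
    refuse absolute or '..'-containing link targets, so no link can be re-based later."""
    if not inside(dest, os.path.realpath(os.path.join(dest, os.path.dirname(name)))):
        return False
    return linkname is None or not (os.path.isabs(linkname) or ".." in linkname.split("/"))

def extract(dest, check):
    """Create CHAIN entries that pass check under dest; return ({name: real path written}, [rejected])."""
    dest = os.path.realpath(dest)
    landed, rejected = {}, []
    for name, linkname in CHAIN:
        p = os.path.join(dest, name)
        if not check(dest, name, linkname):
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(p), exist_ok=True)  # follows any symlink made above
        if linkname is not None:
            os.symlink(linkname, p)
        else:
            open(p, "w").close()  # empty stand-in for the payload file
            landed[name] = os.path.realpath(p)
    return landed, rejected

def demo():
    """Run both policies in fresh temporary trees; return {label: (landed, rejected, dest)}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for label, check in (("lexical", lexical_check), ("safe", safe_check)):
            dest = os.path.join(base, label, "dest")
            os.makedirs(dest)
            results[label] = (*extract(dest, check), os.path.realpath(dest))
    return results
```

Under the lexical policy the regular file is written one level above `dest`; under the safe policy both links are rejected and the file stays inside `dest`.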
Closing old flaw bug