A vulnerability was found in the galaxy importer of Ansible Automation Hub. The tarball extraction code is open to abuse in several ways (relative paths in the middle of a path, as well as symlinks that target arbitrary paths). If used to extract user-provided tarballs, this flaw could lead to arbitrary file overwrite.
Are there any details you can share about this issue? Is there an upstream report about it? Is an upstream fix known?
Redirecting NEEDINFO to Vipul who worked on this CVE and should be able to shed some light on it. As far as I know, the affected code can be found in _extract_archive() in galaxy-importer/collection.py. I do not know if there is a patch or any upstream discussions about it, though.
The affected code can be found at https://github.com/ansible/galaxy-importer/blob/2c5c7c05fdfb0835878234b36de32902c703616d/galaxy_importer/collection.py#L160-L165
It does not protect against `..` in the middle of paths, nor does it protect against directory traversals in `linkname`, only in `name`.
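As an added illustration of the two gaps described in the comment above (this is example code written for this page, not galaxy-importer's own `_extract_archive()` and not the upstream fix), the check below validates every tar member before extraction. It normalizes the member `name` so a `..` anywhere in the path is caught, and it resolves the `linkname` of symlinks relative to the directory that will contain the link (and of hard links relative to the archive root), rejecting any target that would resolve outside the destination. The archive and the destination path `/tmp/extract` are constructed for the demonstration; nothing is written to disk.

```python
import io
import posixpath
import tarfile


def _is_within(base, target):
    """True if the normalized path `target` lies under `base`."""
    return posixpath.commonpath([base, target]) == base


def check_member(member, dest="/tmp/extract"):
    """Return None if `member` may be extracted safely into `dest`,
    otherwise a short reason string. Tar paths are POSIX paths, so
    posixpath is used throughout regardless of host OS."""
    dest = posixpath.normpath(dest)
    name = member.name
    if posixpath.isabs(name):
        return "absolute path"
    # normpath collapses "a/../b" segments anywhere in the path, which is
    # what a startswith("..") check on the raw name misses
    target = posixpath.normpath(posixpath.join(dest, name))
    if not _is_within(dest, target):
        return "path traversal in name"
    if member.issym() or member.islnk():
        link = member.linkname
        if posixpath.isabs(link):
            return "absolute link target"
        if member.issym():
            # symlink targets are relative to the directory holding the link
            base = posixpath.dirname(target)
        else:
            # hard link targets are relative to the archive root
            base = dest
        link_target = posixpath.normpath(posixpath.join(base, link))
        if not _is_within(dest, link_target):
            return "link target escapes destination"
    return None


def audit(archive, dest="/tmp/extract"):
    """Map each member name to its check result for an in-memory archive."""
    results = {}
    with tarfile.open(fileobj=archive, mode="r") as tar:
        for member in tar.getmembers():
            results[member.name] = check_member(member, dest)
    return results


def build_sample_archive():
    """Constructed sample archive exercising each case; not a real collection."""
    buf = io.BytesIO()
    data = b"name: demo\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        good = tarfile.TarInfo("collection/MANIFEST.json")
        good.size = len(data)
        tar.addfile(good, io.BytesIO(data))

        # ".." in the middle of the path: escapes after normalization
        mid = tarfile.TarInfo("collection/plugins/../../../outside.txt")
        mid.size = len(data)
        tar.addfile(mid, io.BytesIO(data))

        # symlink whose relative target leaves the destination
        sym = tarfile.TarInfo("collection/link")
        sym.type = tarfile.SYMTYPE
        sym.linkname = "../../etc/passwd"
        tar.addfile(sym)

        # symlink with an absolute target
        abssym = tarfile.TarInfo("collection/abslink")
        abssym.type = tarfile.SYMTYPE
        abssym.linkname = "/etc/shadow"
        tar.addfile(abssym)

        # symlink that stays inside the destination: allowed
        oksym = tarfile.TarInfo("collection/docs/readme_link")
        oksym.type = tarfile.SYMTYPE
        oksym.linkname = "../MANIFEST.json"
        tar.addfile(oksym)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, verdict in audit(build_sample_archive()).items():
        print(f"{name}: {verdict or 'ok'}")
```

The check only decides whether a member may be extracted; the caller still has to skip or reject the archive when any verdict is not `None`. On Python 3.12 and later (and the security releases of 3.8 through 3.11 that received the backport), `TarFile.extractall(filter="data")` performs equivalent rejection of traversing names and escaping link targets, so on those versions the standard-library filter is the preferred defence and a check like this one is a belt-and-braces pre-scan.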
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Via RHSA-2023:7773 https://access.redhat.com/errata/RHSA-2023:7773