Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cm0yLTkzbXEtanFoY84ABANU
Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory.
Impact
A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory.
Patches
Please use version 4.0.0 or later github.com/codeclysm/extract/v4. Any previous version is affected by the bug.
Workarounds
No knows workarounds.
Backward compatibility notes about upgrading to /v4 from /v3
If you're not using the extract.Extractor.FS interface, you will not face any breaking changes and upgrading should be as simple as changing the import to /v4. This should be the case for most of the userbase.
If you're using the Extractor.FS interface, then upgrading to /v4 will require to implement the new methods that have been added:
type FS interface {
Link(string, string) error
MkdirAll(string, os.FileMode) error
OpenFile(name string, flag int, perm os.FileMode) (*os.File, error)
Symlink(string, string) error
// The following methods have been added in the /v4 interface:
Remove(path string) error
Stat(name string) (os.FileInfo, error)
Chmod(name string, mode os.FileMode) error
}
There should be no other breaking changes in the /v4 API.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cm0yLTkzbXEtanFoY84ABANU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 days ago
Updated: 4 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-8rm2-93mq-jqhc, CVE-2024-47877
References:
- https://github.com/codeclysm/extract/security/advisories/GHSA-8rm2-93mq-jqhc
- https://github.com/codeclysm/extract/commit/4a98568021b8e289345c7f526ccbd7ed732cf286
- https://nvd.nist.gov/vuln/detail/CVE-2024-47877
- https://github.com/advisories/GHSA-8rm2-93mq-jqhc
Blast Radius: 10.8
Affected Packages
go:github.com/codeclysm/extract
Dependent packages: 38Dependent repositories: 109
Downloads:
Affected Version Ranges: <= 2.2.0
No known fixed version
All affected versions: 1.0.1, 1.1.0, 1.1.1, 2.0.0, 2.1.0, 2.1.1, 2.2.0
go:github.com/codeclysm/extract/v4
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 4.0.0
Fixed in: 4.0.0
All affected versions:
All unaffected versions:
go:github.com/codeclysm/extract/v3
Dependent packages: 47Dependent repositories: 66
Downloads:
Affected Version Ranges: <= 3.1.1
No known fixed version
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1