Melange Path Traversal Vulnerability Allowing File Overwrite on Host

Vulnerability

A path traversal vulnerability has been identified in Melange versions from 0.11.3 up to, but not including, 0.40.3. The issue is in the 'retrieveWorkspace' function, which extracts tar entries without validating where each entry path resolves. The tar stream is produced inside the QEMU guest VM and read back on the host, so whoever controls the guest (for example, through the build steps it runs) controls the entry names; an entry name containing '../' sequences is written outside the designated workspace directory on the host. When the host-side process runs in a privileged container, the writable targets include critical system files, such as those under /etc, or binaries under /usr/bin.

Impact

Exploitation of this vulnerability results in unauthorized file writes on the host system, which can overwrite important files or binaries. In privileged container environments, an overwritten host file can be used to escape the container and gain access to the host system.

Reproduction

To reproduce this vulnerability, arrange for the guest to emit a tar stream whose entries carry names containing '../' sequences, for example from within the build running in the QEMU guest VM. When the host-side 'retrieveWorkspace' function processes that stream, the entry paths are joined to the workspace directory without validation, so they resolve outside it and overwrite files on the host.
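The extraction pattern described in the Vulnerability and Reproduction sections above, as an added Go example written for this page (it is not Melange's own code and does not reproduce its 'retrieveWorkspace' implementation). A constructed in-memory tar with a hypothetical '../escape.txt' entry is extracted once through an unchecked join, which is what the flaw amounts to, and once through a resolver that rejects any entry resolving outside the workspace. All names here ('maliciousEntries', 'unsafeJoin', 'safeJoin', 'extract') are assumptions for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned by safeJoin when an entry would land outside the workspace.
var ErrPathTraversal = errors.New("tar entry escapes workspace")
type tarEntry struct{ Name, Body string }
// maliciousEntries is a constructed sample (hypothetical names): a benign entry, then one that climbs out with "../".
var maliciousEntries = []tarEntry{
	{Name: "build/out.apk", Body: "benign build output\n"},
	{Name: "../escape.txt", Body: "written outside the workspace\n"},
}

// buildTar assembles an in-memory tar stream standing in for the one the host reads back from the guest.
func buildTar(entries []tarEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(e.Body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		io.WriteString(tw, e.Body) // tar.Writer write errors are sticky and surface at Close
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// unsafeJoin mirrors the vulnerable pattern: the entry name is joined and used as-is, so "../" walks out.
func unsafeJoin(workspace, name string) (string, error) {
	return filepath.Join(workspace, name), nil
}

// safeJoin is the hardened resolver: the cleaned result must be the workspace or strictly below it.
// The check is lexical; symlink entries need separate handling (extract skips non-regular entries).
func safeJoin(workspace, name string) (string, error) {
	root := filepath.Clean(workspace)
	target := filepath.Join(root, name) // Join cleans, collapsing "../" against root
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrPathTraversal, name, target)
	}
	return target, nil
}

// extract writes each regular-file entry under workspace via resolve and returns the paths it wrote.
func extract(workspace string, archive []byte, resolve func(string, string) (string, error)) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) { // ErrInsecurePath only with GODEBUG=tarinsecurepath=0
			return written, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		dst, err := resolve(workspace, hdr.Name)
		if err != nil {
			return written, err
		}
		if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
			return written, err
		}
		data, err := io.ReadAll(tr) // demo-sized entries; production code streams with io.Copy
		if err != nil {
			return written, err
		}
		if err := os.WriteFile(dst, data, os.FileMode(hdr.Mode)&0o777); err != nil {
			return written, err
		}
		written = append(written, dst)
	}
}

func main() {
	tmp, err := os.MkdirTemp("", "melange-traversal-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	archive := buildTar(maliciousEntries)
	fmt.Println(extract(filepath.Join(tmp, "unsafe"), archive, unsafeJoin)) // second path is <tmp>/escape.txt
	fmt.Println(extract(filepath.Join(tmp, "safe"), archive, safeJoin))     // one path, then ErrPathTraversal
}
```

With the unchecked join, the second entry lands one directory above the workspace; with the hardened resolver, the benign entry is written and the traversal entry aborts extraction. Note that the lexical check alone does not cover an archive that first drops a symlink inside the workspace and then writes through it, which is why the extractor above refuses every non-regular entry.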

Remediation

Upgrade to Melange version 0.40.5 or later, where this vulnerability has been patched. Until the upgrade is in place, avoid running the host side of a QEMU-backed build as a privileged container, and treat any workspace the guest hands back as untrusted input.

Added: Feb 4, 2026, 8:29 PM
Updated: Feb 4, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.8
  exploitability  3.6
  remediation     0.0
  relevance       2.7
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.