Melange Path Traversal Vulnerability in Lint and Build Pipelines

Vulnerability

A path traversal vulnerability has been identified in Melange versions from 0.32.0 up to, but not including, 0.43.4. The issue arises when the opt-in flag '--persist-lint-results' is used with the 'melange lint' or 'melange build' commands. In the affected versions, the output file paths for lint results were built by joining the '--out-dir' option with the 'arch' and 'pkgname' values read from the APK's '.PKGINFO' control file, and those values were not validated for path separators or parent-directory ('..') sequences. As a result, an attacker who controls the 'arch' or 'pkgname' field can cause lint result files to be written to arbitrary locations on the file system, potentially overwriting other JSON artifacts. Only deployments that explicitly pass '--persist-lint-results' are affected; the flag is off by default.

Impact

Exploitation of this vulnerability allows path traversal: an attacker can write files to arbitrary locations on the file system, clobbering existing JSON artifacts. There is no direct code execution path, but the vulnerability could disrupt other processes or applications that rely on the overwritten JSON files.

Remediation

Upgrade to Melange version 0.43.4 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, do not use the '--persist-lint-results' flag when working with APKs whose '.PKGINFO' contents cannot be fully trusted. Additionally, running Melange as a low-privileged user and confining its file writes to a dedicated output directory limits the impact of a successful traversal.
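The following Go program is an added illustration of the defect class described above and of the kind of validation that closes it; it is not Melange's own code and does not reproduce the project's actual fix. It assumes a hypothetical output layout of '<out-dir>/<arch>/<pkgname>.json' (the advisory only states that '--out-dir', 'arch' and 'pkgname' are combined), and the '.PKGINFO' sample and function names ('parsePkgInfo', 'unsafeLintResultPath', 'safeLintResultPath') are constructed for this example. The unsafe variant shows how a traversal sequence in 'pkgname' or 'arch' escapes the output directory; the safe variant rejects any value that is not a single, plain path component and then re-checks that the joined path still lies inside the output directory.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeComponent is returned when a .PKGINFO-derived value cannot be used
// as a single path component.
var ErrUnsafeComponent = errors.New("unsafe path component")

// parsePkgInfo reads the "key = value" lines of a .PKGINFO control file and
// returns arch and pkgname. Values are returned exactly as found: trusting
// them without validation is the root of the advisory's issue.
func parsePkgInfo(contents string) (arch, pkgname string) {
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		switch strings.TrimSpace(key) {
		case "arch":
			arch = strings.TrimSpace(val)
		case "pkgname":
			pkgname = strings.TrimSpace(val)
		}
	}
	return arch, pkgname
}

// validComponent rejects values that could escape the output directory when
// joined onto a path: empty strings, ".", "..", and anything containing a
// slash, backslash or NUL byte.
func validComponent(s string) error {
	if s == "" || s == "." || s == ".." || strings.ContainsAny(s, "/\\\x00") {
		return fmt.Errorf("%w: %q", ErrUnsafeComponent, s)
	}
	return nil
}

// unsafeLintResultPath mirrors the flawed construction described in the
// advisory: untrusted values are joined straight onto the output directory,
// so "../.." segments walk out of it.
func unsafeLintResultPath(outDir, arch, pkgname string) string {
	return filepath.Join(outDir, arch, pkgname+".json")
}

// safeLintResultPath validates both components first, then joins them and
// double-checks that the cleaned result is still inside outDir.
func safeLintResultPath(outDir, arch, pkgname string) (string, error) {
	if err := validComponent(arch); err != nil {
		return "", fmt.Errorf("arch: %w", err)
	}
	if err := validComponent(pkgname); err != nil {
		return "", fmt.Errorf("pkgname: %w", err)
	}
	base := filepath.Clean(outDir)
	out := filepath.Join(base, arch, pkgname+".json")
	// Defence in depth: even after validation, confirm the result is beneath base.
	rel, err := filepath.Rel(base, out)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %s", ErrUnsafeComponent, out, base)
	}
	return out, nil
}

func main() {
	outDir := "/tmp/lint-out" // constructed sample output directory
	// Constructed .PKGINFO samples: one benign, one carrying a traversal sequence.
	samples := []string{
		"pkgname = hello\npkgver = 1.0-r0\narch = x86_64\n",
		"pkgname = ../../../tmp/clobbered\narch = x86_64\n",
	}
	for _, s := range samples {
		arch, pkg := parsePkgInfo(s)
		fmt.Println("unsafe:", unsafeLintResultPath(outDir, arch, pkg))
		p, err := safeLintResultPath(outDir, arch, pkg)
		fmt.Println("safe:  ", p, err)
	}
}
```

In the second sample the unsafe join cleans to '/tmp/clobbered.json', outside the output directory, while the safe variant refuses the value before any path is formed. The trailing 'filepath.Rel' check is redundant with the component validation but catches future changes that join additional untrusted segments.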

Added: Apr 24, 2026, 12:30 AM
Updated: Apr 24, 2026, 12:30 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 6.6
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.