Llfam

PT-2026-4315 · CVSS 7.8 · 2026-01-22
Unknown · Containers · CVE-2026-20613
**Name of the Vulnerable Software and Affected Versions**

- container versions prior to 0.8.0
- containerization versions prior to 0.21.0

**Description**

The `ArchiveReader.extractContents()` function, used by `cctl image load` and `container image load`, lacks proper pathname validation during archive extraction. A crafted archive can therefore write files to arbitrary user-writable locations on the system through relative pathnames. The vulnerable code resides in `Reader.swift` at line 180. A proof-of-concept script, `make-evil-tar.py`, demonstrates the creation of a malicious archive that writes a file to a user-specified location. This issue affects users of `cctl image load` within the containerization project, any dependent projects that call `extractContents()`, and users of `container image load`. The issue is not a privilege escalation, as files are only written to locations the user can already write to.

**Recommendations**

- Update to container version 0.8.0 or later.
- Update to containerization version 0.21.0 or later.
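Added illustration, not part of this advisory or of the container/containerization projects: a Python validator for the kind of pathname check the description says `extractContents()` lacks, run over a constructed in-memory tar whose members try to escape the destination. Function names, the sample member names and the destination `/nonexistent/dest` are assumptions.

```python
import io
import os
import tarfile


def _is_within(base: str, target: str) -> bool:
    """True if the resolved target stays inside the resolved base directory."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def validate_members(tar: tarfile.TarFile, dest: str):
    """Classify archive members as (safe, rejected) before anything is written.

    Rejects absolute names, names that escape dest through '..', and links
    whose target resolves outside dest (a link lets a later member escape
    even when its own name looks harmless).
    """
    safe, rejected = [], []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or not _is_within(dest, os.path.join(dest, m.name)):
            rejected.append(m.name)
            continue
        if m.issym() or m.islnk():
            target = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            if os.path.isabs(m.linkname) or not _is_within(dest, target):
                rejected.append(m.name)
                continue
        safe.append(m.name)
    return safe, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign layer file plus three members that escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("images/layer.json", "../../escape.txt", "/tmp/absolute.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("images/link")  # symlink pointing outside dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def check_sample(dest: str = "/nonexistent/dest"):
    # Only the member list is inspected; nothing is extracted to disk.
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return validate_members(tar, dest)
```

Run the validator before extraction and refuse the whole archive if the rejected list is non-empty; an `image load` path that does this can no longer be steered outside its destination directory by member names alone.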