Chris Smowton

**Name of the Vulnerable Software and Affected Versions** Dotmesh versions 0.8.1 and prior **Description** The issue is related to the unsafe handling of symbolic links in an unpacking routine, which may enable attackers to read and/or write to arbitrary locations outside the designated target folder. The routine `untarFile` attempts to guard against creating symbolic links that point outside the directory a tar archive is extracted to. However, a malicious tarball can exploit this vulnerability by first linking `subdir/parent` to `..` and then linking `subdir/parent/escapes` to `..`, resulting in a symbolic link pointing to the tarball’s parent directory. This may lead to arbitrary file write with the same permissions as the program running the unpack operation if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, they may be able to read arbitrary system files the parent process has permissions to read. **Recommendations** As a temporary workaround, consider disabling the `untarFile` routine until a patch is available. Restrict access to the unpacked files to minimize the risk of exploitation. Avoid using the `subdir/parent` and `subdir/parent/escapes` links in the affected tarball until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bblfshd versions before commit 4265465b9b6fb5663c30ee43806126012066aad4 **Description** The issue is related to a "zipslip" vulnerability in the unpacking routine, which may allow attackers to read and/or write to arbitrary locations outside the designated target folder due to the unsafe handling of symbolic links. This can lead to arbitrary file write with the same permissions as the program running the unpack operation if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, they may be able to read arbitrary system files that the parent process has permissions to read. **Recommendations** For versions before commit 4265465b9b6fb5663c30ee43806126012066aad4, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the unpacking routine to minimize the risk of exploitation. Avoid using the vulnerable unpacking functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HashiCorp go-slug versions 0.4.3 and earlier **Description** The issue allows a malicious attacker to bypass protections against directory traversal during archive extraction by chaining multiple symbolic links within the archive. This enables the creation of files outside the target directory. If the attacker can read extracted files, they may create symbolic links to arbitrary files on the system that the unpacker has permissions to read. The vulnerability involves attempts at directory traversal using ../ and symlinks. **Recommendations** For HashiCorp go-slug versions 0.4.3 and earlier, update to version 0.5.0 to resolve the issue. As a temporary workaround, consider restricting the use of symbolic links within archives to minimize the risk of exploitation. Avoid using the `go-slug` tool to unpack archives from untrusted sources until the issue is resolved.