PT-2021-18100 · Open Container Initiative · Umoci

Robin Peraglie · Published 2021-04-06 · Updated 2024-08-21 · CVE-2021-29136

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open Container Initiative umoci, versions prior to 0.4.7
Description: The issue allows an attacker to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. The root cause is improper input validation in umoci: a malicious layer containing a symlink can redirect umoci's writes so that it modifies files on the host instead of files inside the unpack directory. Both "umoci unpack" and "umoci raw unpack" are affected.
Recommendations: For versions prior to 0.4.7, update to version 0.4.7 or later to resolve the issue. As a temporary workaround, consider running umoci under an LSM profile such as AppArmor or SELinux to restrict the access it has outside of container image directories. If umoci is used as an unprivileged user with the --rootless flag, it cannot overwrite any files the user does not already have access to, which limits the impact and can serve as a mitigation.
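The defensive check the fix class relies on, as an added illustration that is not umoci's own code: the function below resolves a layer path under the unpack root while following symlinks, but re-roots absolute link targets at the root and clamps ".." there, so a symlink in a crafted layer cannot redirect a write onto a host path. It assumes the root directory and the layer entry path are passed in as plain strings.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// safeJoin resolves rel inside root the way an unpacker should: symlinks are
// followed, but an absolute link target is re-rooted at root and ".." never
// climbs above it. Illustrative re-implementation of the secure-join idea, not
// umoci's code; like any path lookup it can be raced if the tree changes.
func safeJoin(root, rel string) (string, error) {
	split := func(p string) []string { return strings.Split(strings.Trim(filepath.ToSlash(p), "/"), "/") }
	inside := "." // resolved path relative to root; never contains ".."
	rest := split(rel)
	for comp, hops := "", 0; len(rest) > 0; {
		comp, rest = rest[0], rest[1:]
		if comp == "" || comp == "." {
			continue
		}
		if comp == ".." {
			inside = filepath.Dir(inside) // Dir(".") is ".", so this clamps at root
			continue
		}
		next := filepath.Join(inside, comp)
		fi, err := os.Lstat(filepath.Join(root, next))
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			inside = next // plain component (or not created yet): keep it
			continue
		}
		if hops++; hops > 255 {
			return "", errors.New("too many symlinks")
		}
		target, err := os.Readlink(filepath.Join(root, next))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			inside = "." // "/x" inside a layer means "<root>/x", never the host's /x
		}
		rest = append(split(target), rest...) // a relative target resolves from the link's directory
	}
	return filepath.Join(filepath.Clean(root), inside), nil
}

func main() { p, err := safeJoin(os.TempDir(), "etc/../../passwd"); fmt.Println(p, err) }
```

A naive filepath.Join(root, "etc/passwd") followed by a write would instead let a layer symlink "etc" pointing at an absolute host directory carry the write outside root.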

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2021-29136
GHSA-9M95-8HX6-7P9V
GO-2022-0815
MGASA-2022-0006
OESA-2021-1151
OPENSUSE-SU-2021:0548-1
OPENSUSE-SU-2021:0810-1
OPENSUSE-SU-2021:0846-1
OPENSUSE-SU-2021:1863-1
OPENSUSE-SU-2021_0548-1
OPENSUSE-SU-2021_0846-1
OPENSUSE-SU-2021_1863-1
OPENSUSE-SU-2024:11384-1
OPENSUSE-SU-2024:11482-1
SUSE-SU-2021:1116-1
SUSE-SU-2021:1863-1
SUSE-SU-2021:1863-2
SUSE-SU-2021_1116-1
SUSE-SU-2021_1863-1
SUSE-SU-2021_1863-2

Affected Products

Suse
Umoci