PT-2022-5132 · Arr-Pm

Joernchen · Published 2022-09-21 · Updated 2022-09-26 · CVE-2022-39224

CVSS v3.1: 7.0 (High) · Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Arr-pm versions prior to 0.0.12
Description: The issue is an OS command injection that can result in shell command execution when an RPM contains a malicious payload compressor field. It affects the extract and files methods of the RPM::File class. To mitigate, ensure that RPMs being processed contain valid payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field of an RPM can be checked with the rpm command line tool.
Recommendations: For versions prior to 0.0.12, update to version 0.0.12, which patches the issue. As a temporary workaround, ensure that any RPMs being processed contain valid, known payload compressor values such as gzip, bzip2, xz, zstd, and lzma, and restrict access to the extract and files methods of the RPM::File class until the issue is resolved.
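A defender-side check for the workaround described above, added here as an example and not code from arr-pm or from the advisory: it parses an RPM header structure for the PAYLOADCOMPRESSOR tag (tag 1125 and the header layout come from the RPM file format, not from this page) and accepts only the compressor values the advisory names. The function names and the synthetic header are constructed for the example.

```ruby
# Added example (not arr-pm code): read PAYLOADCOMPRESSOR from an RPM header
# structure and refuse anything outside the allowlist named in the advisory.
# Header layout (magic, index entries, data store) and tag number 1125 follow
# the RPM file format; the allowlist is the advisory's list of known values.
RPM_HEADER_MAGIC = "\x8e\xad\xe8\x01".b
RPMTAG_PAYLOADCOMPRESSOR = 1125
RPM_STRING_TYPE = 6
KNOWN_COMPRESSORS = %w[gzip bzip2 xz zstd lzma].freeze

# Return the value of a STRING-typed tag from one RPM header structure, or nil
# if the tag is absent. In a file, the main header follows the 96-byte lead
# and the 8-byte-aligned signature header, which share this layout.
def header_string_tag(header, wanted_tag)
  header = header.b
  raise ArgumentError, "bad header magic" unless header.byteslice(0, 4) == RPM_HEADER_MAGIC
  nindex, hsize = header.byteslice(8, 8).unpack("NN")
  index = header.byteslice(16, nindex * 16)
  store = header.byteslice(16 + nindex * 16, hsize)
  nindex.times do |i|
    tag, type, offset, _count = index.byteslice(i * 16, 16).unpack("NNNN")
    next unless tag == wanted_tag
    raise ArgumentError, "tag #{tag} is not STRING-typed" unless type == RPM_STRING_TYPE
    nul = store.index("\0", offset) or raise ArgumentError, "unterminated string"
    return store.byteslice(offset, nul - offset)
  end
  nil
end

# Allowlist check: exact match only, so metacharacters, options or paths
# smuggled into the field are rejected rather than reaching a shell.
def payload_compressor_allowed?(value)
  KNOWN_COMPRESSORS.include?(value)
end

# Gate to run before handing an RPM to RPM::File#extract or #files.
def vet_payload_compressor(header)
  value = header_string_tag(header, RPMTAG_PAYLOADCOMPRESSOR)
  return :missing if value.nil?
  payload_compressor_allowed?(value) ? :ok : :rejected
end

# Build a synthetic header holding a single STRING tag (constructed test data).
def build_header(tag, value)
  store = value.b + "\0".b
  index = [tag, RPM_STRING_TYPE, 0, 1].pack("NNNN")
  RPM_HEADER_MAGIC + "\0\0\0\0".b + [1, store.bytesize].pack("NN") + index + store
end
```

On a real package the same field is what `rpm -qp --queryformat '%{PAYLOADCOMPRESSOR}' pkg.rpm` prints, which is the command-line check the advisory refers to.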

Exploit · Fix · XSS · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2022-06388
CVE-2022-39224
GHSA-88CV-MJ24-8W3Q

Affected Products

Arr-Pm