CVE-2020-26312

Name of the Vulnerable Software and Affected Versions Dotmesh versions 0.8.1 and prior

Description The issue is related to the unsafe handling of symbolic links in an unpacking routine, which may enable attackers to read and/or write to arbitrary locations outside the designated target folder. The routine untarFile attempts to guard against creating symbolic links that point outside the directory a tar archive is extracted to. However, a malicious tarball can exploit this vulnerability by first linking subdir/parent to .. and then linking subdir/parent/escapes to .., resulting in a symbolic link pointing to the tarball’s parent directory. This may lead to arbitrary file write with the same permissions as the program running the unpack operation if the attacker can control the archive file. Additionally, if the attacker has read access to the unpacked files, they may be able to read arbitrary system files the parent process has permissions to read.

Recommendations As a temporary workaround, consider disabling the untarFile routine until a patch is available. Restrict access to the unpacked files to minimize the risk of exploitation. Avoid using the subdir/parent and subdir/parent/escapes links in the affected tarball until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.