References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-22

CWE-59

https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442

https://github.com/chainguard-dev/apko/pull/2187

https://github.com/chainguard-dev/apko/releases/tag/v1.2.5

https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6