Tar path traversal in stereoscope when processing OCI tar archives
Description
stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of github.com/anchore/stereoscope/pkg/file.UntarToDirectory() function, the github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider struct, or the higher level github.com/anchore/stereoscope/pkg/image.Image.Read() function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/anchore/stereoscopeGo | < 0.0.1 | 0.0.1 |
Affected products
14- osv-coords13 versionspkg:apk/chainguard/grypepkg:apk/chainguard/k9spkg:apk/chainguard/kubescapepkg:apk/chainguard/syftpkg:apk/chainguard/wolfictlpkg:apk/chainguard/zarfpkg:apk/wolfi/grypepkg:apk/wolfi/k9spkg:apk/wolfi/kubescapepkg:apk/wolfi/syftpkg:apk/wolfi/wolfictlpkg:apk/wolfi/zarfpkg:golang/github.com/anchore/stereoscope
< 0.74.4-r0+ 12 more
- (no CPE)range: < 0.74.4-r0
- (no CPE)range: < 0.31.8-r0
- (no CPE)range: < 3.0.3-r7
- (no CPE)range: < 0.103.1-r0
- (no CPE)range: < 0.14.13-r0
- (no CPE)range: < 0.32.3-r0
- (no CPE)range: < 0.74.4-r0
- (no CPE)range: < 0.31.8-r0
- (no CPE)range: < 3.0.3-r7
- (no CPE)range: < 0.103.1-r0
- (no CPE)range: < 0.14.13-r0
- (no CPE)range: < 0.32.3-r0
- (no CPE)range: < 0.0.1
- anchore/stereoscopev5Range: < 0.0.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-hpxr-w9w7-g4gvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-24579ghsaADVISORY
- github.com/anchore/stereoscope/commit/09dacab4d9ee65ee8bc7af8ebf4aa7b5aaa36204ghsax_refsource_MISCWEB
- github.com/anchore/stereoscope/security/advisories/GHSA-hpxr-w9w7-g4gvghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.