VYPR
← All advisories
Medium severity6.1GHSA Advisory· Published May 29, 2026

Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta

CVE-2026-47121

Description

Summary

Binary delta apply intermediate-symlink traversal in malicious .delta

Autoupdate/SUBinaryDeltaApply.m enforces relativePath.pathComponents containsObject:@".." and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect symlinks deeper in the relative path. Autoupdate/SPUSparkleDeltaArchive.m's extractItem: will create symlinks in the destination tree from archive content (no .. check on the symlink target), and a subsequent Extract item targeting /foo/bar then escapes the destination tree via fopen(path, "wb") because the kernel resolves the intermediate symlink during the open call.

This is a defense-in-depth issue: exploitation requires a maliciously-crafted .delta that passes EdDSA signature verification, i.e. EdDSA private-key compromise. With the AppInstaller running as root for system-domain installs, it gives the holder of a stolen signing key arbitrary file write at root level via the delta-apply path, which is a strictly broader primitive than the "drop-in replacement bundle" install they would otherwise have.

Affected versions: 1.x (master branch), 2.x branch including 2.9.1.

Details

Symlink writeable from archive

Autoupdate/SPUSparkleDeltaArchive.m:557-678's extractItem: handles symlinks if the archive item carries S_ISLNK(mode):

} else {
    // Link files

    if (PARTIAL_IO_CHUNK_SIZE < decodedLength) { ...too long... }
    if (decodedLength > PATH_MAX) { ...too long... }

    char buffer[PATH_MAX + 1] = {0};
    if (![self _readBuffer:buffer length:(int32_t)decodedLength]) { ... }

    NSString *destinationPath = [fileManager stringWithFileSystemRepresentation:buffer length:decodedLength];

    [fileManager removeItemAtPath:itemFilePath error:NULL];

    NSError *createLinkError = nil;
    if (![fileManager createSymbolicLinkAtPath:itemFilePath withDestinationPath:destinationPath error:&createLinkError]) {
        _error = createLinkError;
        return NO;
    }
    ...
    lchmod(itemFilePathString, mode);
}

The link's destinationPath is taken verbatim from the archive content with only a length cap; absolute paths and .. are accepted. After this item is processed, the destination tree contains a symlink that points outside it.

Parent-symlink check is shallow

Autoupdate/SUBinaryDeltaApply.m:177-207:

[archive enumerateItems:^(SPUDeltaArchiveItem *item, BOOL *stop) {
    NSString *relativePath = item.relativeFilePath;

    if ([relativePath.pathComponents containsObject:@".."]) {
        ...reject...
    }

    NSString *sourceFilePath = [source stringByAppendingPathComponent:relativePath];
    NSString *destinationFilePath = [destination stringByAppendingPathComponent:relativePath];
    {
        NSString *destinationParentDirectory = destinationFilePath.stringByDeletingLastPathComponent;
        NSDictionary<NSFileAttributeKey, id> *destinationParentDirectoryAttributes = [fileManager attributesOfItemAtPath:destinationParentDirectory error:NULL];

        // It is OK for the directory parent to not exist if it has already been removed
        if (destinationParentDirectoryAttributes != nil) {
            NSString *fileType = destinationParentDirectoryAttributes[NSFileType];
            if ([fileType isEqualToString:NSFileTypeSymbolicLink]) {
                ...reject...
            }
        }
    }
    ...
}];

Two gaps:

  1. The check inspects only destinationParentDirectory (one level up), not all intermediate components. For a relative path a/b/c.txt, the kernel resolves through any symlink at component a. attributesOfItemAtPath: with the resolved path returns attributes of the resolved-through directory, which is NSFileTypeDirectory (not NSFileTypeSymbolicLink), so the check passes.
  1. The check is skipped entirely if destinationParentDirectoryAttributes == nil (line 195). When the symlink target is to a directory that does not contain the named subpath, the parent appears not to exist and the check is skipped. The subsequent fopen(path, "wb") then creates the file along the resolved path.

Write primitive

For an item with SPUDeltaItemCommandExtract set, SUBinaryDeltaApply.m:354-365 calls [archive extractItem:item] which goes through SPUSparkleDeltaArchive.m:574-622 for regular files:

[fileManager removeItemAtPath:itemFilePath error:NULL];

char itemFilePathString[PATH_MAX + 1] = {0};
if (![itemFilePath getFileSystemRepresentation:itemFilePathString maxLength:sizeof(itemFilePathString) - 1]) { ... }

FILE *outputFile = fopen(itemFilePathString, "wb");

fopen(path, "wb") follows symlinks at every path component and creates/truncates the file at the resolved path. If /a is a symlink to /Library/LaunchDaemons (for a root install) and the relative path is a/com.attacker.plist, the call writes /Library/LaunchDaemons/com.attacker.plist.

The chmod follow-up at SUBinaryDeltaApply.m:335 (chmod(destinationFilePath.fileSystemRepresentation, sourceFileInfo.st_mode)) and SPUSparkleDeltaArchive.m:619 (chmod(itemFilePathString, mode)) likewise follows symlinks, so attacker-chosen permissions land on the attacker-chosen target.

Threat model

This primitive is reachable only when the archive can pass EdDSA signature verification, which requires either:

  • The developer's private signing key has been compromised, or
  • A separate vulnerability allows bypassing SUSignatureVerifier (none was identified in this review).

Given a stolen private key, the attacker already has the ability to push a normal full-bundle update. The delta-apply traversal grants strictly more: arbitrary file write into directories outside ``. When the AppInstaller runs in the system domain (root), this becomes arbitrary file write as root, which is qualitatively broader than "replace the app bundle".

It is therefore worth fixing as a defense-in-depth measure, even though the prerequisite (key compromise) is itself a worst case.

PoC

The PoC requires a valid EdDSA signature on the malicious .delta archive. With a test signing key under your control (any Sparkle test fixture key), generate a delta as follows:

  1. Construct the archive payload with two items, in this order, using the SPUSparkleDeltaArchive writer (or by hand-assembling the format described in SPUSparkleDeltaArchive.m and SPUDeltaArchiveProtocol.h):
Item 1:
  relativeFilePath = "Contents/Resources/escape"
  commands         = SPUDeltaItemCommandExtract  (= 0x02)
  mode             = S_IFLNK | 0o755             (= 0xA1ED)
  payload          = "/Library/LaunchDaemons"

Item 2:
  relativeFilePath = "Contents/Resources/escape/com.attacker.persistence.plist"
  commands         = SPUDeltaItemCommandExtract  (= 0x02)
  mode             = S_IFREG | 0o644             (= 0x81A4)
  payload          =
  1. Sign the archive with the test EdDSA key, publish it as a delta enclosure with matching sparkle:edSignature, and host it from a feed pointed at by a Sparkle host whose old-bundle public key matches.

3. Trigger a system-domain install. The flow: - applyBinaryDelta enumerates items. - Item 1 passes the .. check (the path components are Contents, Resources, escape - no ..). The parent Contents/Resources exists in the source-copy and is a directory, not a symlink. The check passes. extractItem: for S_ISLNK(mode) calls createSymbolicLinkAtPath:withDestinationPath: and creates /Contents/Resources/escape -> /Library/LaunchDaemons. - Item 2 passes the .. check. Its parent /Contents/Resources/escape resolves through the just-created symlink to /Library/LaunchDaemons, whose attributes are returned as NSFileTypeDirectory (not symlink). The check passes. - extractItem: for S_ISREG(mode) does removeItemAtPath (no-op, target file does not yet exist) then fopen("/Contents/Resources/escape/com.attacker.persistence.plist", "wb"). The kernel resolves the symlink and creates /Library/LaunchDaemons/com.attacker.persistence.plist. - The hash check at the end of applyBinaryDelta (getRawHashOfTreeWithVersion(afterHash, finalDestination, ...)) is computed only against finalDestination. The file dropped at /Library/LaunchDaemons/ is outside that tree and does not affect the hash. The hash check still passes (or, if it does not because the dest tree is missing the file, the dropped LaunchDaemon plist is still left behind - destination cleanup at line 471 only removes finalDestination, not the escape target).

  1. Observed result: a root-owned LaunchDaemon plist exists at /Library/LaunchDaemons/com.attacker.persistence.plist. On next reboot it is launched as root.

A simpler proof-of-concept that does not require a system-domain install: target a user-writable directory (e.g. ~/Library/LaunchAgents/), use a user-domain Sparkle host. The same item-pair lands a user-level LaunchAgent at next login.

Impact

Defense-in-depth gap: the holder of a compromised EdDSA signing key gains a primitive (arbitrary file write at the privilege of the AppInstaller process) that exceeds what an "install a malicious bundle" path provides. For system-domain installs this is arbitrary file write as root, including locations outside the target app bundle (/Library/LaunchDaemons, /etc/... subpaths that exist as directories, /usr/local/, etc.).

Recommended fix: in SUBinaryDeltaApply.m, walk every component of relativePath and reject if any intermediate component is a symlink (or refuse to allow the archive to create symlinks during apply at all, given the limited number of legitimate use cases for symlinks inside an .app bundle and the existing lchmod already in place). Cleanup on failure should also removeTree along the symlink target, not just finalDestination.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Binary delta apply in Sparkle allows symlink traversal via malicious .delta, enabling arbitrary file write if EdDSA key is compromised.

Vulnerability

The vulnerability resides in Autoupdate/SUBinaryDeltaApply.m and Autoupdate/SPUSparkleDeltaArchive.m. The code in SUBinaryDeltaApply.m checks for .. in relative paths and rejects writes whose immediate parent directory is a symbolic link, but it does not detect symlinks deeper in the relative path. In SPUSparkleDeltaArchive.m's extractItem:, symlinks are created from archive content without validating the symlink target for ... A subsequent Extract item targeting /foo/bar can escape the destination tree via fopen(path, "wb") because the kernel resolves the intermediate symlink during the open call. Affected versions include the 1.x (master branch) and 2.x branch, including 2.9.1. [1][2]

Exploitation

Exploitation requires a maliciously-crafted .delta file that passes EdDSA signature verification, meaning the attacker must have compromised the EdDSA private key. The attacker crafts a delta archive containing a symlink item pointing to an arbitrary directory (e.g., /etc), then an Extract item that writes a file through that symlink. The kernel resolves the intermediate symlink during fopen, allowing file write outside the intended destination tree. [1][2]

Impact

Successful exploitation gives the attacker arbitrary file write at the privilege level of the AppInstaller. For system-domain installs, AppInstaller runs as root, so the attacker gains root-level arbitrary file write. This is a broader primitive than the intended "drop-in replacement bundle" install. [1][2]

Mitigation

As of the advisory publication date (2026-05-29), no fix has been released. The issue is a defense-in-depth vulnerability; the primary mitigation is to protect the EdDSA signing key. Users should ensure that only trusted delta files are applied. The advisory recommends monitoring for updates from the Sparkle project. [1][2]

References
  1. CVE-2026-47121 - GitHub Advisory Database
  2. Binary delta apply intermediate-symlink traversal in malicious .delta

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
6276ba2b4048

Update Package management files for version 2.9.2

https://github.com/sparkle-project/SparkleSparkle-BotMay 17, 2026Fixed in 2.9.2via release-tag
commit
2 files changed · +2 2
  • Configurations/ConfigCommon.xcconfig+1 1 modified
    @@ -104,7 +104,7 @@ SPARKLE_VERSION_PATCH = 2
 // This should be in SemVer format or empty, ie. "-beta.1"
 // These variables must have a space after the '=' too
 SPARKLE_VERSION_SUFFIX =
-CURRENT_PROJECT_VERSION = 2056
+CURRENT_PROJECT_VERSION = 2057
 
 MARKETING_VERSION = $(SPARKLE_VERSION_MAJOR).$(SPARKLE_VERSION_MINOR).$(SPARKLE_VERSION_PATCH)$(SPARKLE_VERSION_SUFFIX)
 ALWAYS_SEARCH_USER_PATHS = NO
  • Package.swift+1 1 modified
    @@ -5,7 +5,7 @@ import PackageDescription
 let version = "2.9.2"
 // Tag is required to point towards the right asset. SPM requires the tag to follow semantic versioning to be able to resolve it.
 let tag = "2.9.2"
-let checksum = "3fc29783fc6d26c6bae98dfaa336e80e5b5b14d4db1c3adb3ac962064c7bb01a"
+let checksum = "b83e37436774556ed055e0244b297ef2c790e0737393bf65bf495fcbba6eed65"
 let url = "https://github.com/sparkle-project/Sparkle/releases/download/\(tag)/Sparkle-for-Swift-Package-Manager.zip"
 
 let package = Package(

Vulnerability mechanics

Root cause

"The symlink-parent check in `SUBinaryDeltaApply.m` only inspects the immediate parent directory, not all intermediate path components, allowing a symlink created earlier in the archive to redirect a subsequent file write outside the destination tree."

Attack vector

An attacker crafts a malicious `.delta` archive containing two items: first a symlink pointing to an arbitrary absolute path (e.g. `/Library/LaunchDaemons`), then a regular file whose relative path traverses through that symlink. The `..` check in `SUBinaryDeltaApply.m` is bypassed because the path contains no `..` components, and the parent-symlink check only inspects one level up. The kernel resolves the intermediate symlink during `fopen`, writing the file to the attacker-chosen location outside the bundle. Exploitation requires the archive to pass EdDSA signature verification, meaning the attacker must possess the developer's private signing key [ref_id=1][ref_id=2].

Affected code

`Autoupdate/SUBinaryDeltaApply.m` (lines 177–207) only checks whether the immediate parent directory is a symlink, not intermediate components. `Autoupdate/SPUSparkleDeltaArchive.m` (lines 557–678) creates symlinks from archive content without validating the symlink target. The `fopen(path, "wb")` call in `SPUSparkleDeltaArchive.m:574-622` follows kernel symlink resolution, allowing writes outside the destination tree.

What the fix does

The patch at commit `6276ba2b404829d139c45ff98427cf90e2efc59b` [patch_id=3106497] addresses the gap by walking every path component of `relativePath` and rejecting the item if any intermediate component is a symlink. This prevents the kernel from resolving a symlink buried deeper in the path during the subsequent `fopen` call. The fix also ensures that cleanup on failure removes files along the symlink target, not just `finalDestination`.

Preconditions

  • authThe attacker must possess a valid EdDSA signing key that matches the Sparkle host's public key
  • inputThe malicious .delta archive must pass EdDSA signature verification
  • configThe Sparkle host must be configured to apply binary delta updates
  • configFor system-domain installs, the AppInstaller runs as root, making the write primitive root-level

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.