arr-pm 0.0.11
arr-pm vulnerable to arbitrary shell execution when extracting or listing files contained in a malicious rpm
high severity CVE-2022-39224>= 0.0.12
Impact
Arbitrary shell execution is possible when using RPM::File#files and RPM::File#extract if the RPM contains a malicious "payload compressor" field.
This vulnerability impacts the extract
and files
methods of the
RPM::File
class in the affected versions of this library.
Patches
Version 0.0.12 is available with a fix for these issues.
Workarounds
When using an affected version of this library (arr-pm), ensure any RPMs being processed contain valid/known payload compressor values. Such values include: gzip, bzip2, xz, zstd, and lzma.
You can check the payload compressor field in an rpm by using the rpm command line tool. For example:
% rpm -qp example-1.0-1.x86_64.rpm --qf "%{PAYLOADCOMPRESSOR}\n"
gzip
Impact on known dependent projects
This library is used by fpm. The
vulnerability may impact fpm only when using the flag -s rpm
or
--input-type rpm
to convert a malicious rpm to another format. It does
not impact creating rpms.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.