arr-pm 0.0.3
arr-pm vulnerable to arbitrary shell execution when extracting or listing files contained in a malicious rpm
High severity. CVE-2022-39224. Patched versions: >= 0.0.12
Impact
Arbitrary shell execution is possible when using RPM::File#files and RPM::File#extract if the RPM contains a malicious "payload compressor" field.
This vulnerability impacts the extract and files methods of the RPM::File class in the affected versions of this library.
Patches
Version 0.0.12 is available with a fix for these issues.
Workarounds
When using an affected version of this library (arr-pm), ensure any RPMs being processed contain valid/known payload compressor values. Such values include: gzip, bzip2, xz, zstd, and lzma.
You can check the payload compressor field in an rpm by using the rpm command line tool. For example:
% rpm -qp example-1.0-1.x86_64.rpm --qf "%{PAYLOADCOMPRESSOR}\n"
gzip
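To make the impact and the workaround concrete, the following Ruby snippet is an added example written for this page; it is not arr-pm's or fpm's code. It contrasts the vulnerable pattern (interpolating the untrusted PAYLOADCOMPRESSOR header into one command string that a shell parses) with a hardened version that whitelists the header values named in the workaround and returns argv for array-form process spawning, and it wraps the rpm -qp query shown above so an unpatched reader can refuse unknown RPMs before processing them. The exact decompressor argv per compressor and the helper names are assumptions for illustration.

```ruby
require "open3"

# Known-good PAYLOADCOMPRESSOR header values listed in the advisory's
# workaround, mapped to an argv that decompresses that payload. The argv per
# compressor is an assumption for this example; arr-pm's own mapping may differ.
KNOWN_COMPRESSORS = {
  "gzip"  => %w[gzip -dc],
  "bzip2" => %w[bzip2 -dc],
  "xz"    => %w[xz -dc],
  "zstd"  => %w[zstd -dc],
  "lzma"  => %w[lzma -dc],
}.freeze

class UnsafePayloadCompressor < StandardError; end

# Vulnerable pattern (illustrative, not arr-pm's actual code): the header value
# is interpolated into a single command string. A string handed to IO.popen or
# backticks is parsed by /bin/sh, so a header such as "gzip; touch /tmp/pwned"
# runs the attacker's second command before gzip ever sees the payload.
def unsafe_decompress_command(compressor)
  "#{compressor} -dc"
end

# Hardened pattern: accept only known header values and return argv, so the
# caller can use the array form (IO.popen(argv) / Open3.popen2(*argv)), which
# executes the program directly without involving a shell.
def safe_decompress_command(compressor)
  argv = KNOWN_COMPRESSORS[compressor]
  raise UnsafePayloadCompressor, "unexpected PAYLOADCOMPRESSOR #{compressor.inspect}" if argv.nil?
  argv
end

# Read the header with the rpm CLI exactly as the advisory's workaround does,
# passing arguments as an array so the file name itself cannot inject into a
# shell. rpm prints "(none)" when the header is absent. Returns nil if rpm is
# not installed or the file cannot be queried.
def payload_compressor_of(rpm_path)
  out, status = Open3.capture2("rpm", "-qp", rpm_path, "--qf", "%{PAYLOADCOMPRESSOR}")
  status.success? ? out.strip : nil
rescue Errno::ENOENT
  nil
end

# Gate for the workaround: only hand the RPM to an unpatched arr-pm (or to
# fpm -s rpm) when its payload compressor is one of the known values.
def rpm_safe_to_process?(rpm_path)
  value = payload_compressor_of(rpm_path)
  !value.nil? && KNOWN_COMPRESSORS.key?(value)
end

if $PROGRAM_NAME == __FILE__
  # Constructed header values for demonstration, not taken from a real RPM.
  ["gzip", "xz", "gzip; touch /tmp/pwned", "(none)"].each do |value|
    puts "shell string an unpatched reader would run: #{unsafe_decompress_command(value)}"
    begin
      puts "  accepted, argv = #{safe_decompress_command(value).inspect}"
    rescue UnsafePayloadCompressor => e
      puts "  rejected: #{e.message}"
    end
  end
end
```

Note that the whitelist rejects "(none)" as well as injection attempts: an RPM with no payload compressor header is not something an unpatched reader should feed into a shell string either, so failing closed on anything outside the five known values is the safe default until the library is upgraded to 0.0.12.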
Impact on known dependent projects
This library is used by fpm. The vulnerability may impact fpm only when using the flag -s rpm or --input-type rpm to convert a malicious rpm to another format. It does not impact creating rpms.
This gem version has no officially reported memory leak issues.
The author did not declare a license for this gem in the gemspec. The source code carries an Apache-2.0 license, but it is not declared in the gemspec file.
This gem version has not been yanked and is still available for use.