CVE-2024-24579— stereoscope 路径遍历漏洞

Tar path traversal in stereoscope when processing OCI tar archives

stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

对路径名的限制不恰当(路径遍历)

stereoscope 路径遍历漏洞

stereoscope是用于处理容器映像内容、图层文件树和压缩文件树的库。 stereoscope 0.0.1之前版本存在路径遍历漏洞，该漏洞源于当 Stereoscope 尝试取消存档内容时，将导致写入取消存档临时目录之外的路径。

N/A

N/A