An attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts.
Fix: Merged in commit 2f95c9f4
Acknowledgements
melange thanks Oleh Konko (@1seal) from 1seal for discovering and reporting this issue.
0.40.3Exploitability
AV:LAC:LPR:NUI:RScope
S:UImpact
C:HI:NA:N5.5/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N