NIXPKGS-2026-0092

GitHub issue published 4 months, 2 weeks ago

Permalink CVE-2026-24843

8.2 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 4 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse ignored
6 packages
- ocamlPackages.melange
- ocamlPackages.melange-json
- ocamlPackages.melange-json-native
- ocamlPackages_latest.melange
- ocamlPackages_latest.melange-json
- ocamlPackages_latest.melange-json-native
4 months, 2 weeks ago
@LeSuisse accepted 4 months, 2 weeks ago
@LeSuisse published on GitHub 4 months, 2 weeks ago

melange QEMU runner could write files outside workspace directory

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.

References

https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4 x_refsource_CONFIRM
https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b x_refsource_MISC

Affected products

melange

==>= 0.11.3, < 0.40.3

Matching in nixpkgs

pkgs.melange

Build APKs from source code

nixos-unstable 0.34.1
- nixpkgs-unstable 0.34.1
- nixos-unstable-small 0.40.0

Ignored packages (6)

pkgs.ocamlPackages.melange

Toolchain to produce JS from Reason/OCaml

nixos-unstable 6.0.1-53
- nixpkgs-unstable 6.0.1-53
- nixos-unstable-small 6.0.1-53

pkgs.ocamlPackages.melange-json

Compositional JSON encode/decode library and PPX for Melange and OCaml

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.ocamlPackages_latest.melange

Toolchain to produce JS from Reason/OCaml

nixos-unstable 6.0.1-54
- nixpkgs-unstable 6.0.1-54
- nixos-unstable-small 6.0.1-54

pkgs.ocamlPackages.melange-json-native

Compositional JSON encode/decode PPX for OCaml

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.ocamlPackages_latest.melange-json