NIXPKGS-2026-0552
GitHub issue
published 3 months, 2 weeks ago
CVE-2026-29064
8.2 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
by @mweinelt
Activity log
- Created suggestion
- @mweinelt accepted
- @mweinelt published on GitHub
Zarf: Symlink targets in archives are not validated against destination directory
Zarf is an Airgap Native Package Manager for Kubernetes. From version 0.54.0 up to but not including version 0.73.1, a path traversal vulnerability in archive extraction allows a specially crafted Zarf package to create symlinks pointing outside the destination directory, enabling arbitrary file read or write on the system processing the package. This issue has been patched in version 0.73.1.
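The check that the advisory describes as missing, written as an added illustration rather than Zarf's own code: before an archive extractor creates a symlink entry, both the link's own path and its resolved target must lie inside the extraction root. The helper names (`checkSymlinkEntry`, `within`) and the sample entries are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errSymlinkEscape = errors.New("symlink target escapes destination directory")

// checkSymlinkEntry validates one symlink entry from an archive before it is
// created on disk. dest is the extraction root, name is the entry path as
// stored in the archive, target is the link target stored in the archive.
// It returns the absolute link path only if both the link location and its
// resolved target stay inside dest; everything else is rejected.
func checkSymlinkEntry(dest, name, target string) (string, error) {
	root, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	// Where the link itself would be created (Join cleans any "..").
	linkPath := filepath.Join(root, name)
	if !within(root, linkPath) {
		return "", fmt.Errorf("link path %q escapes %q", name, root)
	}
	// An absolute target resolves from the filesystem root, never from dest.
	if filepath.IsAbs(target) {
		return "", errSymlinkEscape
	}
	// A relative target resolves from the link's own directory, not from dest.
	resolved := filepath.Join(filepath.Dir(linkPath), target)
	if !within(root, resolved) {
		return "", errSymlinkEscape
	}
	return linkPath, nil
}

// within reports whether p equals root or lies below it, after cleaning.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

func main() {
	for _, e := range [][2]string{ // constructed sample archive entries
		{"bin/tool", "../lib/real-tool"},         // stays inside dest: allowed
		{"etc/passwd", "../../../../etc/passwd"}, // climbs out of dest: rejected
		{"cfg", "/etc/shadow"},                   // absolute target: rejected
	} {
		_, err := checkSymlinkEntry("/tmp/zarf-extract", e[0], e[1])
		fmt.Printf("%-12s -> %-24s %v\n", e[0], e[1], err)
	}
}
```

This is a lexical check on the archive's stored paths; an extractor must additionally make sure that later entries are not written through a symlink it created earlier (for example by creating symlinks last, or by refusing to write when any parent component is a link).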
References
- https://github.com/zarf-dev/zarf/security/advisories/GHSA-hcm4-6hpj-vghm (x_refsource_CONFIRM)
- https://github.com/zarf-dev/zarf/releases/tag/v0.73.1 (x_refsource_MISC)
Affected products
zarf
- >= 0.54.0, < 0.73.1
Matching in nixpkgs
pkgs.zarf
DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev
pkgs.idrisPackages.hezarfen
Theorem prover for intuitionistic propositional logic in Idris, with metaprogramming features
- nixos-unstable 2018-02-03
- nixpkgs-unstable 2018-02-03
- nixos-unstable-small 2018-02-03
Package maintainers
- @brainrake Marton Boros <martonboros@gmail.com>
- @ragingpastry Nick Wilburn <senior.crepe@gmail.com>