"Prior to Binwalk v2.3.3, extracted archives could create symlinks which point anywhere on the file system, potentially resulting in a directory traversal attack if subsequent extraction utilties blindly follow these symlinks. More generically, Binwalk makes use of many third-party extraction utilties which may have unpatched security issues; Binwalk v2.3.3 and later allows external extraction tools to be run as an unprivileged user using the `run-as` command line option (this requires Binwalk itself to be run with root privileges). Additionally, Binwalk v2.3.3 and later will refuse to perform extraction as root unless `--run-as=root` is specified."
Please cleanup
Why would this depend on binwalk-2.3.4? Anyway, cleanup was done in 8875a03087f1a8c5bc3d8615ea510dceae16d799.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=a522416d0d59ed1f4e1d69e41885666abf6d880a commit a522416d0d59ed1f4e1d69e41885666abf6d880a Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-09-17 06:32:11 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-09-17 06:33:22 +0000 [ GLSA 202309-07 ] Binwalk: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/820614 Bug: https://bugs.gentoo.org/903652 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202309-07.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+)
