CVE-2021-29136: umoci 0.4.6 and earlier can be tricked into modifying host files by creating a malicious layer that has a symlink with the name "." (or "/"). Because umoci deletes inodes if they change types, this results in the rootfs directory being replaced with an attacker-controlled symlink. Subsequent image layers will then be applied on top of the target of the symlink (which could be any directory on the host filesystem the user running umoci has access to). While umoci does have defences against symlink-based attacks, they are all implemented by resolving things relative to the rootfs directory -- if the rootfs itself is a symlink, umoci resolves it first. This vulnerability affects both "umoci unpack" and "umoci raw unpack". Fixed in 0.4.7. Please bump.
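A defensive illustration of the entry shape described above, added here and not part of umoci or this bug report: a scan over an OCI layer tarball that flags symlink or hardlink entries whose cleaned name is the layer root ("." or "/"), plus entries escaping via "..". The layer is a constructed in-memory fixture, `suspiciousLayerEntries` and `buildLayer` are hypothetical names, and the link target is a placeholder.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// suspiciousLayerEntries scans a layer tarball and returns the names of entries
// that target the layer root itself (a symlink/hardlink named "." or "/", the
// case in this bug) or escape it via "..". Hypothetical check, not umoci's code.
func suspiciousLayerEntries(layer io.Reader) ([]string, error) {
	var flagged []string
	tr := tar.NewReader(layer)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return flagged, nil
		}
		if err != nil {
			return nil, err
		}
		clean := path.Clean(hdr.Name) // ".", "./", "//" normalise to "." or "/"
		isRootLink := (hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink) && (clean == "." || clean == "/")
		escapes := clean == ".." || strings.HasPrefix(clean, "../")
		if isRootLink || escapes {
			flagged = append(flagged, hdr.Name)
		}
	}
}

// buildLayer constructs a fixture layer: one benign file and a symlink named "." (placeholder target; write errors ignored).
func buildLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "etc/hostname", Typeflag: tar.TypeReg, Mode: 0o644, Size: 4})
	tw.Write([]byte("box\n"))
	tw.WriteHeader(&tar.Header{Name: ".", Typeflag: tar.TypeSymlink, Linkname: "/PLACEHOLDER/host/dir", Mode: 0o777})
	tw.Close()
	return buf.Bytes()
}

func main() {
	flagged, _ := suspiciousLayerEntries(bytes.NewReader(buildLayer()))
	fmt.Println("flagged entries:", flagged)
}
```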
According to upstream, <sys-cluster/singularity-3.7.3 is vulnerable to this as well.