"Prior to Binwalk v2.3.3, extracted archives could create symlinks which point anywhere on the file system, potentially resulting in a directory traversal attack if subsequent extraction utilities blindly follow these symlinks. More generically, Binwalk makes use of many third-party extraction utilities which may have unpatched security issues; Binwalk v2.3.3 and later allows external extraction tools to be run as an unprivileged user using the `run-as` command line option (this requires Binwalk itself to be run with root privileges). Additionally, Binwalk v2.3.3 and later will refuse to perform extraction as root unless `--run-as=root` is specified."
Why would this depend on binwalk-2.3.4?
Anyway, cleanup was done in 8875a03087f1a8c5bc3d8615ea510dceae16d799.
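One defensive way to catch the symlink escape described in the quoted text before handing an extraction tree to further extraction utilities, as an added example (not Binwalk's own fix, which this page does not show): walk the extracted tree and flag every symlink whose resolved target lies outside the extraction root. The function name `find_escaping_symlinks` and the constructed directory layout built by `demo` are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(extract_root: str) -> list[str]:
    """Return paths (relative to extract_root) of symlinks whose target
    resolves outside the extraction directory.

    Both relative links climbing above the root ("../../x") and absolute
    links ("/etc/passwd") are reported; dangling targets are handled because
    os.path.realpath does not require the target to exist.
    """
    root = Path(extract_root).resolve()
    escaping = []
    # followlinks=False: never descend into a symlinked directory, so a link
    # out of the tree cannot make us walk arbitrary filesystem locations.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = Path(os.path.realpath(p))
            try:
                target.relative_to(root)  # in-tree target: fine
            except ValueError:
                escaping.append(str(p.relative_to(root)))
    return sorted(escaping)


def demo() -> list[str]:
    """Build a constructed extraction directory (not real firmware) with one
    in-tree symlink and two links that escape the tree, then scan it."""
    base = Path(tempfile.mkdtemp())
    root = base / "_firmware.bin.extracted"
    (root / "etc").mkdir(parents=True)
    (root / "etc" / "hostname").write_text("device\n")
    # Safe: relative link that stays inside the extraction root.
    os.symlink("hostname", root / "etc" / "hostname.lnk")
    # Escaping: relative link climbing above the extraction root.
    os.symlink("../../outside", root / "etc" / "shadow")
    # Escaping: absolute link to an arbitrary filesystem location.
    os.symlink(os.path.join(os.sep, "some", "absolute", "path"), root / "root_link")
    return find_escaping_symlinks(str(root))


if __name__ == "__main__":
    print(demo())  # ['etc/shadow', 'root_link']
```

Run this check on the extraction directory before invoking any third-party extractor on it, and treat a non-empty result as a reason to stop.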
The bug has been referenced in the following commit(s):
Author: GLSAMaker <email@example.com>
AuthorDate: 2023-09-17 06:32:11 +0000
Commit: Sam James <firstname.lastname@example.org>
CommitDate: 2023-09-17 06:33:22 +0000
[ GLSA 202309-07 ] Binwalk: Multiple Vulnerabilities
Signed-off-by: GLSAMaker <email@example.com>
Signed-off-by: Sam James <firstname.lastname@example.org>
glsa-202309-07.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)