Listen to this Post
The vulnerability resides in the `retrieveWorkspace` function of the melange build system’s QEMU runner. When building packages in a virtualized environment, melange uses QEMU to run a guest VM. After execution, the guest’s workspace is sent to the host as a tar archive via a virtualized serial device. The `retrieveWorkspace` function on the host extracts this incoming tar stream. The function fails to properly sanitize file paths within the archive before extraction. An attacker with control over the guest VM, or who can maliciously influence the data sent over this channel, can craft a tar entry containing path traversal sequences (e.g., ../../etc/passwd). During extraction on the host, these sequences are not normalized or confined to the intended workspace directory, leading to arbitrary file write anywhere the host process has permissions.
Platform: melange
Version: Pre-6e243d0d
Vulnerability: Path Traversal
Severity: Critical
Date: 2026-02-03
Prediction: Patched 2026-02-03
What Undercode Say:
Checking for the vulnerable function pattern grep -n "retrieveWorkspace" pkg/runner/qemu.go Simulating malicious tar creation tar cvf payload.tar ../../../../tmp/exploit
How Exploit:
1. Compromise build guest.
2. Craft tar with `../` paths.
3. Send to host via serial.
Protection from this CVE:
Update to commit `6e243d0d` or later. Implement path sanitization before file extraction.
Impact:
Host system arbitrary file write. Potential full host compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

