MEDIUM🇬🇧 English

CVE-2026-29051

CVSS 4.4v3.1pub. 2026-04-24upd. 2026-04-27

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. The issue is fixed in melange v0.43.4 by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit 84f3b45). As a workaround, do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact.

oryginał EN
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
  • Chainguard Melange

    APP
    Chainguard
    0.32.0 – 0.43.4 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path Traversal
CWE
Referencje

Powiązane podatności

CVE-2026-24843HIGH8.2ten sam produkt

melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an...

CVE-2026-24844HIGH7.9ten sam produkt

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, a...

CVE-2026-25143HIGH7.8ten sam produkt

melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, ...

CVE-2026-29050MEDIUM6.1ten sam produkt

melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior t...

CVE-2026-29049MEDIUM4.3ten sam produkt

melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior, melange u...