GHSA-p799-q2pr-6mxj: go.rgst.io/stencil/v2 vulnerable to Path Traversal

Impact

The library used to extract archives (github.com/jaredallard/archives) was vulnerable to the “zip slip” vulnerability. This is used to extract native extension archives and repository source archives. A native extension or repository archive could be crafted in such a way where a remote code execution or modification/reading of a file is possible using the user who is running stencil.

The severity is marked as “medium” because native extensions have always considered to be “unsafe” to run when not trusted. Native extensions are arbitrary code being ran, which could always do this same exploit with less steps. The medium severity is to reflect that this could be done even when a user is not using a native extension, for example a repository source archive. However, one would need to mutate the archives provided by Github or perform some hackery with links, which may not be possible. Thus, “medium” is used out of an abundance of caution where I would’ve labeled this as "low".

Patches

Patched in 2.3.0 and above.

Workarounds

No workarounds are present.

References

GHSA-j95m-rcjp-q69h

References

• GHSA-j95m-rcjp-q69h
• GHSA-p799-q2pr-6mxj
• rgst-io/stencil#255
• rgst-io/stencil@5482fca