| Name | CVE-2021-29136 |
| Description | Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| umoci (PTS) | buster | 0.4.4+dfsg-1 | vulnerable |
| bullseye | 0.4.7+ds-2 | fixed |
| bookworm | 0.4.7+ds-3 | fixed |
| sid, trixie | 0.4.7+ds-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| umoci | source | (unstable) | 0.4.7+ds-1 | | | |
Notes
[buster] - umoci <no-dsa> (Minor issue)
https://github.com/opencontainers/umoci/security/advisories/GHSA-9m95-8hx6-7p9v
https://github.com/opencontainers/umoci/commit/d9efc31daf2206f7d3fdb839863cf7a576a2eb57 (v0.4.7)