CVE-2020-29529

Name: CVE-2020-29529
Description: HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 976873

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-github-hashicorp-go-slug (PTS) | bullseye | 0.5.0-2 | fixed |
| | bookworm | 0.9.1-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-github-hashicorp-go-slug | source | (unstable) | 0.5.0-1 | | | 976873 |

Notes

https://github.com/hashicorp/go-slug/pull/12
