Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 8fbc64677ec4 · 2026-04-23T21:56:41.000Z
GHSA-98f2-w9h9-7fp9 GHSA-q2pw-xx38-p64j
diff --git a/advisories/github-reviewed/2026/04/GHSA-98f2-w9h9-7fp9/GHSA-98f2-w9h9-7fp9.json b/advisories/github-reviewed/2026/04/GHSA-98f2-w9h9-7fp9/GHSA-98f2-w9h9-7fp9.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-98f2-w9h9-7fp9",
+  "modified": "2026-04-23T21:53:33Z",
+  "published": "2026-04-23T21:53:33Z",
+  "aliases": [
+    "CVE-2026-29050"
+  ],
+  "summary": "melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses",
+  "details": "### Impact\n\nAn attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set `pipeline[].uses` to a value containing `../` sequences or an absolute path. The `(*Compiled).compilePipeline` function in `pkg/build/compile.go` passed `uses` directly to `filepath.Join(pipelineDir, uses + \".yaml\")` without validating the value, so the resolved path could escape each `--pipeline-dir` and read an arbitrary YAML-parseable file visible to the melange process. Because the loaded file is subsequently interpreted as a melange pipeline and its `runs:` block is executed via `/bin/sh -c` in the build sandbox, this additionally allowed shell commands sourced from an out-of-tree file to run during the build, bypassing the review boundary that normally covers the in-tree pipeline definition.\n\n### Patches\n\nFixed in melange **v0.43.4** via commit [5829ca4](https://github.com/chainguard-dev/melange/commit/5829ca45cfe14dfeb73ffb716992db3b1b7892ac). The fix rejects `uses` values that are absolute paths or contain `..`, and verifies (via `filepath.Rel` after `filepath.Clean`) that the resolved target remains within the pipeline directory.\n\n### Workarounds\n\nOnly run `melange build` against configuration files from trusted sources. In CI systems that build user-supplied melange configs, gate builds behind manual review of `pipeline[].uses` values and reject any containing `..` or leading `/`.\n\n### Credits\n\nmelange thanks Oleh Konko ([@1seal](https://github.com/1seal) from [1seal.org](https://1seal.org/)) for discovering and reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "chainguard.dev/melange"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.32.0"
+            },
+            {
+              "fixed": "0.43.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-98f2-w9h9-7fp9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/chainguard-dev/melange/commit/5829ca45cfe14dfeb73ffb716992db3b1b7892ac"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/chainguard-dev/melange"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-23T21:53:33Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-q2pw-xx38-p64j/GHSA-q2pw-xx38-p64j.json b/advisories/github-reviewed/2026/04/GHSA-q2pw-xx38-p64j/GHSA-q2pw-xx38-p64j.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q2pw-xx38-p64j",
+  "modified": "2026-04-23T21:54:10Z",
+  "published": "2026-04-23T21:54:10Z",
+  "aliases": [
+    "CVE-2026-29051"
+  ],
+  "summary": "melange has Path Traversal via .PKGINFO in --persist-lint-results",
+  "details": "### Impact\n\n`melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default.\n\n### Patches\n\nFixed in melange **v0.43.4** by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit [84f3b45](https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac)).\n\n### Workarounds\n\nDo not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact.\n\n### Credits\n\nmelange thanks Oleh Konko ([@1seal](https://github.com/1seal) from [1seal.org](https://1seal.org/)) for discovering and reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "chainguard.dev/melange"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.32.0"
+            },
+            {
+              "fixed": "0.43.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/chainguard-dev/melange/security/advisories/GHSA-q2pw-xx38-p64j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/chainguard-dev/melange"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-23T21:54:10Z",
+    "nvd_published_at": null
+  }
+}
