CVE-2026-42574: apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the sanitizePath helper in pkg/apk/fs/rwosfs.go, which rejected only lexical .. traversal and did not resolve or refuse symlinks. Every disk-backed DirFS method that handed its caller-supplied path to a symlink-following stdlib call — ReadFile, WriteFile, Chmod, Chown, Chtimes, MkdirAll, Mkdir, and Mknod — was affected. The reachable primitive from a malicious APK during tar extraction is the MkdirAll / Mkdir / WriteFile chain via apko build-cpio and disk-backed consumers such as melange; the remaining sinks are reachable by direct callers of the pkg/apk/fs package. The in-memory tarfs install path used by apko build, apko publish, and apko build-minirootfs is not affected.