An attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline[].uses to a value containing ../ sequences or an absolute path. The (*Compiled).compilePipeline function in pkg/build/compile.go passed uses directly to filepath.Join(pipelineDir, uses + ".yaml") without validating the value, so the resolved path could escape each –pipeline-dir and read an arbitrary YAML-parseable file visible to the melange process. Because the …
melange lint –persist-lint-results (opt-in flag, also usable via melange build –persist-lint-results) constructs output file paths by joining –out-dir with the arch and pkgname values read from the .PKGINFO control file of the APK being linted. In affected versions these values were not validated for path separators or .. sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) …
melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <= 0.40.5. Fix: Merged Acknowledgements melange thanks Oleh Konko from 1seal for discovering and reporting this issue.
An attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive …
An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. …
An attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing Path Traversal via ../ sequences.
An attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.}} or ${{inputs.}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping.