CVE-2020-14352: 
NixOS vulnerability analysis and mitigation

A directory traversal vulnerability (CVE-2020-14352) was discovered in librepo versions before 1.12.1. The vulnerability stems from the software's failure to properly sanitize paths in remote repository metadata. This vulnerability was discovered by Sergei Iudin and was publicly disclosed on August 30, 2020 (NVD).

The vulnerability exists in the preparerepodownloadstdtarget() and preparerepodownloadzcktarget() functions in yum.c. These functions concatenate 'handle->destdir' and 'record->locationhref' without proper path validation, potentially allowing path traversal via malformed location paths like '../../../../'. The vulnerability has a CVSS v3.1 base score of 8.0 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD, [Red Hat Bugzilla](https://bugzilla.redhat.com/showbug.cgi?id=1866498)).

An attacker controlling a remote repository could potentially copy files outside of the destination directory on the targeted system via path traversal. Since DNF runs as root, this vulnerability could lead to system compromise through the overwriting of critical system files. The highest threat from this flaw affects users that make use of untrusted third-party repositories (NVD).

The vulnerability was fixed in librepo version 1.12.1. The fix includes proper path validation for paths read from repomd.xml. For systems that cannot be immediately updated, the recommended mitigation is to avoid downloading software from untrusted third-party mirrors. Red Hat users operating with official repositories are protected as these repositories are fully trusted and controlled by Red Hat (Red Hat Bugzilla).