
Cloud Vulnerability DB
A community-led vulnerabilities database
Arr-pm, a Ruby library for reading and writing RPM files, was found to contain a critical vulnerability (CVE-2022-39224) in versions prior to 0.0.12. The vulnerability, discovered and reported by Joern Schneeweisz, allows OS command injection through a malicious 'payload compressor' field in an RPM file (GitHub Advisory).
The vulnerability affects the extract and files methods of the RPM::File class. When processing RPM files, the library would execute shell commands based on the payload compressor field without proper validation, potentially leading to arbitrary code execution. The vulnerability has been assigned a CVSS v3.1 score of 7.0 (High) with a vector string of CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory).
If exploited, this vulnerability could allow attackers to execute arbitrary shell commands through specially crafted RPM files. This particularly affects systems that process untrusted RPM files using the arr-pm library. The vulnerability impacts projects dependent on arr-pm, notably including the 'fpm' tool when converting RPM files to other formats (GitHub Advisory).
The vulnerability has been patched in version 0.0.12 of the arr-pm library. For users unable to upgrade immediately, a workaround is available by ensuring that RPMs being processed contain only valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field can be verified using the rpm command line tool (GitHub Advisory).
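As an added illustration that is not arr-pm's own code, the following Ruby applies the workaround described above: the payload compressor value is checked against the allowlist of known compressors before use, and the decompressor is invoked as an argv array so no shell ever parses the field. The names validate_payload_compressor, decompressor_argv and decompress_payload are assumed for this example; the PAYLOADCOMPRESSOR tag mentioned in the comment is the standard rpm query tag for that header field.

```ruby
require "open3"
require "zlib"

# Allowlist from the advisory's workaround. Before calling extract/files on
# an untrusted RPM, the same field can be inspected from the command line:
#   rpm -qp --queryformat '%{PAYLOADCOMPRESSOR}\n' package.rpm
KNOWN_COMPRESSORS = %w[gzip bzip2 xz zstd lzma].freeze

class UnknownCompressor < StandardError; end

# Returns the compressor name if it is one of the known values; otherwise
# raises, so nothing derived from the field reaches a command at all.
def validate_payload_compressor(value)
  name = value.to_s
  unless KNOWN_COMPRESSORS.include?(name)
    raise UnknownCompressor, "rejecting payload compressor #{name.inspect}"
  end
  name
end

# Builds the decompressor command as an argv array. Passing an array to
# Open3/IO.popen bypasses /bin/sh, unlike a single interpolated string such
# as "#{compressor} -d", which is the shell-parsed pattern the advisory
# describes; with an array, shell metacharacters are inert argument text.
def decompressor_argv(compressor)
  [validate_payload_compressor(compressor), "-d"]
end

# Decompresses raw payload bytes using the validated compressor, without a
# shell. Returns the decompressed bytes or raises on a non-zero exit.
def decompress_payload(compressor, payload_bytes)
  argv = decompressor_argv(compressor)
  out, status = Open3.capture2(*argv, stdin_data: payload_bytes, binmode: true)
  raise "#{argv.first} exited with status #{status.exitstatus}" unless status.success?
  out
end

# Constructed sample payload (not from a real RPM): gzip-compressed bytes
# produced in-process so the example runs offline.
def sample_gzip_payload
  Zlib.gzip("constructed sample payload")
end
```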
Source: This report was generated using AI