CVE-2022-4572: 
Python vulnerability analysis and mitigation

A path traversal vulnerability was discovered in UBI Reader versions up to 0.8.0, identified as CVE-2022-4572. The vulnerability affects the ubireaderextractfiles function in the ubireader/ubifs/output.py component of the UBIFS File Handler. The issue was disclosed on December 16, 2022 and has been fixed in version 0.8.5 (NVD, GitHub PR).

The vulnerability stems from improper validation of file paths during extraction. The ubireaderextractfiles function would consider node names (dent_node.name) as trusted input and join them directly to the extraction directory path during processing. This implementation allowed for path traversal through specially crafted UBIFS files containing malicious node names with path traversal payloads (e.g., '../../tmp/outside.txt'). The issue has been assigned a CVSS v3.1 Base Score of 7.1 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) (NVD).

When exploited, this vulnerability could allow an attacker to write files outside of the intended extraction directory, potentially overwriting existing files on the system. The impact is particularly severe if the UBI Reader is run with elevated privileges, which is sometimes necessary for creating block devices (GitHub PR).

The vulnerability has been fixed in UBI Reader version 0.8.5. The fix implements proper path validation through a new issafepath function that checks if the target path stays within the intended base directory. Users are strongly recommended to upgrade to version 0.8.5 or later to address this security issue (GitHub Patch).