
Cloud Vulnerability DB
A community-led vulnerabilities database
Deepin-Compressor, the default archive manager of Deepin Linux OS, was found to contain a path traversal vulnerability (CVE-2023-50255) prior to version 5.12.21. The vulnerability was discovered and reported by security researcher Febin, with a CVSS v3.1 score of 9.3 (CRITICAL) according to GitHub's assessment (GitHub Advisory).
The vulnerability stems from improper validation of file names during the decompression of zip archives. When processing archive contents, the application fails to properly sanitize file paths, allowing attackers to use '../' prefixes in filenames to achieve path traversal. This vulnerability is classified under multiple CWE categories including CWE-23 (Relative Path Traversal), CWE-22 (Path Traversal), and CWE-26 (Path Traversal: '/dir/../filename') (NVD).
The vulnerability gives an attacker an arbitrary file write on the victim's filesystem, which can be escalated to Remote Code Execution (RCE). A crafted archive can drop a malicious desktop entry under the ~/.config/autostart directory, where it would be executed the next time the user's session starts. This makes the flaw a significant risk, since it allows an attacker to gain unauthorized access to the system and run code of their choosing (Security Online).
Users are strongly advised to update to Deepin-Compressor version 5.12.21 or later, which contains the fix for this vulnerability. The patch implements proper validation of file paths during archive extraction. There are no known workarounds for affected versions (NVD).
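The following is an added example, not Deepin-Compressor's own code (which is C++/Qt) and not the actual patch: it shows the kind of entry-name validation the fix is described as adding, and why a check on the raw name is not enough on its own. The archives, file names and the helper functions (`is_safe_member`, `scan_archive`, `safe_extract`, `extract_to_tempdir`, `rejects`) are all constructed for this illustration. The hostile sample mirrors the shape described above: a `../` prefix aimed at the autostart directory.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_member(name: str) -> bool:
    """Return True if a zip entry name cannot leave the extraction root.

    Rejects empty names, absolute paths, Windows drive letters, and any '..'
    component, whether it is a leading '../x' or buried as 'a/../../x'.
    """
    norm = name.replace("\\", "/")  # some archivers emit backslashes
    if not norm or norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    return ".." not in PurePosixPath(norm).parts


def scan_archive(zip_bytes: bytes) -> list[str]:
    """Return the entry names that fail the name-level check (empty = clean)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n)]


def safe_extract(zip_bytes: bytes, dest: Path) -> list[str]:
    """Extract an archive into dest, refusing anything that would escape it.

    Raises ValueError instead of silently skipping bad entries, so a caller
    learns that the archive is hostile. Returns the names actually written.
    """
    dest = dest.resolve()
    bad = scan_archive(zip_bytes)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            # Second, filesystem-level check: after resolving symlinks the
            # target must still sit under dest. This catches cases the name
            # check cannot, such as a directory symlink created by an earlier
            # entry pointing outside the destination.
            if target != dest and dest not in target.parents:
                raise ValueError(f"entry escapes destination: {info.filename}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def extract_to_tempdir(zip_bytes: bytes) -> list[str]:
    """Convenience wrapper: extract into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(zip_bytes, Path(tmp))


def rejects(zip_bytes: bytes) -> bool:
    """True if safe extraction refuses the archive."""
    try:
        extract_to_tempdir(zip_bytes)
    except ValueError:
        return True
    return False


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}. zipfile.writestr stores
    the name verbatim, so it can produce the malformed entries we want to test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not taken from the advisory).
BENIGN_ZIP = build_archive({"docs/readme.txt": b"hello"})
HOSTILE_ZIP = build_archive({
    "../../.config/autostart/payload.desktop": b"[Desktop Entry]\n",
    "docs/readme.txt": b"hello",
})

if __name__ == "__main__":
    print("benign  ->", extract_to_tempdir(BENIGN_ZIP))
    print("hostile ->", "rejected" if rejects(HOSTILE_ZIP) else "ACCEPTED (bug)")
```

Two points worth noting for anyone auditing an extractor: the name check must look at every path component, not just a leading `../`, because `a/../../x` escapes just as well; and because extraction creates filesystem state as it goes, the resolved target should be re-checked against the destination for each entry rather than trusting the name alone.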
Source: This report was generated using AI