CVE-2024-1485: 
NixOS vulnerability analysis and mitigation

CVE-2024-1485 is a vulnerability discovered in the decompression function of registry-support. The vulnerability was reported on February 13, 2024, and affects the registry-support library versions prior to 0.0.0-20240206. The flaw allows an unauthenticated remote attacker to trick a user into parsing a devfile that uses the 'parent' or 'plugin' keywords, which could lead to unauthorized file manipulation (NVD, GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-22 and CWE-23) where the decompression function fails to properly validate user-supplied data. The flaw specifically occurs when processing .tar archives, where the cleanup process incorrectly handles relative paths, potentially allowing operations outside the intended directory scope. The vulnerability has received a CVSS v3.1 base score of 9.3 (Critical) from NIST and 8.0 (High) from Red Hat, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow attackers to overwrite or delete files outside of the intended archive directory. This poses a significant risk as it could lead to unauthorized file system modifications beyond the intended scope of the application (Red Hat Bugzilla).

The vulnerability has been patched in version 0.0.0-20240206 of registry-support. The fix involves implementing proper path cleaning functionality that ensures no filepath can leave the confines of its parent directory by escaping out. The patch adds a leading slash to all filepaths before the cleaning process and removes any redundant double slashes (Registry Support Commit).