A vulnerability in the apk-tools package used by Alpine Linux could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability exists because the affected software improperly handles symbolic and hard file links when extracting the contents of an Alpine Package Keeper (APK) file. An attacker could exploit the vulnerability by providing an APK file that submits malicious input to the system via an attacker-controlled package repository or a man-in-the-middle attack. When files are extracted from the APK package, the attacker could manipulate how the affected software handles symbolic and hard file links to create a persistent file in the /etc/apk/commit_hooks.d/ directory that will survive cleanup processes and be executed by the apk process before exiting. A successful exploit could allow the attacker to execute arbitrary code and completely compromise the system.
Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.
The Alpine Linux project confirmed the vulnerability and released software updates.