Closed Mario-Hofstaetter closed 2 years ago
Hi @Mario-Hofstaetter and thanks for this issue - It seems that it is when you use this on an "unknown" archive that could go outside your "sandbox". I use SharpCompress to create archives so it does not affect FluentDocker.
Having said that I do understand that I need to fix it so FluentDocker does not get blacklisted or if someone uses this as a transient dependency for their own purpose.
I'll fix it - but it is not a straight-off fix since it breaks the build on something...
Cheers, Mario :)
Thanks for looking into it!
I did look into the code and saw SharpCompress is hardly used anyway, only inside of `CompressionExtensions.UnTar`, which only seems to be used in

```csharp
public static IContainerService Export(this IContainerService service, TemplateString fqPath, bool explode = false,
    bool throwOnError = false)
```

if `explode` is set to `true`.

That however sounds like extracting an archive, rather than creating one?

I did consider forking and just uncommenting that code until the dependency is updated, but until now was too lazy to do so 😅

Maybe there is a .NET native way to extract a tar, so the SharpCompress dependency could be dropped completely.
We have been alerted by our Dependency-Track server that SharpCompress, currently used by Ductus.FluentDocker, is affected by CVE-2021-39208. See also https://nvd.nist.gov/vuln/detail/CVE-2021-39208

This has been fixed in SharpCompress >= 0.29.0.

While this is low in impact (CVSS Base Score 4.3), @mariotoffia please consider upgrading the dependency, because users of your library need to security audit this. There was an automatic PR https://github.com/mariotoffia/FluentDocker/pull/213 for this, but the SharpCompress release notes did not even mention the CVE.

Thanks ❤️
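For readers following the two threads above (the archive-escape behaviour the CVE describes, and the suggestion of a .NET-native tar extractor), here is an added example that is not FluentDocker's, SharpCompress's or either commenter's code. It uses `System.Formats.Tar` (shipped with .NET 7 and later) and makes the containment check explicit: every entry name is resolved against the destination directory and rejected if it lands outside it, which is the generic mitigation for the path-traversal class CVE-2021-39208 belongs to, not a description of SharpCompress's own fix. The class and method names (`SafeUntar`, `ResolveWithinRoot`, `Extract`) and the sample entry names in `Main` are assumptions made for the example.

```csharp
// Added example (not FluentDocker or SharpCompress code): extract a tar with
// System.Formats.Tar (.NET 7+) while refusing entries that resolve outside
// the destination directory. That escape is the class of bug behind
// CVE-2021-39208; the check below is the standard mitigation, not SharpCompress's fix.
using System;
using System.Formats.Tar;
using System.IO;

public static class SafeUntar
{
    // Resolve an archive entry name against rootDir and return the absolute
    // target path. Throws if the resolved path is not inside rootDir.
    public static string ResolveWithinRoot(string rootDir, string entryName)
    {
        string root = Path.GetFullPath(rootDir);
        // Trailing separator so "/out" does not accept "/out-evil/x" as a prefix match.
        if (!Path.EndsInDirectorySeparator(root))
            root += Path.DirectorySeparatorChar;

        // Path.Combine returns the entry unchanged when it is absolute, and
        // GetFullPath collapses "." and ".." segments, so "../x", "a/../../x"
        // and "/etc/passwd" all land outside root and fail the prefix test.
        string candidate = Path.GetFullPath(Path.Combine(root, entryName));

        bool inside = candidate.StartsWith(root, StringComparison.Ordinal)
                   || candidate == root.TrimEnd(Path.DirectorySeparatorChar); // the entry "." itself
        if (!inside)
            throw new IOException($"tar entry '{entryName}' resolves outside '{root}'");
        return candidate;
    }

    // Extract a plain (uncompressed) tar, such as the stream produced by `docker export`.
    public static void Extract(string tarPath, string destinationDir)
    {
        Directory.CreateDirectory(destinationDir);
        using FileStream input = File.OpenRead(tarPath);
        using var reader = new TarReader(input);

        TarEntry? entry;
        while ((entry = reader.GetNextEntry()) is not null)
        {
            // Validate before touching the filesystem, for every entry type.
            string target = ResolveWithinRoot(destinationDir, entry.Name);

            switch (entry.EntryType)
            {
                case TarEntryType.Directory:
                    Directory.CreateDirectory(target);
                    break;
                case TarEntryType.RegularFile:
                case TarEntryType.V7RegularFile:
                    Directory.CreateDirectory(Path.GetDirectoryName(target)!);
                    entry.ExtractToFile(target, overwrite: false);
                    break;
                default:
                    // Symbolic and hard links can point outside the root even when
                    // their own name is clean; skip them instead of trusting LinkName.
                    Console.Error.WriteLine($"skipping {entry.EntryType} entry '{entry.Name}'");
                    break;
            }
        }
    }

    public static void Main()
    {
        // Constructed entry names for the demo, not taken from a real archive.
        string root = Path.Combine(Path.GetTempPath(), "untar-demo");
        Console.WriteLine("ok: " + ResolveWithinRoot(root, "app/config.json"));
        foreach (string bad in new[] { "../escape.txt", "app/../../escape.txt", "/etc/passwd" })
        {
            try
            {
                ResolveWithinRoot(root, bad);
                Console.WriteLine($"UNEXPECTED: '{bad}' was accepted");
            }
            catch (IOException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

The check is done on the canonicalised path rather than by scanning the entry name for `..`, because a name such as `app/../../escape.txt` contains no leading `..` yet still escapes, and an absolute name bypasses `Path.Combine` entirely. Link entries are skipped deliberately: their `LinkName` is a second, independent path that the containment check on `Name` says nothing about.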