
Add advisory for boxlite (GHSA-f396-4rp4-7v2j / CVE-2026-46703) #2900

Merged: djc merged 1 commit into rustsec:main from DorianZheng:boxlite-f396 on May 20, 2026

Conversation

@DorianZheng (Contributor)

OCI layer symlink escape → arbitrary host write in boxlite and its CLI front-end boxlite-cli. Fixed in 0.9.0 (2026-05-03), published 2026-05-16.

| Advisory | CVE | Crate(s) | Affected | Patched |
| --- | --- | --- | --- | --- |
| GHSA-f396-4rp4-7v2j | CVE-2026-46703 | boxlite, boxlite-cli | < 0.9.0 | 0.9.0 |

The vulnerable extractor lives in the boxlite core crate; boxlite-cli depends on it, so both are affected. The GitHub advisory has structured rows for pip / npm / go / rust (both crates); this PR mirrors that into RustSec for cargo audit.

Companion to #2899 (GHSA-g6ww-w5j2-r7x3). Filed under the post-disclosure crate-author path per CONTRIBUTING. Split from the original PR per @djc's feedback.
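As an added illustration of the bug class this advisory covers (a constructed example, not code from boxlite, boxlite-cli or this PR): a layer extractor that resolves every entry name lexically through the symlinks it has already created and rejects the layer as soon as any path would leave the extraction root. The `Entry` type, the `Extractor`, and the two sample layers are assumptions made for this example; the real crate's types are not shown on the page.

```rust
use std::collections::HashMap;
use std::path::{Component, Path, PathBuf};

/// One entry of a layer tarball, reduced to the two kinds that matter for
/// path confinement. Constructed for this example, not boxlite's own type.
#[derive(Debug, Clone)]
pub enum Entry {
    File { name: String },
    Symlink { name: String, target: String },
}

/// Symlink chains longer than this are treated as a loop and rejected.
const MAX_LINK_DEPTH: usize = 32;

/// Records the symlinks "created" so far, so that every later entry name is
/// resolved through them before it is accepted. Checking the entry name alone
/// is not enough: a link that leaves the root followed by a file written
/// through that link is what turns a layer into a host write.
#[derive(Default)]
pub struct Extractor {
    // normalized in-root link path -> raw target string from the entry
    symlinks: HashMap<PathBuf, PathBuf>,
}

impl Extractor {
    /// Resolve `path` (relative to the extraction root) through known symlinks
    /// without touching the filesystem. Returns the normalized in-root path, or
    /// an error as soon as any component would leave the root.
    fn resolve(&self, path: &Path, depth: usize) -> Result<PathBuf, String> {
        if depth > MAX_LINK_DEPTH {
            return Err(format!("symlink chain too deep at {}", path.display()));
        }
        let mut cur = PathBuf::new();
        for comp in path.components() {
            match comp {
                Component::CurDir => {}
                Component::RootDir | Component::Prefix(_) => {
                    return Err(format!("absolute path rejected: {}", path.display()));
                }
                Component::ParentDir => {
                    // Popping past the root means `..` escaped the extraction dir.
                    if !cur.pop() {
                        return Err(format!("path escapes root: {}", path.display()));
                    }
                }
                Component::Normal(c) => {
                    cur.push(c);
                    if let Some(target) = self.symlinks.get(&cur) {
                        // A link target is interpreted relative to the link's parent dir.
                        let parent = cur.parent().map(Path::to_path_buf).unwrap_or_default();
                        cur = self.resolve(&parent.join(target), depth + 1)?;
                    }
                }
            }
        }
        Ok(cur)
    }

    /// Validate one entry and, if it stays inside the root, record it.
    /// Any error means the whole layer should be rejected, not skipped.
    pub fn apply(&mut self, entry: &Entry) -> Result<PathBuf, String> {
        match entry {
            Entry::File { name } => self.resolve(Path::new(name), 0),
            Entry::Symlink { name, target } => {
                let link_path = self.resolve(Path::new(name), 0)?;
                // Check where the link would point before it exists on disk.
                let parent = link_path.parent().map(Path::to_path_buf).unwrap_or_default();
                self.resolve(&parent.join(target), 0)?;
                self.symlinks.insert(link_path.clone(), PathBuf::from(target));
                Ok(link_path)
            }
        }
    }
}

/// Run every entry of a layer through one extractor; the first escape rejects the layer.
pub fn check_layer(entries: &[Entry]) -> Result<Vec<PathBuf>, String> {
    let mut ex = Extractor::default();
    entries.iter().map(|e| ex.apply(e)).collect()
}

fn file(name: &str) -> Entry {
    Entry::File { name: name.to_string() }
}

fn link(name: &str, target: &str) -> Entry {
    Entry::Symlink { name: name.to_string(), target: target.to_string() }
}

/// Constructed layer with ordinary relative links: stays inside the root.
pub fn benign_layer() -> Vec<Entry> {
    vec![
        file("usr/bin/app"),
        link("bin", "usr/bin"),
        file("bin/tool"), // resolves through the link to usr/bin/tool
        link("usr/lib/libz.so", "libz.so.1"),
    ]
}

/// Constructed layer of the shape the advisory describes: a link whose target
/// leaves the root, then a file that would be written through it.
pub fn escaping_layer() -> Vec<Entry> {
    vec![link("tmp", "../../outside"), file("tmp/dropped.txt")]
}

fn main() {
    for (label, layer) in [("benign", benign_layer()), ("escaping", escaping_layer())] {
        match check_layer(&layer) {
            Ok(paths) => println!("{}: accepted, {} entries confined to root", label, paths.len()),
            Err(e) => println!("{}: rejected: {}", label, e),
        }
    }
}
```

The check is lexical on purpose: it never calls into the filesystem, so it cannot be raced by something changing the target directory between check and write, and it rejects the escaping link entry itself rather than waiting for the file that follows it.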

Comment thread crates/boxlite-cli/RUSTSEC-0000-0000.md (Outdated)
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "boxlite-cli"
```

@djc (Member)

I don't think there's any point to doing this for both crates. Any dependency graph including boxlite-cli will also include boxlite, so it should be called out anyway by the tools.

Comment thread crates/boxlite/RUSTSEC-0000-0000.md (Outdated)
Comment on lines +40 to +41:
**Patched in:** 0.9.0.
**Upgrade path:** there is no workaround; upgrade to `boxlite >= 0.9.0`.

@djc (Member)

I don't think this adds much value -- should be obvious from the metadata.

OCI layer symlink escape → arbitrary host write. Fixed in boxlite 0.9.0
(2026-05-03), published 2026-05-16.

Filed under the post-disclosure crate-author path per CONTRIBUTING.md.
Single entry on the boxlite crate; boxlite-cli inherits via dependency
graph, per @djc's review feedback.
@DorianZheng changed the title from "Add advisory for boxlite + boxlite-cli (GHSA-f396-4rp4-7v2j / CVE-2026-46703)" to "Add advisory for boxlite (GHSA-f396-4rp4-7v2j / CVE-2026-46703)" on May 20, 2026

@DorianZheng (Contributor, Author)

Thanks @djc — both points applied:

  1. Dropped crates/boxlite-cli/RUSTSEC-0000-0000.md entirely; cargo audit will surface boxlite-cli consumers through the dependency graph from the single boxlite entry.
  2. Removed the trailing **Patched in:** / **Upgrade path:** prose — already in [versions] patched.

Applied the same two fixes pre-emptively to the companion PR #2899 (GHSA-g6ww-w5j2-r7x3) for consistency.

@djc djc merged commit c6c6bfb into rustsec:main May 20, 2026
1 check passed
@DorianZheng DorianZheng deleted the boxlite-f396 branch May 20, 2026 09:50