File CVE-2025-53547.patch of Package trivy

From 00de613324df4dd930e6d231d9aae7f9dee29c76 Mon Sep 17 00:00:00 2001
From: Matt Farina <matt.farina@suse.com>
Date: Wed, 2 Jul 2025 15:10:04 -0400
Subject: [PATCH] Updating link handling

Signed-off-by: Matt Farina <matt.farina@suse.com>
(cherry picked from commit 76fdba4c8c2a4829a6b7abb48a08e51fd07fa0b3)
(cherry picked from commit 4389fa639a4d8e6836fa8df9bb70dd69c2820c12)
---
 pkg/downloader/manager.go      | 14 +++++
 pkg/downloader/manager_test.go | 94 ++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)

diff --git a/pkg/downloader/manager.go b/pkg/downloader/manager.go
index ec4056d2753..cc7850aae4b 100644
--- a/pkg/downloader/manager.go
+++ b/pkg/downloader/manager.go
@@ -852,6 +852,20 @@ func writeLock(chartpath string, lock *chart.Lock, legacyLockfile bool) error {
 		lockfileName = "requirements.lock"
 	}
 	dest := filepath.Join(chartpath, lockfileName)
+
+	info, err := os.Lstat(dest)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("error getting info for %q: %w", dest, err)
+	} else if err == nil {
+		if info.Mode()&os.ModeSymlink != 0 {
+			link, err := os.Readlink(dest)
+			if err != nil {
+				return fmt.Errorf("error reading symlink for %q: %w", dest, err)
+			}
+			return fmt.Errorf("the %s file is a symlink to %q", lockfileName, link)
+		}
+	}
+
 	return os.WriteFile(dest, data, 0644)
 }
 
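Review bot: The symlink check at `os.Lstat(dest)` and the later `os.WriteFile(dest, data, 0644)` are separate steps, and `os.WriteFile` follows symlinks, so the guard only holds if nothing can change `dest` between the two calls. If the chart directory can be modified concurrently (a shared workspace or CI cache, for example), writing to a temporary file in `chartpath` and renaming it over `dest` would close that gap, because rename replaces the directory entry instead of following a link. The check also covers only the final path component, so a symlinked parent directory or a hard link at `dest` is not detected; that may be acceptable, but it deserves a comment stating the limit. writeLock's body starts above the hunk, so the sketch below assumes `data` and `lockfileName` are as shown in the context lines.

```go
	// … unchanged: Lstat/symlink check that reports the link target …

	// Write to a temporary file in the same directory and rename it into place:
	// rename replaces dest itself rather than following a link created after the check.
	tmp, err := os.CreateTemp(chartpath, lockfileName+".tmp-*")
	if err != nil {
		return fmt.Errorf("creating temporary lock file in %q: %w", chartpath, err)
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Chmod(0644); err != nil { // CreateTemp creates the file 0600
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), dest)
```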