The kubectl cp command in Kubernetes versions 1.1-1.12, and in versions prior
to 1.13.11, 1.14.7, and 1.15.4, allows a combination of two symlinks in the
tar output of a malicious container to place a file outside of the
destination directory specified in the kubectl cp invocation. An attacker
could use this to place a nefarious file, by way of a symlink, outside of
the destination tree.
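A defensive pre-extraction check for the symlink escape described above, as an added example; it is not kubectl's code or the upstream fix. The names Entry, inside, viaLink and FirstUnsafe are hypothetical, the sample entries are constructed, and the policy (POSIX paths; reject absolute link targets and any path that passes through a symlink the archive itself created) is an assumption chosen to be conservative.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

type Entry struct{ Name, Link string } // tar Name and Linkname ("" unless a symlink)

// inside reports whether the cleaned path p is dest or lies below it.
func inside(dest, p string) bool {
	rel, err := filepath.Rel(dest, filepath.Clean(p))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// viaLink reports whether walking rel from base steps through a symlink the
// archive created earlier; past that point a lexical check proves nothing.
func viaLink(links map[string]bool, base, rel string) bool {
	cur := base
	for _, part := range strings.Split(rel, "/") {
		if links[cur] {
			return true
		}
		cur = filepath.Join(cur, part)
	}
	return false
}

// FirstUnsafe returns the first entry that could land outside dest, or "".
func FirstUnsafe(dest string, entries []Entry) string {
	links := map[string]bool{} // symlinks accepted so far, by joined path
	for _, e := range entries {
		p := filepath.Join(dest, e.Name)
		if !inside(dest, p) || viaLink(links, dest, e.Name) {
			return e.Name
		}
		if e.Link != "" {
			dir := filepath.Dir(p)
			if filepath.IsAbs(e.Link) || !inside(dest, filepath.Join(dir, e.Link)) || viaLink(links, dir, e.Link) {
				return e.Name
			}
			links[p] = true
		}
	}
	return ""
}
func main() { // constructed sample: the second link's target passes through the first
	fmt.Println(FirstUnsafe("/tmp/dst", []Entry{{"d/up", ".."}, {"d/esc", "up/../.."}}))
}
```

The second sample entry passes a purely lexical check, because its cleaned target is the destination directory itself; it is rejected only because the target is walked component by component against the links already accepted.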
leosilva> kubernetes is in fact a kubernetes installer
that calls snap, not the package itself.
Upstream: not-affected (debian: Vulnerable code not present)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.10 (Eoan Ermine): needs-triage
Ubuntu 20.04 (Focal Fossa): needs-triage
Updated: 2020-03-18 21:36:07 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)