melange: Incomplete package integrity verification allows data section substitution
High severity
GitHub Reviewed
Published
Jun 3, 2026
in
chainguard-dev/melange
•
Updated Jul 10, 2026
Description
Published to the GitHub Advisory Database
Jul 10, 2026
Reviewed
Jul 10, 2026
Last updated
Jul 10, 2026
Previously, Apko verified the control section hash (
.PKGINFOetc.) against the signedAPKINDEX, but never verified the data section hash (the actual package files that get installed). An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file contents while the control hash check still passed.References