github.com/sassoftware/go-rpmutils is vulnerable to arbitrary file write. The vulnerability exists because the extract function in cpio/extract_test.go does not restrict the file path to the dest path, allowing extraction outside the permitted cpio path.