Updates get MitM'd by middleboxes (using shitty certs) all the time. This is why update packages are digitally signed and why many vendors simply use plain HTTP for delivery.

Yet for some reason Crowd Strike marked this as high severity with a CVSS vector indicating MitM -> full system compromise...

CVE-2025-1146

@buherator [This is pure speculation, based on unverified assumptions]

It could be a case of signature is in the archive and signs its content, not the archive? apk had that problem some years ago. You could simply add files to the archive, and those extra files would be extracted, and remain in the root fs.

@schrotthaufen That would mean there is an unrelated problem in the signing process that would deserve a separate CVE/advisory.

@buherator Fair enough.