[Pkg-javascript-devel] Bug#992110: node-tar: CVE-2021-32803

Salvatore Bonaccorso carnil at debian.org
Wed Aug 11 20:00:11 BST 2021


Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-tar.

CVE-2021-32803[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7,
| 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite
| vulnerability via insufficient symlink protection. `node-tar` aims to
| guarantee that any file whose location would be modified by a symbolic
| link is not extracted. This is, in part, achieved by ensuring that
| extracted directories are not symlinks. Additionally, in order to
| prevent unnecessary `stat` calls to determine whether a given path is
| a directory, paths are cached when directories are created. This logic
| was insufficient when extracting tar files that contained both a
| directory and a symlink with the same name as the directory. This
| order of operations resulted in the directory being created and added
| to the `node-tar` directory cache. When a directory is present in the
| directory cache, subsequent calls to mkdir for that directory are
| skipped. However, this is also where `node-tar` checks for symlinks
| occur. By first creating a directory, and then replacing that
| directory with a symlink, it was thus possible to bypass `node-tar`
| symlink checks on directories, essentially allowing an untrusted tar
| file to symlink into an arbitrary location and subsequently extracting
| arbitrary files into that location, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.3,
| 4.4.15, 5.0.7 and 6.1.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32803
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803
[1] https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
