[Pkg-javascript-devel] Bug#992111: node-tar: CVE-2021-32804

Salvatore Bonaccorso carnil at debian.org
Wed Aug 11 20:00:55 BST 2021


Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-tar.

CVE-2021-32804[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6,
| 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite
| vulnerability due to insufficient absolute path sanitization. node-tar
| aims to prevent extraction of absolute file paths by turning absolute
| paths into relative paths when the `preservePaths` flag is not set to
| `true`. This is achieved by stripping the absolute path root from any
| absolute file paths contained in a tar file. For example
| `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic
| was insufficient when file paths contained repeated path roots such as
| `////home/user/.bashrc`. `node-tar` would only strip a single path
| root from such paths. When given an absolute file path with repeating
| path roots, the resulting path (e.g. `///home/user/.bashrc`) would
| still resolve to an absolute path, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.2,
| 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability
| without upgrading by creating a custom `onentry` method which
| sanitizes the `entry.path` or a `filter` method which removes entries
| with absolute paths. See referenced GitHub Advisory for details. Be
| aware of CVE-2021-32803 which fixes a similar bug in later versions of
| tar.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804
[1] https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


