[Pkg-javascript-devel] Bug#993981: node-tar: CVE-2021-37712

Salvatore Bonaccorso carnil at debian.org
Thu Sep 9 09:45:52 BST 2021


Source: node-tar
Version: 6.1.7+~cs11.3.10-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-tar.

CVE-2021-37712[0]:
| The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10,
| and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code
| execution vulnerability. node-tar aims to guarantee that any file
| whose location would be modified by a symbolic link is not extracted.
| This is, in part, achieved by ensuring that extracted directories are
| not symlinks. Additionally, in order to prevent unnecessary stat calls
| to determine whether a given path is a directory, paths are cached
| when directories are created. This logic was insufficient when
| extracting tar files that contained both a directory and a symlink
| with names containing unicode values that normalized to the same
| value. Additionally, on Windows systems, long path portions would
| resolve to the same file system entities as their 8.3 "short path"
| counterparts. A specially crafted tar archive could thus include a
| directory with one form of the path, followed by a symbolic link with
| a different string that resolves to the same file system entity,
| followed by a file using the first form. By first creating a
| directory, and then replacing that directory with a symlink that had a
| different apparent name that resolved to the same entry in the
| filesystem, it was thus possible to bypass node-tar symlink checks on
| directories, essentially allowing an untrusted tar file to symlink
| into an arbitrary location and subsequently extracting arbitrary files
| into that location, thus allowing arbitrary file creation and
| overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and
| 6.1.9. The v3 branch of node-tar has been deprecated and did not
| receive patches for these issues. If you are still using a v3 release
| we recommend you update to a more recent version of node-tar. If this
| is not possible, a workaround is available in the referenced
| GHSA-qq89-hq3f-393p.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37712
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712
[1] https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
