[Pkg-javascript-devel] Bug#1107568: bookworm-pu: package node-tar-fs/2.1.3-0+deb12u1

Adrian Bunk bunk at debian.org
Mon Jun 9 21:27:12 BST 2025


Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: security at debian.org, Debian Javascript Maintainers <pkg-javascript-devel at lists.alioth.debian.org>

  * New upstream release.
    - CVE-2024-12905: symlink path traversal (Closes: #1101501)
    - CVE-2025-48387: hardlink path traversal

Each of the two new upstream releases contains just one CVE fix.

Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.
diffstat for node-tar-fs-2.1.1 node-tar-fs-2.1.3

 debian/changelog |    9 +++++++++
 index.js         |   19 +++++++++++++------
 package.json     |    2 +-
 test/index.js    |    2 +-
 4 files changed, 24 insertions(+), 8 deletions(-)

diff -Nru node-tar-fs-2.1.1/debian/changelog node-tar-fs-2.1.3/debian/changelog
--- node-tar-fs-2.1.1/debian/changelog	2021-11-02 18:56:17.000000000 +0200
+++ node-tar-fs-2.1.3/debian/changelog	2025-06-09 22:02:36.000000000 +0300
@@ -1,3 +1,12 @@
+node-tar-fs (2.1.3-0+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release.
+    - CVE-2024-12905: symlink path traversal (Closes: #1101501)
+    - CVE-2025-48387: hardlink path traversal
+
+ -- Adrian Bunk <bunk at debian.org>  Mon, 09 Jun 2025 22:02:36 +0300
+
 node-tar-fs (2.1.1-6) unstable; urgency=medium
 
   * Team upload
diff -Nru node-tar-fs-2.1.1/index.js node-tar-fs-2.1.3/index.js
--- node-tar-fs-2.1.1/index.js	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/index.js	2025-05-22 22:22:41.000000000 +0300
@@ -260,6 +260,9 @@
     var onsymlink = function () {
       if (win32) return next() // skip symlinks on win for now before it can be tested
       xfs.unlink(name, function () {
+        var dst = path.resolve(path.dirname(name), header.linkname)
+        if (!dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid symlink'))
+
         xfs.symlink(header.linkname, name, stat)
       })
     }
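Review bot: The added containment test `if (!dst.startsWith(path.resolve(cwd)))` has no path-separator boundary, so with an extraction directory of `/tmp/out` a linkname that resolves to `/tmp/out-other/x` still passes as in-tree. Anchor the comparison on the directory boundary, e.g. `var root = path.resolve(cwd)` followed by `if (dst !== root && !dst.startsWith(root + path.sep)) return next(new Error(name + ' is not a valid symlink'))`. The same prefix-only pattern appears in the hardlink hunk below (`!dst.startsWith(path.resolve(cwd))`) and should be tightened the same way. Note that `path.resolve` here is purely lexical and does not follow symlinks already created by earlier entries, unlike the `xfs.realpath` used for hardlinks; presumably that is deliberate because a symlink target may not exist yet, but a one-line comment stating that would help the next reader.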
@@ -269,13 +272,17 @@
       xfs.unlink(name, function () {
         var srcpath = path.join(cwd, path.join('/', header.linkname))
 
-        xfs.link(srcpath, name, function (err) {
-          if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
-            stream = xfs.createReadStream(srcpath)
-            return onfile()
-          }
+        xfs.realpath(srcpath, function (err, dst) {
+          if (err || !dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid hardlink'))
+
+          xfs.link(dst, name, function (err) {
+            if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+              stream = xfs.createReadStream(srcpath)
+              return onfile()
+            }
 
-          stat(err)
+            stat(err)
+          })
         })
       })
     }
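Review bot: The EPERM fallback on the new side still opens `srcpath` (`stream = xfs.createReadStream(srcpath)`) while the containment check and the `xfs.link` call were made against the resolved `dst`, so the read and the validated target can diverge if the path is re-pointed between the two calls. Reading from the validated path keeps the check and the use on the same name: `stream = xfs.createReadStream(dst)`. The enclosing onlink handler starts before this hunk, so the surrounding error handling was not reviewed here.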
diff -Nru node-tar-fs-2.1.1/package.json node-tar-fs-2.1.3/package.json
--- node-tar-fs-2.1.1/package.json	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/package.json	2025-05-22 22:22:41.000000000 +0300
@@ -1,6 +1,6 @@
 {
   "name": "tar-fs",
-  "version": "2.1.1",
+  "version": "2.1.3",
   "description": "filesystem bindings for tar-stream",
   "dependencies": {
     "chownr": "^1.1.1",
diff -Nru node-tar-fs-2.1.1/test/index.js node-tar-fs-2.1.3/test/index.js
--- node-tar-fs-2.1.1/test/index.js	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/test/index.js	2025-05-22 22:22:41.000000000 +0300
@@ -304,7 +304,7 @@
   fs.createReadStream(a)
     .pipe(tar.extract(out))
     .on('error', function (err) {
-      t.ok(/is not a valid path/i.test(err.message))
+      t.ok(/is not a valid symlink/i.test(err.message))
       fs.stat(path.join(out, '../bar'), function (err) {
         t.ok(err)
         t.end()
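Review bot: Only the expected message of the existing symlink test is updated; no test exercises the new hardlink rejection path that returns `' is not a valid hardlink'`. A companion case that extracts an archive whose hardlink entry resolves outside the output directory and asserts `/is not a valid hardlink/i.test(err.message)` would pin the second CVE fix the same way this one pins the first. The enclosing test function starts before this hunk.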

