Source: node-tar
Version: 6.1.7+~cs11.3.10-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for node-tar.

CVE-2021-37712[0]:
| The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10,
| and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code
| execution vulnerability. node-tar aims to guarantee that any file
| whose location would be modified by a symbolic link is not extracted.
| This is, in part, achieved by ensuring that extracted directories are
| not symlinks. Additionally, in order to prevent unnecessary stat calls
| to determine whether a given path is a directory, paths are cached
| when directories are created. This logic was insufficient when
| extracting tar files that contained both a directory and a symlink
| with names containing unicode values that normalized to the same
| value. Additionally, on Windows systems, long path portions would
| resolve to the same file system entities as their 8.3 "short path"
| counterparts. A specially crafted tar archive could thus include a
| directory with one form of the path, followed by a symbolic link with
| a different string that resolves to the same file system entity,
| followed by a file using the first form. By first creating a
| directory, and then replacing that directory with a symlink that had a
| different apparent name that resolved to the same entry in the
| filesystem, it was thus possible to bypass node-tar symlink checks on
| directories, essentially allowing an untrusted tar file to symlink
| into an arbitrary location and subsequently extracting arbitrary files
| into that location, thus allowing arbitrary file creation and
| overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and
| 6.1.9. The v3 branch of node-tar has been deprecated and did not
| receive patches for these issues. If you are still using a v3 release
| we recommend you update to a more recent version of node-tar. If this
| is not possible, a workaround is available in the referenced GHSA-
| qq89-hq3f-393p.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37712
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712
[1] https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore