Source: node-tar-fs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-tar-fs.

CVE-2024-12905[0]:
| An Improper Link Resolution Before File Access ("Link Following")
| and Improper Limitation of a Pathname to a Restricted Directory
| ("Path Traversal"). This vulnerability occurs when extracting a
| maliciously crafted tar file, which can result in unauthorized file
| writes or overwrites outside the intended extraction directory. The
| issue is associated with index.js in the tar-fs package. This issue
| affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2,
| from 3.0.0 before 3.0.8.

https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed (v3.0.7)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-12905
    https://www.cve.org/CVERecord?id=CVE-2024-12905

Please adjust the affected versions in the BTS as needed.