Control: tags -1 + confirmed

On Wed, 2026-06-24 at 16:08 +0200, Daniel Leidert wrote:
> node-tar in Bookworm is vulnerable to multiple CVEs.
>
> - CVE-2024-28863: excessive memory consumption
> - CVE-2026-23745: sanitize absolute linkpaths properly
>   (the fix opens CVE-2026-24842 and CVE-2026-31802)
> - CVE-2026-26960: do not write linkpaths through symlinks
> - CVE-2026-29786: parse root off paths before sanitizing parts
>
> By fixing CVE-2026-23745, it becomes necessary to fix CVE-2026-24842
> and CVE-2026-31802 as well, because the fix introduces the vulnerable
> code for these issues:
Please go ahead.

Regards,
Adam

