Your message dated Fri, 01 Oct 2021 18:47:23 +0000
with message-id <[email protected]>
and subject line Bug#992110: fixed in node-tar 4.4.6+ds1-3+deb10u1
has caused the Debian Bug report #992110,
regarding node-tar: CVE-2021-32803
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
992110: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992110
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-tar.

CVE-2021-32803[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7,
| 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite
| vulnerability via insufficient symlink protection. `node-tar` aims to
| guarantee that any file whose location would be modified by a symbolic
| link is not extracted. This is, in part, achieved by ensuring that
| extracted directories are not symlinks. Additionally, in order to
| prevent unnecessary `stat` calls to determine whether a given path is
| a directory, paths are cached when directories are created. This logic
| was insufficient when extracting tar files that contained both a
| directory and a symlink with the same name as the directory. This
| order of operations resulted in the directory being created and added
| to the `node-tar` directory cache. When a directory is present in the
| directory cache, subsequent calls to mkdir for that directory are
| skipped. However, this is also where `node-tar` checks for symlinks
| occur. By first creating a directory, and then replacing that
| directory with a symlink, it was thus possible to bypass `node-tar`
| symlink checks on directories, essentially allowing an untrusted tar
| file to symlink into an arbitrary location and subsequently extracting
| arbitrary files into that location, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.3,
| 4.4.15, 5.0.7 and 6.1.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32803
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803
[1] https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-tar
Source-Version: 4.4.6+ds1-3+deb10u1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Aug 2021 00:06:36 +0200
Source: node-tar
Architecture: source
Version: 4.4.6+ds1-3+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 992110 992111
Changes:
 node-tar (4.4.6+ds1-3+deb10u1) buster; urgency=medium
 .
   * Team upload
   * Remove paths from dirCache when no longer dirs
     (Closes: #992110, CVE-2021-32803)
   * Strip absolute paths more comprehensively
     (Closes: #992111, CVE-2021-32804)
Checksums-Sha1:
 da1f8deffd868192bbda80f27a42747ecd0b59ad 2956 node-tar_4.4.6+ds1-3+deb10u1.dsc
 6e7293a9641001a819a8c806e91dfdf543534ba6 8376 node-tar_4.4.6+ds1-3+deb10u1.debian.tar.xz
Checksums-Sha256:
 4daa279d22721bfe8ef67fead985f81c016fbb43af4999dec18cfa6c0e92ec26 2956 node-tar_4.4.6+ds1-3+deb10u1.dsc
 bd51020727d1de9ecc983fd63d456dd5d8bde15a00f3d1b473837aead87c3b8a 8376 node-tar_4.4.6+ds1-3+deb10u1.debian.tar.xz
Files:
 6535434262360ad19b75305b9da1330b 2956 javascript optional node-tar_4.4.6+ds1-3+deb10u1.dsc
 d85bb40a764f0ef4ae9b603d5ac02683 8376 javascript optional node-tar_4.4.6+ds1-3+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
