Your message dated Sun, 30 Mar 2025 20:55:15 +0000
with message-id <e1tyzgz-00e2o8...@fasolo.debian.org>
and subject line Bug#1101501: fixed in node-tar-fs 3.0.8+~cs2.0.4-1
has caused the Debian Bug report #1101501,
regarding node-tar-fs: CVE-2024-12905
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1101501: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101501
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-tar-fs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-tar-fs.

CVE-2024-12905[0]:
| An Improper Link Resolution Before File Access ("Link Following")
| and Improper Limitation of a Pathname to a Restricted Directory
| ("Path Traversal"). This vulnerability occurs when extracting a
| maliciously crafted tar file, which can result in unauthorized file
| writes or overwrites outside the intended extraction directory. The
| issue is associated with index.js in the tar-fs package.  This issue
| affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2,
| from 3.0.0 before 3.0.8.

https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed (v3.0.7)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-12905
    https://www.cve.org/CVERecord?id=CVE-2024-12905

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: node-tar-fs
Source-Version: 3.0.8+~cs2.0.4-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-tar-fs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1101...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-tar-fs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 30 Mar 2025 21:36:46 +0200
Source: node-tar-fs
Architecture: source
Version: 3.0.8+~cs2.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1101501
Changes:
 node-tar-fs (3.0.8+~cs2.0.4-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.2
   * New upstream version (Closes: #1101501, CVE-2024-12905)
   * Update test
Checksums-Sha1:
 6e67cf4e7df68464abf5fbc1ddf18f27397622fa 2525 node-tar-fs_3.0.8+~cs2.0.4-1.dsc
 7c7502d281d436db0ad0f78282acef71da02a292 2030 node-tar-fs_3.0.8+~cs2.0.4.orig-types-tar-fs.tar.gz
 dd917f08b848b90d8a36135fde0d7ad7bb0935eb 8410 node-tar-fs_3.0.8+~cs2.0.4.orig.tar.gz
 68406d5b4fa46c4a8d275656a3cddfafdf5414e2 35128 node-tar-fs_3.0.8+~cs2.0.4-1.debian.tar.xz
Checksums-Sha256:
 01b5f870ff49d02345fe0f19393330ed91db7064094cf3359a025052c326f179 2525 node-tar-fs_3.0.8+~cs2.0.4-1.dsc
 e1605173a3c96d4ec6eb6b2e5133f2922974ea5f9a88064b73f84418f55fb68a 2030 node-tar-fs_3.0.8+~cs2.0.4.orig-types-tar-fs.tar.gz
 712135dc55e613677213552cdb4363b662ffb93e66a74c2e10894057d06e9f07 8410 node-tar-fs_3.0.8+~cs2.0.4.orig.tar.gz
 b250bdfc4855f591f436efef6063a3c43af69e9e4fc928b9b760ec06bf4a30cc 35128 node-tar-fs_3.0.8+~cs2.0.4-1.debian.tar.xz
Files:
 07e609c86a92210b0fe2d7cb76d1bac8 2525 javascript optional node-tar-fs_3.0.8+~cs2.0.4-1.dsc
 a3378715663e617e26dd24772001190c 2030 javascript optional node-tar-fs_3.0.8+~cs2.0.4.orig-types-tar-fs.tar.gz
 5b8d69cd54c82feddef6c59a6ad3741a 8410 javascript optional node-tar-fs_3.0.8+~cs2.0.4.orig.tar.gz
 d6cd62e10034f81055c9609c48d2af8d 35128 javascript optional node-tar-fs_3.0.8+~cs2.0.4-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpKPzCU6VDqQ.pgp
Description: PGP signature


--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
