Your message dated Sun, 08 Mar 2026 11:06:01 +0000
with message-id <[email protected]>
and subject line Bug#1129378: fixed in node-tar 6.2.1+ds1+~cs6.1.13-8
has caused the Debian Bug report #1129378,
regarding node-tar: CVE-2026-26960
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129378: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129378
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-tar
Version: 6.2.1+ds1+~cs6.1.13-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-tar.

CVE-2026-26960[0]:
| node-tar is a full-featured Tar for Node.js. When using default
| options in versions 7.5.7 and below, an attacker-controlled archive
| can create a hardlink inside the extraction directory that points to
| a file outside the extraction root, enabling arbitrary file read and
| write as the extracting user. Severity is high because the primitive
| bypasses path protections and turns archive extraction into a direct
| filesystem access primitive. This issue has been fixed in version
| 7.5.8.

Note, I was not exactly able to reproduce/verify the issue completely,
but it should still apply to all versions before 7.5.8.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26960
    https://www.cve.org/CVERecord?id=CVE-2026-26960
[1] https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-tar
Source-Version: 6.2.1+ds1+~cs6.1.13-8
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Mar 2026 11:46:04 +0100
Source: node-tar
Architecture: source
Version: 6.2.1+ds1+~cs6.1.13-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1129378
Changes:
 node-tar (6.2.1+ds1+~cs6.1.13-8) unstable; urgency=medium
 .
   * Team upload
   * Parse root off paths before sanitizing parts (Closes: CVE-2026-29786)
   * Do not write linkpaths through symlinks (Closes: #1129378, CVE-2026-26960)
Checksums-Sha1:
 5b18c28ca5877b16570c3a343502928dd6b65361 2711 node-tar_6.2.1+ds1+~cs6.1.13-8.dsc
 68ec91964b4966ccab2e06a91d44ed2c641dad04 16284 node-tar_6.2.1+ds1+~cs6.1.13-8.debian.tar.xz
Checksums-Sha256:
 6066b3b366192beda04e2f6e78576ff33c9568f3212f5f7f05c1a85bffeb0352 2711 node-tar_6.2.1+ds1+~cs6.1.13-8.dsc
 0ac6fda2549981787c6a413f8f2fbbdfadc5c71400db4563517681e947ac8d42 16284 node-tar_6.2.1+ds1+~cs6.1.13-8.debian.tar.xz
Files:
 a1f82d3f396ca114398ecad13604f803 2711 javascript optional node-tar_6.2.1+ds1+~cs6.1.13-8.dsc
 282ce324ff3e29659534bea5e4cdcb8e 16284 javascript optional node-tar_6.2.1+ds1+~cs6.1.13-8.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
