Source: node-tar
Version: 7.5.16+~4.0.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for node-tar.
CVE-2026-59871[0]:
| node-tar is a tar archive manipulation library for Node.js. Prior to
| 7.5.18, node-tar coerces all-digit PAX path and linkpath values in
| src/pax.ts to JavaScript numbers, causing downstream path handling
| such as normalizeWindowsPath(entry.path).split('/') to throw an
| uncaught TypeError. This issue is fixed in version 7.5.18.
CVE-2026-59873[1]:
| node-tar is a tar archive manipulation library for Node.js. Prior to
| 7.5.19, node-tar does not enforce hard upper bounds on total
| decompressed data, entry counts, or decompression ratio in
| extraction and parsing paths such as src/extract.ts, allowing a
| small crafted gzip bomb to exhaust disk space and CPU. This issue is
| fixed in version 7.5.19.
CVE-2026-59874[2]:
| node-tar is a tar archive manipulation library for Node.js. Prior to
| 7.5.18, tar.replace accepts a checksum-valid tar header with a
| negative base-256 encoded entry size, causing the archive scanner to
| make no progress while repeatedly parsing the same header. This
| issue is fixed in version 7.5.18.
CVE-2026-59875[3]:
| node-tar is a tar archive manipulation library for Node.js. Prior to
| 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath
| records in src/pax.ts, allowing a crafted archive with values to
| reach fs.lstat or fs.open and terminate the process with an uncaught
| exception. This issue is fixed in version 7.5.17.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-59871
https://www.cve.org/CVERecord?id=CVE-2026-59871
[1] https://security-tracker.debian.org/tracker/CVE-2026-59873
https://www.cve.org/CVERecord?id=CVE-2026-59873
[2] https://security-tracker.debian.org/tracker/CVE-2026-59874
https://www.cve.org/CVERecord?id=CVE-2026-59874
[3] https://security-tracker.debian.org/tracker/CVE-2026-59875
https://www.cve.org/CVERecord?id=CVE-2026-59875
Regards,
Salvatore
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel