Your message dated Fri, 10 Jul 2026 08:20:32 +0000
with message-id <[email protected]>
and subject line Bug#1141767: fixed in node-tar 7.5.19+~4.0.1-1
has caused the Debian Bug report #1141767,
regarding node-tar: CVE-2026-59871 CVE-2026-59873 CVE-2026-59874 CVE-2026-59875
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141767: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141767
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-tar
Version: 7.5.16+~4.0.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for node-tar.

CVE-2026-59871[0]:
| node-tar is a tar archive manipulation library for Node.js. Prior to
| 7.5.18, node-tar coerces all-digit PAX path and linkpath values in
| src/pax.ts to JavaScript numbers, causing downstream path handling
| such as normalizeWindowsPath(entry.path).split('/') to throw an
| uncaught TypeError. This issue is fixed in version 7.5.18.


CVE-2026-59873[1]:
| node-tar is a tar archive manipulation library for Node.js. Prior to
| 7.5.19, node-tar does not enforce hard upper bounds on total
| decompressed data, entry counts, or decompression ratio in
| extraction and parsing paths such as src/extract.ts, allowing a
| small crafted gzip bomb to exhaust disk space and CPU. This issue is
| fixed in version 7.5.19.


CVE-2026-59874[2]:
| node-tar is a tar archive manipulation library for Node.js. Prior to
| 7.5.18, tar.replace accepts a checksum-valid tar header with a
| negative base-256 encoded entry size, causing the archive scanner to
| make no progress while repeatedly parsing the same header. This
| issue is fixed in version 7.5.18.


CVE-2026-59875[3]:
| node-tar is a tar archive manipulation library for Node.js. Prior to
| 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath
| records in src/pax.ts, allowing a crafted archive with values to
| reach fs.lstat or fs.open and terminate the process with an uncaught
| exception. This issue is fixed in version 7.5.17.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-59871
    https://www.cve.org/CVERecord?id=CVE-2026-59871
[1] https://security-tracker.debian.org/tracker/CVE-2026-59873
    https://www.cve.org/CVERecord?id=CVE-2026-59873
[2] https://security-tracker.debian.org/tracker/CVE-2026-59874
    https://www.cve.org/CVERecord?id=CVE-2026-59874
[3] https://security-tracker.debian.org/tracker/CVE-2026-59875
    https://www.cve.org/CVERecord?id=CVE-2026-59875

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-tar
Source-Version: 7.5.19+~4.0.1-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Jul 2026 09:42:21 +0200
Source: node-tar
Architecture: source
Version: 7.5.19+~4.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 
<[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1141767
Changes:
 node-tar (7.5.19+~4.0.1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 7.5.19+~4.0.1 (Closes: #1141767, CVE-2026-59871,
     CVE-2026-59873, CVE-2026-59874, CVE-2026-59875)
Checksums-Sha1: 
 a1225839820b3c0d9b41d3f09a5ccdaf23e3fd88 2437 node-tar_7.5.19+~4.0.1-1.dsc
 3255b25ad5fde20429f5526179115e66da6ae8fe 6347 
node-tar_7.5.19+~4.0.1.orig-isaacs-fs-minipass.tar.gz
 f2722f613764bbf382eb3c561ed7b63ee5ecf18c 205253 
node-tar_7.5.19+~4.0.1.orig.tar.gz
 7e3ca04ad79e14b1e4c46dd6386197e77aa279da 14752 
node-tar_7.5.19+~4.0.1-1.debian.tar.xz
Checksums-Sha256: 
 071cc0a5560ccb08b97d4648b246f201bec927ee9993d91e66f89111de03691f 2437 
node-tar_7.5.19+~4.0.1-1.dsc
 c312189122ddb0c2f9aaeffbbcddb4015171539214ac589e56d7c72da261e4c7 6347 
node-tar_7.5.19+~4.0.1.orig-isaacs-fs-minipass.tar.gz
 babeddb9f51df606026d5d3da8afd7c3d71cb2dafeb4fc04b98f5c7a4599e5d8 205253 
node-tar_7.5.19+~4.0.1.orig.tar.gz
 9a2f1993e68baaa96f70eec2112c0eb8602b33101df4f54dea5efa0cd0052fad 14752 
node-tar_7.5.19+~4.0.1-1.debian.tar.xz
Files: 
 87dfc3547c5dcf1a52823458fee1d676 2437 javascript optional 
node-tar_7.5.19+~4.0.1-1.dsc
 94e9f0f8c8e8192f6fa6ecf41b4d2bc3 6347 javascript optional 
node-tar_7.5.19+~4.0.1.orig-isaacs-fs-minipass.tar.gz
 5aa98c507f1b948d1b7bac0b222a84f5 205253 javascript optional 
node-tar_7.5.19+~4.0.1.orig.tar.gz
 3d0bee102a722892319e5f374358f9de 14752 javascript optional 
node-tar_7.5.19+~4.0.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmpQorsACgkQ9tdMp8mZ
7un8Og/+KAoaBdQxX/VSMGh642ruiD+wphNQBhWFbTXf9Dd1zLSjlJac+FWaRrYx
hKG59jvJioelMren/wAxJ7Cwukalqoa0d1UgA1mn741qGpcDGJK89DkHZDisF/69
tQdAewqCRO29zWSPr0qp2jY1MoBvTv8M1anRgWpnZ993YsPUaZ7au96bhn3vsHuk
837tgyjNw1XjaOgJkTs6pNagA2HFZRcADFOJDBBtifMtd7sVhrX2iSQOhukP5JxX
P3B7K7pg9JN8U9emVetcMAgIT7Mx3M+8EaTcfs6feHcMW4rrQEb09T/IpC5M3R8c
/g+pus52oGrEvSYcteiVo1xb0irulvoPARSJp8lgsiFxV89oZMT20jEn1+72bkKM
BmD8lA9npQs/IV6HgVyMUAVoE0pZceULWjoZmIwEiB3Zw1BPtc+VHGQgrZ41TsIY
Qs4G0divp6eNU1DwkzqoysWMDIB8xcar7QozN07ohtBKNT3wnXA0oEm+KGXBL13j
zjA7ydiIEa690+oexvVr/yHY3P/4LIVkAIzSKAtfBLWi4p+ZLmDruXshl9ZoUOns
yJjCsYtMayw6icuvWefiuK9Jb4GySr5fB849i84R+Dobcmj+J5j20DaKPYDvZF2T
psVLNXUbwos276Bd9T58r1p6pEdYkQrrEtSm9Krq2WAAx+8hGfQ=
=aqQk
-----END PGP SIGNATURE-----

Attachment: pgpL9jW7S7Qqk.pgp
Description: PGP signature


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

Reply via email to