Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for node-tar.

CVE-2021-32804[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6,
| 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite
| vulnerability due to insufficient absolute path sanitization. node-tar
| aims to prevent extraction of absolute file paths by turning absolute
| paths into relative paths when the `preservePaths` flag is not set to
| `true`. This is achieved by stripping the absolute path root from any
| absolute file paths contained in a tar file. For example
| `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic
| was insufficient when file paths contained repeated path roots such as
| `////home/user/.bashrc`. `node-tar` would only strip a single path
| root from such paths. When given an absolute file path with repeating
| path roots, the resulting path (e.g. `///home/user/.bashrc`) would
| still resolve to an absolute path, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.2,
| 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability
| without upgrading by creating a custom `onentry` method which
| sanitizes the `entry.path` or a `filter` method which removes entries
| with absolute paths. See referenced GitHub Advisory for details. Be
| aware of CVE-2021-32803 which fixes a similar bug in later versions of
| tar.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804
[1] https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore