-------------------------------------------------------------------------
Debian LTS Advisory DLA-4552-1                         [email protected]
https://www.debian.org/lts/security/                          Daniel Leidert
April 29, 2026                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-tar
Version        : 6.0.5+ds1+~cs11.3.9-1+deb11u3
CVE ID         : CVE-2024-28863 CVE-2026-23745 CVE-2026-24842 CVE-2026-26960
                 CVE-2026-29786 CVE-2026-31802
Multiple vulnerabilities have been discovered in node-tar, a Node.js
module to read and write portable tar archives.
CVE-2024-28863

    node-tar did not limit the number of nested sub-folders created while
    extracting an archive. An archive containing a path with a very large
    number of nested sub-folders can consume memory on the system and
    crash the Node.js process within a few seconds.
CVE-2026-23745

    When preservePaths is false, the linkpath of Link (hardlink) and
    SymbolicLink entries was not sanitized, allowing malicious archives
    to bypass the extraction root restriction. This leads to arbitrary
    file overwrites via hardlinks and to symlink poisoning via absolute
    symlink targets.

    The fix for this issue introduced several of the vulnerabilities
    listed below.
CVE-2026-24842
The security check for hardlink entries allows an attacker to craft
a malicious TAR archive that bypasses path traversal protections and
creates hardlinks to arbitrary files outside the extraction
directory.
CVE-2026-26960
An attacker-controlled archive can create a hardlink inside the
extraction directory that points to a file outside the extraction
root, enabling arbitrary file read and write as the extracting user.
CVE-2026-29786
An attacker-controlled archive can create a hardlink that points
outside the extraction directory by using a drive-relative link
target.
CVE-2026-31802
An attacker-controlled archive can create a hardlink that points
outside the extraction directory by using a drive-relative link
target.
For Debian 11 bullseye, these problems have been fixed in version
6.0.5+ds1+~cs11.3.9-1+deb11u3.
We recommend that you upgrade your node-tar packages.
For the detailed security status of node-tar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-tar
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS