Your message dated Sat, 02 Oct 2021 11:02:08 +0000
with message-id <[email protected]>
and subject line Bug#992110: fixed in node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
has caused the Debian Bug report #992110,
regarding node-tar: CVE-2021-32803
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
992110: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992110
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-tar.

CVE-2021-32803[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7,
| 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite
| vulnerability via insufficient symlink protection. `node-tar` aims to
| guarantee that any file whose location would be modified by a symbolic
| link is not extracted. This is, in part, achieved by ensuring that
| extracted directories are not symlinks. Additionally, in order to
| prevent unnecessary `stat` calls to determine whether a given path is
| a directory, paths are cached when directories are created. This logic
| was insufficient when extracting tar files that contained both a
| directory and a symlink with the same name as the directory. This
| order of operations resulted in the directory being created and added
| to the `node-tar` directory cache. When a directory is present in the
| directory cache, subsequent calls to mkdir for that directory are
| skipped. However, this is also where `node-tar`'s checks for symlinks
| occur. By first creating a directory, and then replacing that
| directory with a symlink, it was thus possible to bypass `node-tar`
| symlink checks on directories, essentially allowing an untrusted tar
| file to symlink into an arbitrary location and subsequently extracting
| arbitrary files into that location, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.3,
| 4.4.15, 5.0.7 and 6.1.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32803
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803
[1] https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
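The directory-cache bypass quoted in the advisory above can be screened for before an archive reaches any extractor. The following is an added example, not code from node-tar or from the bug report: it parses ustar headers in memory and flags every symlink entry whose path an earlier entry declared as a directory. The archive it checks is constructed inline from zero-length entries; the header offsets are those of the ustar format.

```javascript
const BLOCK = 512;
// Read a NUL-terminated ASCII field out of a 512-byte tar header block.
const field = (hdr, off, len) =>
  hdr.subarray(off, off + len).toString('latin1').replace(/\0.*$/s, '');
// Walk the archive header by header, skipping each entry's data blocks.
function parseEntries(buf) {
  const entries = [];
  for (let off = 0; off + BLOCK <= buf.length; ) {
    const hdr = buf.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break;               // end-of-archive marker
    const size = parseInt(field(hdr, 124, 12).trim() || '0', 8);
    const prefix = field(hdr, 345, 155);                // ustar path prefix
    entries.push({
      path: (prefix ? prefix + '/' : '') + field(hdr, 0, 100),
      type: String.fromCharCode(hdr[156]),              // '5' dir, '2' symlink, '0' file
      linkname: field(hdr, 157, 100),
    });
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
  return entries;
}
// Flag symlink entries whose path an earlier entry declared as a directory:
// an extractor that caches "already created" dirs may skip its symlink check there.
function findDirSymlinkCollisions(entries) {
  const dirs = new Set();
  const findings = [];
  for (const e of entries) {
    const p = e.path.replace(/\/+$/, '');
    if (e.type === '5') dirs.add(p);
    else if (e.type === '2' && dirs.has(p)) findings.push({ path: p, target: e.linkname });
  }
  return findings;
}
// Build a minimal zero-length ustar header (constructed test data, not a real archive).
function makeHeader(name, type, linkname = '') {
  const h = Buffer.alloc(BLOCK, 0);
  h.write(name, 0, 'latin1');
  h.write('00000000000\0', 124);                        // size 0: no data blocks follow
  h.write('        ', 148);                             // checksum is computed over spaces
  h[156] = type.charCodeAt(0);
  h.write(linkname, 157, 'latin1');
  h.write('ustar\0' + '00', 257);
  h.write(h.reduce((a, b) => a + b, 0).toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}
// Constructed sample: directory "lib/", then a symlink also named "lib", then a file under it.
const SAMPLE = Buffer.concat([makeHeader('lib/', '5'), makeHeader('lib', '2', '/tmp/elsewhere'),
  makeHeader('lib/x.js', '0'), Buffer.alloc(BLOCK * 2, 0)]);
```

A non-empty result from `findDirSymlinkCollisions(parseEntries(buf))` is reason to reject the archive outright rather than rely on the extractor's own checks.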
--- Begin Message ---
Source: node-tar
Source-Version: 6.0.5+ds1+~cs11.3.9-1+deb11u1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 11 Aug 2021 21:50:15 +0200
Source: node-tar
Architecture: source
Version: 6.0.5+ds1+~cs11.3.9-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 992110 992111
Changes:
 node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u1) bullseye; urgency=medium
 .
   * Team upload
   * Remove paths from dirCache when no longer dirs
     (Closes: #992110, CVE-2021-32803)
   * Strip absolute paths more comprehensively
     (Closes: #992111, CVE-2021-32804)


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
