Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Debian Javascript Maintainers
<pkg-javascript-de...@lists.alioth.debian.org>
* New upstream release.
- CVE-2024-12905: symlink path traversal (Closes: #1101501)
- CVE-2025-48387: hardlink path traversal
The two new upstream releases contain each just one CVE fix.
Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.
diffstat for node-tar-fs-2.1.1 node-tar-fs-2.1.3
debian/changelog | 9 +++++++++
index.js | 19 +++++++++++++------
package.json | 2 +-
test/index.js | 2 +-
4 files changed, 24 insertions(+), 8 deletions(-)
diff -Nru node-tar-fs-2.1.1/debian/changelog node-tar-fs-2.1.3/debian/changelog
--- node-tar-fs-2.1.1/debian/changelog 2021-11-02 18:56:17.000000000 +0200
+++ node-tar-fs-2.1.3/debian/changelog 2025-06-09 22:02:36.000000000 +0300
@@ -1,3 +1,12 @@
+node-tar-fs (2.1.3-0+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream release.
+ - CVE-2024-12905: symlink path traversal (Closes: #1101501)
+ - CVE-2025-48387: hardlink path traversal
+
+ -- Adrian Bunk <b...@debian.org> Mon, 09 Jun 2025 22:02:36 +0300
+
node-tar-fs (2.1.1-6) unstable; urgency=medium
* Team upload
diff -Nru node-tar-fs-2.1.1/index.js node-tar-fs-2.1.3/index.js
--- node-tar-fs-2.1.1/index.js 2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/index.js 2025-05-22 22:22:41.000000000 +0300
@@ -260,6 +260,9 @@
var onsymlink = function () {
if (win32) return next() // skip symlinks on win for now before it can
be tested
xfs.unlink(name, function () {
+ var dst = path.resolve(path.dirname(name), header.linkname)
+ if (!dst.startsWith(path.resolve(cwd))) return next(new Error(name + '
is not a valid symlink'))
+
xfs.symlink(header.linkname, name, stat)
})
}
@@ -269,13 +272,17 @@
xfs.unlink(name, function () {
var srcpath = path.join(cwd, path.join('/', header.linkname))
- xfs.link(srcpath, name, function (err) {
- if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
- stream = xfs.createReadStream(srcpath)
- return onfile()
- }
+ xfs.realpath(srcpath, function (err, dst) {
+ if (err || !dst.startsWith(path.resolve(cwd))) return next(new
Error(name + ' is not a valid hardlink'))
+
+ xfs.link(dst, name, function (err) {
+ if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+ stream = xfs.createReadStream(srcpath)
+ return onfile()
+ }
- stat(err)
+ stat(err)
+ })
})
})
}
diff -Nru node-tar-fs-2.1.1/package.json node-tar-fs-2.1.3/package.json
--- node-tar-fs-2.1.1/package.json 2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/package.json 2025-05-22 22:22:41.000000000 +0300
@@ -1,6 +1,6 @@
{
"name": "tar-fs",
- "version": "2.1.1",
+ "version": "2.1.3",
"description": "filesystem bindings for tar-stream",
"dependencies": {
"chownr": "^1.1.1",
diff -Nru node-tar-fs-2.1.1/test/index.js node-tar-fs-2.1.3/test/index.js
--- node-tar-fs-2.1.1/test/index.js 2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/test/index.js 2025-05-22 22:22:41.000000000 +0300
@@ -304,7 +304,7 @@
fs.createReadStream(a)
.pipe(tar.extract(out))
.on('error', function (err) {
- t.ok(/is not a valid path/i.test(err.message))
+ t.ok(/is not a valid symlink/i.test(err.message))
fs.stat(path.join(out, '../bar'), function (err) {
t.ok(err)
t.end()
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
