Source: node-tar Version: 6.2.1+ds1+~cs6.1.13-7 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-tar. CVE-2026-26960[0]: | node-tar is a full-featured Tar for Node.js. When using default | options in versions 7.5.7 and below, an attacker-controlled archive | can create a hardlink inside the extraction directory that points to | a file outside the extraction root, enabling arbitrary file read and | write as the extracting user. Severity is high because the primitive | bypasses path protections and turns archive extraction into a direct | filesystem access primitive. This issue has been fixed in version | 7.5.8. Note, I was not exacly able to reproduce/verify the issue completely, but still should apply to all versions before 7.5.8. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-26960 https://www.cve.org/CVERecord?id=CVE-2026-26960 [1] https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
