node-tar: CVE-2021-32803

Related Vulnerabilities: CVE-2021-32803, CVE-2021-32804

Debian Bug report logs - #992110
node-tar: CVE-2021-32803


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 11 Aug 2021 19:03:02 UTC

Severity: important

Tags: pending, security, upstream

Found in version node-tar/6.0.5+ds1+~cs11.3.9-1

Fixed in version node-tar/6.1.7+~cs11.3.10-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#992110; Package src:node-tar. (Wed, 11 Aug 2021 19:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 11 Aug 2021 19:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-tar: CVE-2021-32803
Date: Wed, 11 Aug 2021 21:00:11 +0200
Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-tar.

CVE-2021-32803[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7,
| 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite
| vulnerability via insufficient symlink protection. `node-tar` aims to
| guarantee that any file whose location would be modified by a symbolic
| link is not extracted. This is, in part, achieved by ensuring that
| extracted directories are not symlinks. Additionally, in order to
| prevent unnecessary `stat` calls to determine whether a given path is
| a directory, paths are cached when directories are created. This logic
| was insufficient when extracting tar files that contained both a
| directory and a symlink with the same name as the directory. This
| order of operations resulted in the directory being created and added
| to the `node-tar` directory cache. When a directory is present in the
| directory cache, subsequent calls to mkdir for that directory are
| skipped. However, this is also where `node-tar` checks for symlinks
| occur. By first creating a directory, and then replacing that
| directory with a symlink, it was thus possible to bypass `node-tar`
| symlink checks on directories, essentially allowing an untrusted tar
| file to symlink into an arbitrary location and subsequently extracting
| arbitrary files into that location, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.3,
| 4.4.15, 5.0.7 and 6.1.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32803
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803
[1] https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
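To make the cache logic described in the advisory above concrete, here is an added example in JavaScript; it is not code from node-tar or from the Debian package, and the entry list, the in-memory filesystem map and every function name in it are constructed for illustration. It models an extractor that caches directory paths so that later `mkdir` calls are skipped, processes a directory, a symlink of the same name and a file beneath that name, and runs the same listing twice: once with the stale cache behaviour the advisory describes, and once with the cache entry dropped as soon as a non-directory replaces the path, which is what the upstream fix ("Remove paths from dirCache when no longer dirs") does.

```javascript
// Added example, not code from node-tar or Debian: an in-memory model of the
// directory-cache logic that CVE-2021-32803 describes. The entry list, the
// filesystem map and all function names are constructed for this example.
'use strict';

// Constructed archive listing, in the order the advisory describes: a
// directory, then a symlink with the same name, then a file beneath it.
const SAMPLE_ENTRIES = [
  { type: 'Directory', path: 'pkg/' },
  { type: 'SymbolicLink', path: 'pkg', linkpath: '/outside' },
  { type: 'File', path: 'pkg/payload.txt' },
];

// Follow symlinks component by component so the effective location of a
// write is visible. Nodes are { dir: true }, { symlink: target } or { file: true }.
function resolvePath(fsMap, p) {
  let cur = '';
  for (const part of p.split('/')) {
    cur = cur === '' ? part : `${cur}/${part}`;
    const node = fsMap.get(cur);
    if (node && node.symlink) cur = node.symlink;
  }
  return cur;
}

// mkdir -p with a cache of paths already known to be directories. A cached
// path skips the filesystem check entirely, and that check is exactly where
// a symlink standing in for the directory would be detected.
function mkdirp(fsMap, dirCache, dir) {
  let cur = '';
  for (const part of dir.split('/')) {
    cur = cur === '' ? part : `${cur}/${part}`;
    if (dirCache.has(cur)) continue; // trusted as a directory, no stat
    const node = fsMap.get(cur);
    if (node && node.symlink) throw new Error(`refusing to extract through symlink at ${cur}`);
    if (node && node.file) throw new Error(`not a directory: ${cur}`);
    if (!node) fsMap.set(cur, { dir: true });
    dirCache.add(cur);
  }
}

// Simulated extraction. With invalidateCache=false the cache keeps a path
// after a non-directory has replaced it (the behaviour the advisory reports);
// with invalidateCache=true the path is dropped from the cache, so the next
// entry beneath it goes through the symlink check again (the fix).
function extract(entries, { invalidateCache }) {
  const fsMap = new Map();
  const dirCache = new Set();
  const filesWritten = [];
  const rejected = [];

  for (const entry of entries) {
    const p = entry.path.replace(/\/+$/, '');
    const parent = p.includes('/') ? p.slice(0, p.lastIndexOf('/')) : '';
    try {
      if (parent) mkdirp(fsMap, dirCache, parent);
      if (entry.type === 'Directory') {
        mkdirp(fsMap, dirCache, p);
        continue;
      }
      // A non-directory replaces whatever was at p (the model does not
      // reproduce how the existing directory is removed, only the outcome).
      fsMap.set(p, entry.type === 'SymbolicLink' ? { symlink: entry.linkpath } : { file: true });
      if (invalidateCache) dirCache.delete(p); // the fix: p is no longer a dir
      if (entry.type === 'File') filesWritten.push(resolvePath(fsMap, p));
    } catch (err) {
      rejected.push(`${entry.path}: ${err.message}`);
    }
  }
  return { filesWritten, rejected };
}

// Runs both variants over the constructed listing and returns the results.
function demo() {
  const vulnerable = extract(SAMPLE_ENTRIES, { invalidateCache: false });
  const fixed = extract(SAMPLE_ENTRIES, { invalidateCache: true });
  console.log('stale cache  :', vulnerable);
  console.log('invalidated  :', fixed);
  return { vulnerable, fixed };
}

demo();
```

With the stale cache, the file entry's parent `pkg` is skipped by `mkdirp`, so the write resolves through the symlink to `/outside/payload.txt`; with cache invalidation, the same entry is rejected at the symlink check. The model only reproduces the cache/check ordering, not node-tar's real path handling, so treat it as an illustration of why a directory cache must be invalidated whenever a cached path is replaced by something that is not a directory.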



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Wed, 11 Aug 2021 19:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 11 Aug 2021 19:51:05 GMT)


Message #10 received at 992110-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992110-close@bugs.debian.org
Subject: Bug#992110: fixed in node-tar 6.1.7+~cs11.3.10-1
Date: Wed, 11 Aug 2021 19:49:06 +0000
Source: node-tar
Source-Version: 6.1.7+~cs11.3.10-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 11 Aug 2021 21:30:03 +0200
Source: node-tar
Architecture: source
Version: 6.1.7+~cs11.3.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 992110 992111
Changes:
 node-tar (6.1.7+~cs11.3.10-1) unstable; urgency=medium
 .
   * Team upload
   * Back to unstable
   * New upstream version 6.1.7+~cs11.3.10
     (Closes: #992110, #992111, CVE-2021-32803 CVE-2021-32804)
   * Update disabled tests (need an updated tap)
   * Update autopkgtest files
Checksums-Sha1: 
 6fe5b2effc6d36830a428c9da4932721ae8fa6a8 3470 node-tar_6.1.7+~cs11.3.10-1.dsc
 24db077a0a6c3c707c576aa218cc18adef0d34ac 35270 node-tar_6.1.7+~cs11.3.10.orig-fs-minipass.tar.gz
 601a95c4cb1d2976072c1720338de85757fc7a74 50240 node-tar_6.1.7+~cs11.3.10.orig-minipass.tar.gz
 516fc8a8b9661b375ecb00113f1c6165dd43b623 186712 node-tar_6.1.7+~cs11.3.10.orig-minizlib.tar.gz
 5f953f183e36a15c6ce3f336568f6051b7b183f3 6515 node-tar_6.1.7+~cs11.3.10.orig-types-tar.tar.gz
 9f70884320d1cec32477703b0c96b8c1b568acb1 222254 node-tar_6.1.7+~cs11.3.10.orig.tar.gz
 921a3c92043ffdf3e9ecc7709cc817c6a6ca4ff6 8616 node-tar_6.1.7+~cs11.3.10-1.debian.tar.xz
Checksums-Sha256: 
 16c4fcd906f31cb8929c0170edf52bc4d17d6b8092af5d994a6d4892f7ae7b0d 3470 node-tar_6.1.7+~cs11.3.10-1.dsc
 83cf7dc113dacdbe3a2d05753edde01c37256cc97167ea5a8086ab85a78f2efd 35270 node-tar_6.1.7+~cs11.3.10.orig-fs-minipass.tar.gz
 496598d78b824ddb3116c4a4fe0123516b318eab820d0ee80cb892ef3ba0c4c9 50240 node-tar_6.1.7+~cs11.3.10.orig-minipass.tar.gz
 296f5e559312e7a4dd871e1cdad27d50d9d0518a548ae870dffb678ff2ecae7e 186712 node-tar_6.1.7+~cs11.3.10.orig-minizlib.tar.gz
 3e97385fb828dfc00ff02f9b30a31a20c737404096cdb006cf7083157c7e1a5d 6515 node-tar_6.1.7+~cs11.3.10.orig-types-tar.tar.gz
 1089d8b31eeda14853bfb05c09f8f48f115617e61310aa30f24ccba593564ec3 222254 node-tar_6.1.7+~cs11.3.10.orig.tar.gz
 be86f3c38eb2301e1a92638e9757d476fae68d0e2bdf5d5ff4e8da878cd298b2 8616 node-tar_6.1.7+~cs11.3.10-1.debian.tar.xz
Files: 
 f9a84cc00fa4d4f4822d7bd68871fba8 3470 javascript optional node-tar_6.1.7+~cs11.3.10-1.dsc
 4885211b9cf2f530a54e6a725cc9556f 35270 javascript optional node-tar_6.1.7+~cs11.3.10.orig-fs-minipass.tar.gz
 b49657e3714f92ab73a7deb5aca36f53 50240 javascript optional node-tar_6.1.7+~cs11.3.10.orig-minipass.tar.gz
 389dc4b3f49e5c28a485f2243aa021c6 186712 javascript optional node-tar_6.1.7+~cs11.3.10.orig-minizlib.tar.gz
 bbd2333b527227358e720aac52e97f93 6515 javascript optional node-tar_6.1.7+~cs11.3.10.orig-types-tar.tar.gz
 fe37b529decd3f78f80b0c34c2af3e79 222254 javascript optional node-tar_6.1.7+~cs11.3.10.orig.tar.gz
 684c06e5d11e986506824629fdbb452b 8616 javascript optional node-tar_6.1.7+~cs11.3.10-1.debian.tar.xz





Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#992110. (Wed, 11 Aug 2021 19:54:03 GMT)


Message #13 received at 992110-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 992110-submitter@bugs.debian.org
Subject: Bug#992110 marked as pending in node-tar
Date: Wed, 11 Aug 2021 19:50:51 +0000
Control: tag -1 pending

Hello,

Bug #992110 in node-tar reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-tar/-/commit/1125961fa5614b26e1b657eb07d5a04305781338

------------------------------------------------------------------------
Remove paths from dirCache when no longer dirs (Closes: #992110, CVE-2021-32803
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/992110



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 992110-submitter@bugs.debian.org. (Wed, 11 Aug 2021 19:54:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 12 07:14:05 2021; Machine Name: bembo
