node-tar: CVE-2021-32804

Related Vulnerabilities: CVE-2021-32804   CVE-2021-32803  

Debian Bug report logs - #992111


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 11 Aug 2021 19:03:05 UTC

Severity: important

Tags: pending, security, upstream

Found in version node-tar/6.0.5+ds1+~cs11.3.9-1

Fixed in version node-tar/6.1.7+~cs11.3.10-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#992111; Package src:node-tar. (Wed, 11 Aug 2021 19:03:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 11 Aug 2021 19:03:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-tar: CVE-2021-32804
Date: Wed, 11 Aug 2021 21:00:55 +0200
Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-tar.

CVE-2021-32804[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6,
| 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite
| vulnerability due to insufficient absolute path sanitization. node-tar
| aims to prevent extraction of absolute file paths by turning absolute
| paths into relative paths when the `preservePaths` flag is not set to
| `true`. This is achieved by stripping the absolute path root from any
| absolute file paths contained in a tar file. For example
| `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic
| was insufficient when file paths contained repeated path roots such as
| `////home/user/.bashrc`. `node-tar` would only strip a single path
| root from such paths. When given an absolute file path with repeating
| path roots, the resulting path (e.g. `///home/user/.bashrc`) would
| still resolve to an absolute path, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.2,
| 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability
| without upgrading by creating a custom `onentry` method which
| sanitizes the `entry.path` or a `filter` method which removes entries
| with absolute paths. See referenced GitHub Advisory for details. Be
| aware of CVE-2021-32803 which fixes a similar bug in later versions of
| tar.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32804
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804
[1] https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Wed, 11 Aug 2021 19:51:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 11 Aug 2021 19:51:07 GMT)


Message #10 received at 992111-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992111-close@bugs.debian.org
Subject: Bug#992111: fixed in node-tar 6.1.7+~cs11.3.10-1
Date: Wed, 11 Aug 2021 19:49:06 +0000
Source: node-tar
Source-Version: 6.1.7+~cs11.3.10-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-tar, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992111@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-tar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Aug 2021 21:30:03 +0200
Source: node-tar
Architecture: source
Version: 6.1.7+~cs11.3.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 992110 992111
Changes:
 node-tar (6.1.7+~cs11.3.10-1) unstable; urgency=medium
 .
   * Team upload
   * Back to unstable
   * New upstream version 6.1.7+~cs11.3.10
     (Closes: #992110, #992111, CVE-2021-32803 CVE-2021-32804)
   * Update disabled tests (need an updated tap)
   * Update autopkgtest files
Checksums-Sha1: 
 6fe5b2effc6d36830a428c9da4932721ae8fa6a8 3470 node-tar_6.1.7+~cs11.3.10-1.dsc
 24db077a0a6c3c707c576aa218cc18adef0d34ac 35270 node-tar_6.1.7+~cs11.3.10.orig-fs-minipass.tar.gz
 601a95c4cb1d2976072c1720338de85757fc7a74 50240 node-tar_6.1.7+~cs11.3.10.orig-minipass.tar.gz
 516fc8a8b9661b375ecb00113f1c6165dd43b623 186712 node-tar_6.1.7+~cs11.3.10.orig-minizlib.tar.gz
 5f953f183e36a15c6ce3f336568f6051b7b183f3 6515 node-tar_6.1.7+~cs11.3.10.orig-types-tar.tar.gz
 9f70884320d1cec32477703b0c96b8c1b568acb1 222254 node-tar_6.1.7+~cs11.3.10.orig.tar.gz
 921a3c92043ffdf3e9ecc7709cc817c6a6ca4ff6 8616 node-tar_6.1.7+~cs11.3.10-1.debian.tar.xz
Checksums-Sha256: 
 16c4fcd906f31cb8929c0170edf52bc4d17d6b8092af5d994a6d4892f7ae7b0d 3470 node-tar_6.1.7+~cs11.3.10-1.dsc
 83cf7dc113dacdbe3a2d05753edde01c37256cc97167ea5a8086ab85a78f2efd 35270 node-tar_6.1.7+~cs11.3.10.orig-fs-minipass.tar.gz
 496598d78b824ddb3116c4a4fe0123516b318eab820d0ee80cb892ef3ba0c4c9 50240 node-tar_6.1.7+~cs11.3.10.orig-minipass.tar.gz
 296f5e559312e7a4dd871e1cdad27d50d9d0518a548ae870dffb678ff2ecae7e 186712 node-tar_6.1.7+~cs11.3.10.orig-minizlib.tar.gz
 3e97385fb828dfc00ff02f9b30a31a20c737404096cdb006cf7083157c7e1a5d 6515 node-tar_6.1.7+~cs11.3.10.orig-types-tar.tar.gz
 1089d8b31eeda14853bfb05c09f8f48f115617e61310aa30f24ccba593564ec3 222254 node-tar_6.1.7+~cs11.3.10.orig.tar.gz
 be86f3c38eb2301e1a92638e9757d476fae68d0e2bdf5d5ff4e8da878cd298b2 8616 node-tar_6.1.7+~cs11.3.10-1.debian.tar.xz
Files: 
 f9a84cc00fa4d4f4822d7bd68871fba8 3470 javascript optional node-tar_6.1.7+~cs11.3.10-1.dsc
 4885211b9cf2f530a54e6a725cc9556f 35270 javascript optional node-tar_6.1.7+~cs11.3.10.orig-fs-minipass.tar.gz
 b49657e3714f92ab73a7deb5aca36f53 50240 javascript optional node-tar_6.1.7+~cs11.3.10.orig-minipass.tar.gz
 389dc4b3f49e5c28a485f2243aa021c6 186712 javascript optional node-tar_6.1.7+~cs11.3.10.orig-minizlib.tar.gz
 bbd2333b527227358e720aac52e97f93 6515 javascript optional node-tar_6.1.7+~cs11.3.10.orig-types-tar.tar.gz
 fe37b529decd3f78f80b0c34c2af3e79 222254 javascript optional node-tar_6.1.7+~cs11.3.10.orig.tar.gz
 684c06e5d11e986506824629fdbb452b 8616 javascript optional node-tar_6.1.7+~cs11.3.10-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmEUJokACgkQ9tdMp8mZ
7um5Hg//ZDXt5CU+Ooqtk5koQ2mZeMxaLM1FdFV9hsc1gnAGNtyQPkq1ZtiGpWaq
aSWvkT7Kh065n+t6kclF4N5V6SgoGzoersRC4462zRbC6Fbe21BW+98pTU+jMOPv
RwRoSrTzwQMDW0630StcIG4u2nMhGOI610x+pSYHf5s3ipbHPb1PftVLVm368Mhn
jXs4RfZ8Hva6FB6E1nCoIvptSxxOtDNpZQQuLgNArBUoK9ONQMhGZvg3NgrE34yx
I8GG3kT69Vx5GR72M2lqBQ2jPtRIHe8Ez53oeY6t2BFAUbazqzUU/c5sVcgcPIG7
azskF2HKrN3WLBV2mwrg4U4vH9u69jEF6q+r58sNoDBSVn0MccGYQVSa95Avf1p2
UsztMzm0Jq0x2LFh/z2T+M4yZki63cH6vOgwa6kl9YaStugYJrX1cABRX17WCiet
6QxA6NGPyh+VCv76+UULelN6qM0SJWG+v8i0XLqBJvJpZv9R7RcyOI3fJeiJhxdP
rPIk1lCO4XcKvMvz2COmYq7c6EfYENZ1nYzaZ9jHzTzgyRsbSBPfxRBk0H4k84uM
huo/Wr76sAnCP/Bg/Ut0VfvUYJlr/jc8ecuiFPEe4HJfTquROrJG/lXbRm30bwOs
jGvni5sEiEJ71LLHfA0D+AKU9jPuqjlfukgc7chC7b4chNEIUzI=
=yp3G
-----END PGP SIGNATURE-----




Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#992111. (Wed, 11 Aug 2021 19:54:05 GMT)


Message #13 received at 992111-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 992111-submitter@bugs.debian.org
Subject: Bug#992111 marked as pending in node-tar
Date: Wed, 11 Aug 2021 19:50:51 +0000
Control: tag -1 pending

Hello,

Bug #992111 in node-tar reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-tar/-/commit/f8debb9b4af922a7d6cfcd47f82f1d999fb3c1d5

------------------------------------------------------------------------
Strip absolute paths more comprehensively (Closes: #992111, CVE-2021-32804)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/992111



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 992111-submitter@bugs.debian.org. (Wed, 11 Aug 2021 19:54:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 12 07:14:08 2021; Machine Name: bembo
