Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:node-tar User: [email protected] Usertags: pu
[ Reason ] node-tar is vulnerable to 6 CVE. The more important is the possibility to points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. - CVE-2026-23745: sanitize absolute linkpaths properly - CVE-2026-23950: normalize out unicode ligatures - CVE-2026-29786: parse root off paths before sanitizing parts - CVE-2026-26960: do not write linkpaths through symlinks (Closes: #1129378) - CVE-2026-24842: properly sanitize hard links containing '..' - CVE-2026-31802: prevent escaping symlinks with drive-relative paths The 2 lasts are regressions introduced by CVE-2026-23745 patch [ Impact ] Medium security issues [ Tests ] Test pass [ Risks ] Medium risk, test pass and test coverage looks good [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Best regards, Xavier
diff --git a/debian/changelog b/debian/changelog index 32e118b..968ebc5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-tar (6.2.1+~cs7.0.8-1+deb13u1) trixie; urgency=medium + + * Team upload + * Add patches for 6 CVEs: CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, + CVE-2026-26960, CVE-2026-29786, CVE-2026-31802 (Closes: #1129378) + + -- Xavier Guimard <[email protected]> Tue, 24 Mar 2026 12:34:05 +0100 + node-tar (6.2.1+~cs7.0.8-1) unstable; urgency=medium * New upstream version diff --git a/debian/patches/CVE-2026-23745.patch b/debian/patches/CVE-2026-23745.patch new file mode 100644 index 0000000..146fb83 --- /dev/null +++ b/debian/patches/CVE-2026-23745.patch @@ -0,0 +1,145 @@ +Description: sanitize absolute linkpaths properly +Author: isaacs <[email protected]> +Origin: upstream, https://github.com/isaacs/node-tar/commit/340eb285 +Bug: https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 +Forwarded: not-needed +Applied-Upstream: 7.5.3, commit:340eb285 +Reviewed-By: Xavier Guimard <[email protected]> +Last-Update: 2026-01-17 + +--- a/lib/unpack.js ++++ b/lib/unpack.js +@@ -32,6 +32,7 @@ + const HARDLINK = Symbol('hardlink') + const UNSUPPORTED = Symbol('unsupported') + const CHECKPATH = Symbol('checkPath') ++const STRIPABSOLUTEPATH = Symbol('stripAbsolutePath') + const MKDIR = Symbol('mkdir') + const ONERROR = Symbol('onError') + const PENDING = Symbol('pending') +@@ -244,6 +245,43 @@ + } + } + ++ // return false if we need to skip this file ++ // return true if the field was successfully sanitized ++ [STRIPABSOLUTEPATH]( entry, field ) { ++ const path = entry[field] ++ if (!path || this.preservePaths) return true ++ ++ const parts = path.split('/') ++ if ( ++ parts.includes('..') || ++ /* c8 ignore next */ ++ (isWindows && /^[a-z]:\.\.$/i.test(parts[0] ?? '')) ++ ) { ++ this.warn('TAR_ENTRY_ERROR', `${field} contains '..'`, { ++ entry, ++ [field]: path, ++ }) ++ // not ok! ++ return false ++ } ++ ++ // strip off the root ++ const [root, stripped] = stripAbsolutePath(path) ++ if (root) { ++ // ok, but triggers warning about stripping root ++ entry[field] = String(stripped) ++ this.warn( ++ 'TAR_ENTRY_INFO', ++ `stripping ${root} from absolute ${field}`, ++ { ++ entry, ++ [field]: path, ++ }, ++ ) ++ } ++ return true ++ } ++ + [CHECKPATH] (entry) { + const p = normPath(entry.path) + const parts = p.split('/') +@@ -274,24 +312,11 @@ + return false + } + +- if (!this.preservePaths) { +- if (parts.includes('..') || isWindows && /^[a-z]:\.\.$/i.test(parts[0])) { +- this.warn('TAR_ENTRY_ERROR', `path contains '..'`, { +- entry, +- path: p, +- }) +- return false +- } +- +- // strip off the root +- const [root, stripped] = stripAbsolutePath(p) +- if (root) { +- entry.path = stripped +- this.warn('TAR_ENTRY_INFO', `stripping ${root} from absolute path`, { +- entry, +- path: p, +- }) +- } ++ if ( ++ !this[STRIPABSOLUTEPATH](entry, 'path') || ++ !this[STRIPABSOLUTEPATH](entry, 'linkpath') ++ ) { ++ return false + } + + if (path.isAbsolute(entry.path)) { +--- /dev/null ++++ b/test/ghsa-8qq5-rm4j-mr97.js +@@ -0,0 +1,49 @@ ++const { readFileSync, readlinkSync, writeFileSync } = require('fs') ++const { resolve } = require('path') ++const t = require('tap') ++const Header = require('../lib/header.js') ++const x = require('../lib/extract.js') ++ ++const targetSym = '/some/absolute/path' ++ ++const getExploitTar = () => { ++ const exploitTar = Buffer.alloc(512 + 512 + 1024) ++ ++ new Header({ ++ path: 'exploit_hard', ++ type: 'Link', ++ size: 0, ++ linkpath: resolve(t.testdirName, 'secret.txt'), ++ }).encode(exploitTar, 0) ++ ++ new Header({ ++ path: 'exploit_sym', ++ type: 'SymbolicLink', ++ size: 0, ++ linkpath: targetSym, ++ }).encode(exploitTar, 512) ++ ++ return exploitTar ++} ++ ++const dir = t.testdir({ ++ 'secret.txt': 'ORIGINAL DATA', ++ 'exploit.tar': getExploitTar(), ++ out_repro: {}, ++}) ++ ++const out = resolve(dir, 'out_repro') ++const tarFile = resolve(dir, 'exploit.tar') ++ ++t.test('verify that linkpaths get sanitized properly', async t => { ++ await x({ ++ cwd: out, ++ file: tarFile, ++ preservePaths: false, ++ }) ++ ++ writeFileSync(resolve(out, 'exploit_hard'), 'OVERWRITTEN') ++ t.equal(readFileSync(resolve(dir, 'secret.txt'), 'utf8'), 'ORIGINAL DATA') ++ ++ t.not(readlinkSync(resolve(out, 'exploit_sym')), targetSym) ++}) diff --git a/debian/patches/CVE-2026-23950.patch b/debian/patches/CVE-2026-23950.patch new file mode 100644 index 0000000..ab164b4 --- /dev/null +++ b/debian/patches/CVE-2026-23950.patch @@ -0,0 +1,132 @@ +Description: normalize out unicode ligatures +Author: Yadd <[email protected]> +Origin: upstream, https://github.com/isaacs/node-tar/commit/3b1abfae +Bug: https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w +Forwarded: not-needed +Applied-Upstream: 7.5.4, commit:3b1abfae +Reviewed-By: Xavier Guimard <[email protected]> +Last-Update: 2026-01-22 + +--- a/lib/normalize-unicode.js ++++ b/lib/normalize-unicode.js +@@ -6,7 +6,11 @@ + const { hasOwnProperty } = Object.prototype + module.exports = s => { + if (!hasOwnProperty.call(normalizeCache, s)) { +- normalizeCache[s] = s.normalize('NFD') ++ // shake out identical accents and ligatures ++ normalizeCache[s] = s ++ .normalize('NFD') ++ .toLocaleLowerCase('en') ++ .toLocaleUpperCase('en') + } + return normalizeCache[s] + } +--- a/lib/path-reservations.js ++++ b/lib/path-reservations.js +@@ -123,7 +123,7 @@ + // effectively removing all parallelization on windows. + paths = isWindows ? ['win32 parallelization disabled'] : paths.map(p => { + // don't need normPath, because we skip this entirely for windows +- return stripSlashes(join(normalize(p))).toLowerCase() ++ return stripSlashes(join(normalize(p))) + }) + + const dirs = new Set( +--- a/tap-snapshots/test/normalize-unicode.js.test.cjs ++++ b/tap-snapshots/test/normalize-unicode.js.test.cjs +@@ -6,25 +6,25 @@ + */ + 'use strict' + exports[`test/normalize-unicode.js TAP normalize with strip slashes "1/4foo.txt" > normalized 1`] = ` +-1/4foo.txt ++1/4FOO.TXT + ` + + exports[`test/normalize-unicode.js TAP normalize with strip slashes "\\\\a\\\\b\\\\c\\\\d\\\\" > normalized 1`] = ` +-/a/b/c/d ++/A/B/C/D + ` + + exports[`test/normalize-unicode.js TAP normalize with strip slashes "¼foo.txt" > normalized 1`] = ` +-¼foo.txt ++¼FOO.TXT + ` + + exports[`test/normalize-unicode.js TAP normalize with strip slashes "﹨aaaa﹨dddd﹨" > normalized 1`] = ` +-﹨aaaa﹨dddd﹨ ++﹨AAAA﹨DDDD﹨ + ` + + exports[`test/normalize-unicode.js TAP normalize with strip slashes "\bbb\eee\" > normalized 1`] = ` +-\bbb\eee\ ++\BBB\EEE\ + ` + + exports[`test/normalize-unicode.js TAP normalize with strip slashes "\\\\\eee\\\\\\" > normalized 1`] = ` +-\\\\\eee\\\\\\ ++\\\\\EEE\\\\\\ + ` +--- /dev/null ++++ b/test/ghsa-r6q2-hw4h-h46w.js +@@ -0,0 +1,49 @@ ++const t = require('tap') ++const normalizeUnicode = require('../lib/normalize-unicode.js') ++const Header = require('../lib/header.js') ++const { resolve } = require('path') ++const { lstatSync, readFileSync, statSync } = require('fs') ++const extract = require('../lib/extract.js') ++ ++// these characters are problems on macOS's APFS ++const chars = { ++ ['ff'.normalize('NFC')]: 'FF', ++ ['fi'.normalize('NFC')]: 'FI', ++ ['fl'.normalize('NFC')]: 'FL', ++ ['ffi'.normalize('NFC')]: 'FFI', ++ ['ffl'.normalize('NFC')]: 'FFL', ++ ['ſt'.normalize('NFC')]: 'ST', ++ ['st'.normalize('NFC')]: 'ST', ++ ['ẛ'.normalize('NFC')]: 'Ṡ', ++ ['ß'.normalize('NFC')]: 'SS', ++ ['ẞ'.normalize('NFC')]: 'SS', ++ ['ſ'.normalize('NFC')]: 'S', ++} ++ ++for (const [c, n] of Object.entries(chars)) { ++ t.test(`${c} => ${n}`, async t => { ++ t.equal(normalizeUnicode(c), n) ++ ++ t.test('link then file', async t => { ++ const tarball = Buffer.alloc(2048) ++ new Header({ ++ path: c, ++ type: 'SymbolicLink', ++ linkpath: './target', ++ }).encode(tarball, 0) ++ new Header({ ++ path: n, ++ type: 'File', ++ size: 1, ++ }).encode(tarball, 512) ++ tarball[1024] = 'x'.charCodeAt(0) ++ ++ const cwd = t.testdir({ tarball }) ++ ++ await extract({ cwd, file: resolve(cwd, 'tarball') }) ++ ++ t.throws(() => statSync(resolve(cwd, 'target'))) ++ t.equal(readFileSync(resolve(cwd, n), 'utf8'), 'x') ++ }) ++ }) ++} +--- a/test/normalize-unicode.js ++++ b/test/normalize-unicode.js +@@ -12,7 +12,7 @@ + + t.equal(normalize(cafe1), normalize(cafe2), 'matching unicodes') + t.equal(normalize(cafe1), normalize(cafe2), 'cached') +-t.equal(normalize('foo'), 'foo', 'non-unicode string') ++t.equal(normalize('foo'), 'FOO', 'non-unicode string') + + t.test('normalize with strip slashes', t => { + const paths = [ diff --git a/debian/patches/CVE-2026-24842.patch b/debian/patches/CVE-2026-24842.patch new file mode 100644 index 0000000..f7f547b --- /dev/null +++ b/debian/patches/CVE-2026-24842.patch @@ -0,0 +1,28 @@ +Description: properly sanitize hard links containing .. + The issue is that *hard* links are resolved relative to the unpack cwd, + so if they have `..`, they cannot possibly be valid. The loosening of + the '..' restriction for symbolic links should have been limited by type. +Author: isaacs <[email protected]> +Origin: upstream, https://github.com/isaacs/node-tar/commit/f4a7aa9b +Bug: https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v +Forwarded: not-needed +Applied-Upstream: 7.5.7, commit:f4a7aa9b +Last-Update: 2026-03-24 + +--- a/lib/unpack.js ++++ b/lib/unpack.js +@@ -251,11 +251,13 @@ + // return true if the field was successfully sanitized + [STRIPABSOLUTEPATH]( entry, field ) { + const path = entry[field] ++ const { type } = entry + if (!path || this.preservePaths) return true + + const parts = path.split('/') + if ( +- parts.includes('..') || ++ (parts.includes('..') && ++ (field === 'path' || type === 'Link')) || + /* c8 ignore next */ + (isWindows && /^[a-z]:\.\.$/i.test(parts[0] ?? '')) + ) { diff --git a/debian/patches/CVE-2026-26960.patch b/debian/patches/CVE-2026-26960.patch new file mode 100644 index 0000000..de59193 --- /dev/null +++ b/debian/patches/CVE-2026-26960.patch @@ -0,0 +1,139 @@ +From: isaacs <[email protected]> +Date: Thu, 12 Feb 2026 20:50:19 -0800 +Subject: [PATCH] <short summary of the patch> +Origin: upstream, https://github.com/isaacs/node-tar/commit/d18e4e1f +Bug: https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx +Forwarded: not-needed +Applied-Upstream: 7.5.7, commit:d18e4e1f +Reviewed-By: Xavier Guimard <[email protected]> + +--- /dev/null ++++ b/lib/process-umask.js +@@ -0,0 +1,4 @@ ++// separate file so I stop getting nagged in vim about deprecated API ++module.exports = { ++ umask: () => process.umask() ++}; +--- a/lib/unpack.js ++++ b/lib/unpack.js +@@ -18,6 +18,7 @@ + const normPath = require('./normalize-windows-path.js') + const stripSlash = require('./strip-trailing-slashes.js') + const normalize = require('./normalize-unicode.js') ++const { umask } = require('./process-umask.js') + + const ONENTRY = Symbol('onEntry') + const CHECKFS = Symbol('checkFs') +@@ -30,6 +31,7 @@ + const LINK = Symbol('link') + const SYMLINK = Symbol('symlink') + const HARDLINK = Symbol('hardlink') ++const ENSURE_NO_SYMLINK = Symbol('ensureNoSymlink') + const UNSUPPORTED = Symbol('unsupported') + const CHECKPATH = Symbol('checkPath') + const STRIPABSOLUTEPATH = Symbol('stripAbsolutePath') +@@ -217,7 +219,7 @@ + this.cwd = normPath(path.resolve(opt.cwd || process.cwd())) + this.strip = +opt.strip || 0 + // if we're not chmodding, then we don't need the process umask +- this.processUmask = opt.noChmod ? 0 : process.umask() ++ this.processUmask = opt.noChmod ? 0 : umask() + this.umask = typeof opt.umask === 'number' ? opt.umask : this.processUmask + + // default mode for dirs created as parents +@@ -565,12 +567,64 @@ + } + + [SYMLINK] (entry, done) { +- this[LINK](entry, entry.linkpath, 'symlink', done) ++ const parts = normPath( ++ path.relative( ++ this.cwd, ++ path.resolve( ++ path.dirname(String(entry.absolute)), ++ String(entry.linkpath), ++ ), ++ ), ++ ).split('/') ++ this[ENSURE_NO_SYMLINK]( ++ entry, ++ this.cwd, ++ parts, ++ () => ++ this[LINK](entry, String(entry.linkpath), 'symlink', done), ++ er => { ++ this[ONERROR](er, entry) ++ done() ++ }, ++ ) + } + + [HARDLINK] (entry, done) { + const linkpath = normPath(path.resolve(this.cwd, entry.linkpath)) +- this[LINK](entry, linkpath, 'link', done) ++ const parts = normPath(String(entry.linkpath)).split( ++ '/', ++ ) ++ this[ENSURE_NO_SYMLINK]( ++ entry, ++ this.cwd, ++ parts, ++ () => this[LINK](entry, linkpath, 'link', done), ++ er => { ++ this[ONERROR](er, entry) ++ done() ++ }, ++ ) ++ } ++ ++ [ENSURE_NO_SYMLINK]( ++ entry, ++ cwd, ++ parts, ++ done, ++ onError, ++ ) { ++ const p = parts.shift() ++ if (this.preservePaths || p === undefined) return done() ++ const t = path.resolve(cwd, p) ++ fs.lstat(t, (er, st) => { ++ if (er) return done() ++ if (st?.isSymbolicLink()) { ++ return onError( ++ new SymlinkError(t, path.resolve(t, parts.join('/'))), ++ ) ++ } ++ this[ENSURE_NO_SYMLINK](entry, t, parts, done, onError) ++ }) + } + + [PEND] () { +@@ -935,6 +989,28 @@ + } + } + ++ [ENSURE_NO_SYMLINK]( ++ _entry, ++ cwd, ++ parts, ++ done, ++ onError, ++ ) { ++ if (this.preservePaths || !parts.length) return done() ++ let t = cwd ++ for (const p of parts) { ++ t = path.resolve(t, p) ++ const [er, st] = callSync(() => fs.lstatSync(t)) ++ if (er) return done() ++ if (st.isSymbolicLink()) { ++ return onError( ++ new SymlinkError(t, path.resolve(cwd, parts.join('/'))), ++ ) ++ } ++ } ++ done() ++ } ++ + [LINK] (entry, linkpath, link, done) { + try { + fs[link + 'Sync'](linkpath, entry.absolute) diff --git a/debian/patches/CVE-2026-29786.patch b/debian/patches/CVE-2026-29786.patch new file mode 100644 index 0000000..c261d51 --- /dev/null +++ b/debian/patches/CVE-2026-29786.patch @@ -0,0 +1,22 @@ +From: isaacs <[email protected]> +Date: Wed, 4 Mar 2026 11:41:10 -0800 +Subject: [PATCH] parse root off paths before sanitizing .. parts +Origin: upstream, https://github.com/isaacs/node-tar/commit/7bc755dd +Bug: https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96 +Forwarded: not-needed +Applied-Upstream: 7.5.10, commit:7bc755dd +Reviewed-By: Xavier Guimard <[email protected]> + +--- a/lib/unpack.js ++++ b/lib/unpack.js +@@ -284,7 +284,9 @@ + + [CHECKPATH] (entry) { + const p = normPath(entry.path) +- const parts = p.split('/') ++ // strip off the root ++ const [root, stripped] = stripAbsolutePath(p) ++ const parts = stripped.replace(/\\/g, '/').split('/') + + if (this.strip) { + if (parts.length < this.strip) { diff --git a/debian/patches/CVE-2026-31802.patch b/debian/patches/CVE-2026-31802.patch new file mode 100644 index 0000000..d9aa7dc --- /dev/null +++ b/debian/patches/CVE-2026-31802.patch @@ -0,0 +1,33 @@ +Description: prevent escaping symlinks with drive-relative paths + After stripping the drive letter root from paths like c:../../../foo, + re-check for '..' to prevent path traversal via drive-relative linkpaths. +Author: isaacs <[email protected]> +Origin: upstream, https://github.com/isaacs/node-tar/commit/f48b5fa3 +Bug: https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256 +Forwarded: not-needed +Applied-Upstream: 7.5.11, commit:f48b5fa3 +Last-Update: 2026-03-24 + +--- a/lib/unpack.js ++++ b/lib/unpack.js +@@ -272,6 +272,20 @@ + // strip off the root + const [root, stripped] = stripAbsolutePath(path) + if (root) { ++ // After stripping root, re-check for '..' in the stripped path ++ // This catches drive-relative paths like c:../../../foo where ++ // the initial check missed '..' because it was part of 'c:..' ++ const strippedParts = String(stripped).replace(/\\/g, '/').split('/') ++ if ( ++ strippedParts.includes('..') && ++ (field === 'path' || entry.type === 'Link') ++ ) { ++ this.warn('TAR_ENTRY_ERROR', `linkpath escapes extraction directory`, { ++ entry, ++ [field]: path, ++ }) ++ return false ++ } + // ok, but triggers warning about stripping root + entry[field] = String(stripped) + this.warn( diff --git a/debian/patches/series b/debian/patches/series index b52771a..2eda2d6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,7 @@ api-backward-compatibility.patch +CVE-2026-23745.patch +CVE-2026-23950.patch +CVE-2026-29786.patch +CVE-2026-26960.patch +CVE-2026-24842.patch +CVE-2026-31802.patch
