Your message dated Sun, 19 Oct 2025 13:22:43 +0000
with message-id <[email protected]>
and subject line Bug#1116338: fixed in node-tar-fs 2.1.3-0+deb12u2
has caused the Debian Bug report #1116338,
regarding node-tar-fs: CVE-2025-59343
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1116338: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116338
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-tar-fs
Version: 3.0.9+~cs2.0.4-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-tar-fs.
CVE-2025-59343[0]:
| tar-fs provides filesystem bindings for tar-stream. Versions prior
| to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation
| bypass if the destination directory is predictable with a specific
| tarball. This issue has been patched in version 3.1.1, 2.1.4, and
| 1.16.6. A workaround involves using the ignore option on non
| files/directories.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-59343
https://www.cve.org/CVERecord?id=CVE-2025-59343
[1] https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v
[2] https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-tar-fs
Source-Version: 2.1.3-0+deb12u2
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-tar-fs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-tar-fs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 25 Sep 2025 23:12:11 +0200
Source: node-tar-fs
Binary: node-tar-fs
Architecture: source all
Version: 2.1.3-0+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Description:
node-tar-fs - Node.js module that provides filesystem-like access to tar files
Closes: 1116338
Changes:
node-tar-fs (2.1.3-0+deb12u2) bookworm-security; urgency=medium
.
* Apply fix for CVE-2025-59343 (Closes: #1116338)
Checksums-Sha1:
c6c00933ae111ba1d7c0704bac003d4f00e9d6e3 2202 node-tar-fs_2.1.3-0+deb12u2.dsc
41b5f9c659d7fa10d0cda24ecae09b97d6b73f4a 7951 node-tar-fs_2.1.3.orig.tar.gz
7fbac1aa4b610ee6064b7b66cf899c378098cd9d 3816 node-tar-fs_2.1.3-0+deb12u2.debian.tar.xz
b9b99d4238a415f23cfcd46ff448c29ce4d36fe2 8072 node-tar-fs_2.1.3-0+deb12u2_all.deb
e95488f89cd8769d4f36770aa4b52a0ac8186c6d 16263 node-tar-fs_2.1.3-0+deb12u2_amd64.buildinfo
Checksums-Sha256:
aa708a516a07a0b26354020eb2b7c5416e6ab5ab25e91127f7907c4982a84d4a 2202 node-tar-fs_2.1.3-0+deb12u2.dsc
061356bce7a39c4b2947f6f406d45179155acfc23edf121f703689768841ad10 7951 node-tar-fs_2.1.3.orig.tar.gz
6c27a3c3e3cc99eb03810b7b53910b16bfb6cd439d45a5c1f1e6a8a19f7cebe0 3816 node-tar-fs_2.1.3-0+deb12u2.debian.tar.xz
beb47d3e3d9af0613282c8a407667937132c903cf1613b4c1d57864e7707ec36 8072 node-tar-fs_2.1.3-0+deb12u2_all.deb
54781916a571e508e86e1c2877ce3652af5f9b3eff659403f21cb619b99605b6 16263 node-tar-fs_2.1.3-0+deb12u2_amd64.buildinfo
Files:
8d7e0fa6060749351540cd88e976bfed 2202 javascript optional node-tar-fs_2.1.3-0+deb12u2.dsc
9034827a8b0724931a4262c61395623f 7951 javascript optional node-tar-fs_2.1.3.orig.tar.gz
a5a8b9db9caa692a6355e6fe8fde4448 3816 javascript optional node-tar-fs_2.1.3-0+deb12u2.debian.tar.xz
37324d52c64899adf9d1b1197b6761ec 8072 javascript optional node-tar-fs_2.1.3-0+deb12u2_all.deb
a812c82d4830a34901ce7ff0af0ca676 16263 javascript optional node-tar-fs_2.1.3-0+deb12u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=ftxE
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel