Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for node-tar.

CVE-2021-32803[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7,
| 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite
| vulnerability via insufficient symlink protection. `node-tar` aims to
| guarantee that any file whose location would be modified by a symbolic
| link is not extracted. This is, in part, achieved by ensuring that
| extracted directories are not symlinks. Additionally, in order to
| prevent unnecessary `stat` calls to determine whether a given path is
| a directory, paths are cached when directories are created. This logic
| was insufficient when extracting tar files that contained both a
| directory and a symlink with the same name as the directory. This
| order of operations resulted in the directory being created and added
| to the `node-tar` directory cache. When a directory is present in the
| directory cache, subsequent calls to mkdir for that directory are
| skipped. However, this is also where `node-tar` checks for symlinks
| occur. By first creating a directory, and then replacing that
| directory with a symlink, it was thus possible to bypass `node-tar`
| symlink checks on directories, essentially allowing an untrusted tar
| file to symlink into an arbitrary location and subsequently extracting
| arbitrary files into that location, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.3,
| 4.4.15, 5.0.7 and 6.1.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32803
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803
[1] https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore