-------------------------------------------------------------------------
Debian LTS Advisory DLA-3237-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Guilhem Moulin
December 12, 2022                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-tar
Version        : 4.4.6+ds1-3+deb10u2
CVE ID         : CVE-2021-37701 CVE-2021-37712
Debian Bug     : 993981

Cache poisoning vulnerabilities were found in node-tar, a Node.js module
used to read and write portable tar archives, which may result in
arbitrary file creation or overwrite.

CVE-2021-37701

    It was discovered that node-tar performed insufficient symlink
    protection, thereby making the directory cache vulnerable to
    poisoning using symbolic links. Upon extracting an archive
    containing a directory 'foo/bar' followed by a symbolic link
    'foo\\bar' to an arbitrary location, node-tar would extract
    arbitrary files into the symlink target, thus allowing arbitrary
    file creation and overwrite. Moreover, on case-insensitive
    filesystems, a similar issue occurred with a directory 'FOO'
    followed by a symbolic link 'foo'.

CVE-2021-37712

    Similar to CVE-2021-37701, a specially crafted tar archive
    containing two directories and a symlink with names containing
    Unicode values that normalize to the same value would bypass
    node-tar's symlink checks on directories, thus allowing arbitrary
    file creation and overwrite.

For Debian 10 buster, these problems have been fixed in version
4.4.6+ds1-3+deb10u2.

We recommend that you upgrade your node-tar packages.

For the detailed security status of node-tar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-tar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS