[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1107568: bookworm-pu: package node-tar-fs/2.1.3-0+deb12u1

Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>

  * New upstream release.
    - CVE-2024-12905: symlink path traversal (Closes: #1101501)
    - CVE-2025-48387: hardlink path traversal

The two new upstream releases contain each just one CVE fix.

Tagged moreinfo, as question to the security team whether they want
this in pu or as DSA.

diffstat for node-tar-fs-2.1.1 node-tar-fs-2.1.3

 debian/changelog |    9 +++++++++
 index.js         |   19 +++++++++++++------
 package.json     |    2 +-
 test/index.js    |    2 +-
 4 files changed, 24 insertions(+), 8 deletions(-)

diff -Nru node-tar-fs-2.1.1/debian/changelog node-tar-fs-2.1.3/debian/changelog
--- node-tar-fs-2.1.1/debian/changelog	2021-11-02 18:56:17.000000000 +0200
+++ node-tar-fs-2.1.3/debian/changelog	2025-06-09 22:02:36.000000000 +0300
@@ -1,3 +1,12 @@
+node-tar-fs (2.1.3-0+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release.
+    - CVE-2024-12905: symlink path traversal (Closes: #1101501)
+    - CVE-2025-48387: hardlink path traversal
+
+ -- Adrian Bunk <bunk@debian.org>  Mon, 09 Jun 2025 22:02:36 +0300
+
 node-tar-fs (2.1.1-6) unstable; urgency=medium
 
   * Team upload
diff -Nru node-tar-fs-2.1.1/index.js node-tar-fs-2.1.3/index.js
--- node-tar-fs-2.1.1/index.js	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/index.js	2025-05-22 22:22:41.000000000 +0300
@@ -260,6 +260,9 @@
     var onsymlink = function () {
       if (win32) return next() // skip symlinks on win for now before it can be tested
       xfs.unlink(name, function () {
+        var dst = path.resolve(path.dirname(name), header.linkname)
+        if (!dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid symlink'))
+
         xfs.symlink(header.linkname, name, stat)
       })
     }
@@ -269,13 +272,17 @@
       xfs.unlink(name, function () {
         var srcpath = path.join(cwd, path.join('/', header.linkname))
 
-        xfs.link(srcpath, name, function (err) {
-          if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
-            stream = xfs.createReadStream(srcpath)
-            return onfile()
-          }
+        xfs.realpath(srcpath, function (err, dst) {
+          if (err || !dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid hardlink'))
+
+          xfs.link(dst, name, function (err) {
+            if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+              stream = xfs.createReadStream(srcpath)
+              return onfile()
+            }
 
-          stat(err)
+            stat(err)
+          })
         })
       })
     }
diff -Nru node-tar-fs-2.1.1/package.json node-tar-fs-2.1.3/package.json
--- node-tar-fs-2.1.1/package.json	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/package.json	2025-05-22 22:22:41.000000000 +0300
@@ -1,6 +1,6 @@
 {
   "name": "tar-fs",
-  "version": "2.1.1",
+  "version": "2.1.3",
   "description": "filesystem bindings for tar-stream",
   "dependencies": {
     "chownr": "^1.1.1",
diff -Nru node-tar-fs-2.1.1/test/index.js node-tar-fs-2.1.3/test/index.js
--- node-tar-fs-2.1.1/test/index.js	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/test/index.js	2025-05-22 22:22:41.000000000 +0300
@@ -304,7 +304,7 @@
   fs.createReadStream(a)
     .pipe(tar.extract(out))
     .on('error', function (err) {
-      t.ok(/is not a valid path/i.test(err.message))
+      t.ok(/is not a valid symlink/i.test(err.message))
       fs.stat(path.join(out, '../bar'), function (err) {
         t.ok(err)
         t.end()
Reply to: