Your message dated Sat, 06 Sep 2025 12:14:50 +0100 with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk> and subject line Closing p-u requests for fixes included in 12.12 has caused the Debian Bug report #1107568, regarding bookworm-pu: package node-tar-fs/2.1.3-0+deb12u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1107568: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107568 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package node-tar-fs/2.1.3-0+deb12u1
- From: Adrian Bunk <bunk@debian.org>
- Date: Mon, 09 Jun 2025 23:27:12 +0300
- Message-id: <174950083287.1723463.4822215054425540703.reportbug@localhost>
Package: release.debian.org Severity: normal Tags: bookworm moreinfo User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-Cc: security@debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org> * New upstream release. - CVE-2024-12905: symlink path traversal (Closes: #1101501) - CVE-2025-48387: hardlink path traversal The two new upstream releases contain each just one CVE fix. Tagged moreinfo, as question to the security team whether they want this in pu or as DSA.
diffstat for node-tar-fs-2.1.1 node-tar-fs-2.1.3
 debian/changelog |    9 +++++++++
 index.js         |   19 +++++++++++++------
 package.json     |    2 +-
 test/index.js    |    2 +-
 4 files changed, 24 insertions(+), 8 deletions(-)
diff -Nru node-tar-fs-2.1.1/debian/changelog node-tar-fs-2.1.3/debian/changelog
--- node-tar-fs-2.1.1/debian/changelog	2021-11-02 18:56:17.000000000 +0200
+++ node-tar-fs-2.1.3/debian/changelog	2025-06-09 22:02:36.000000000 +0300
@@ -1,3 +1,12 @@
+node-tar-fs (2.1.3-0+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release.
+    - CVE-2024-12905: symlink path traversal (Closes: #1101501)
+    - CVE-2025-48387: hardlink path traversal
+
+ -- Adrian Bunk <bunk@debian.org>  Mon, 09 Jun 2025 22:02:36 +0300
+
 node-tar-fs (2.1.1-6) unstable; urgency=medium
   * Team upload
diff -Nru node-tar-fs-2.1.1/index.js node-tar-fs-2.1.3/index.js
--- node-tar-fs-2.1.1/index.js	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/index.js	2025-05-22 22:22:41.000000000 +0300
@@ -260,6 +260,9 @@
   var onsymlink = function () {
     if (win32) return next() // skip symlinks on win for now before it can be tested
     xfs.unlink(name, function () {
+      var dst = path.resolve(path.dirname(name), header.linkname)
+      if (!dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid symlink'))
+
       xfs.symlink(header.linkname, name, stat)
     })
   }
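Review bot: The containment check added inside the xfs.unlink callback of onsymlink is a bare string-prefix test, `dst.startsWith(path.resolve(cwd))`, so a resolved target in a sibling directory whose name merely begins with the extraction root (for example `<root>2/...`, constructed) passes because the comparison does not stop at a path separator. Compare against the root with a separator appended: `var root = path.resolve(cwd)` and `if (dst !== root && !dst.startsWith(root + path.sep)) return next(new Error(name + ' is not a valid symlink'))`. The hardlink hunk (`@@ -269,13 +272,17 @@`) applies the same prefix comparison to the xfs.realpath result and needs the same separator guard.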
@@ -269,13 +272,17 @@
     xfs.unlink(name, function () {
       var srcpath = path.join(cwd, path.join('/', header.linkname))
-      xfs.link(srcpath, name, function (err) {
-        if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
-          stream = xfs.createReadStream(srcpath)
-          return onfile()
-        }
+      xfs.realpath(srcpath, function (err, dst) {
+        if (err || !dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid hardlink'))
+
+        xfs.link(dst, name, function (err) {
+          if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+            stream = xfs.createReadStream(srcpath)
+            return onfile()
+          }
-        stat(err)
+          stat(err)
+        })
       })
     })
   }
diff -Nru node-tar-fs-2.1.1/package.json node-tar-fs-2.1.3/package.json
--- node-tar-fs-2.1.1/package.json	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/package.json	2025-05-22 22:22:41.000000000 +0300
@@ -1,6 +1,6 @@
 {
   "name": "tar-fs",
-  "version": "2.1.1",
+  "version": "2.1.3",
   "description": "filesystem bindings for tar-stream",
   "dependencies": {
     "chownr": "^1.1.1",
diff -Nru node-tar-fs-2.1.1/test/index.js node-tar-fs-2.1.3/test/index.js
--- node-tar-fs-2.1.1/test/index.js	2020-11-06 20:43:33.000000000 +0200
+++ node-tar-fs-2.1.3/test/index.js	2025-05-22 22:22:41.000000000 +0300
@@ -304,7 +304,7 @@
   fs.createReadStream(a)
     .pipe(tar.extract(out))
     .on('error', function (err) {
-      t.ok(/is not a valid path/i.test(err.message))
+      t.ok(/is not a valid symlink/i.test(err.message))
       fs.stat(path.join(out, '../bar'), function (err) {
         t.ok(err)
         t.end()
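Review bot: In the hardlink hunk the EPERM fallback still opens the unresolved path, `stream = xfs.createReadStream(srcpath)`, while the link itself is now created from the validated `dst`; the two operations should refer to the same resolved file, so change the fallback to `stream = xfs.createReadStream(dst)`. The realpath error is also discarded when the new Error is built, which hides whether the rejection came from a missing target or from the containment check; passing it along as `new Error(name + ' is not a valid hardlink', { cause: err })` would keep that distinction if the supported Node versions allow it. The enclosing link handler starts outside the hunk.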
--- End Message ---
--- Begin Message ---
- To: 1086622-done@bugs.debian.org, 1098225-done@bugs.debian.org, 1098229-done@bugs.debian.org, 1098783-done@bugs.debian.org, 1100607-done@bugs.debian.org, 1100960-done@bugs.debian.org, 1101144-done@bugs.debian.org, 1102091-done@bugs.debian.org, 1102675-done@bugs.debian.org, 1102752-done@bugs.debian.org, 1103926-done@bugs.debian.org, 1103927-done@bugs.debian.org, 1104028-done@bugs.debian.org, 1104154-done@bugs.debian.org, 1104821-done@bugs.debian.org, 1104874-done@bugs.debian.org, 1104882-done@bugs.debian.org, 1105009-done@bugs.debian.org, 1105113-done@bugs.debian.org, 1105816-done@bugs.debian.org, 1105888-done@bugs.debian.org, 1105957-done@bugs.debian.org, 1105971-done@bugs.debian.org, 1105996-done@bugs.debian.org, 1106300-done@bugs.debian.org, 1106328-done@bugs.debian.org, 1106348-done@bugs.debian.org, 1106536-done@bugs.debian.org, 1106721-done@bugs.debian.org, 1106756-done@bugs.debian.org, 1106761-done@bugs.debian.org, 1106867-done@bugs.debian.org, 1107069-done@bugs.debian.org, 1107116-done@bugs.debian.org, 1107147-done@bugs.debian.org, 1107217-done@bugs.debian.org, 1107252-done@bugs.debian.org, 1107253-done@bugs.debian.org, 1107568-done@bugs.debian.org, 1107852-done@bugs.debian.org, 1107902-done@bugs.debian.org, 1108122-done@bugs.debian.org, 1108127-done@bugs.debian.org, 1108137-done@bugs.debian.org, 1108185-done@bugs.debian.org, 1108308-done@bugs.debian.org, 1108353-done@bugs.debian.org, 1108504-done@bugs.debian.org, 1108508-done@bugs.debian.org, 1108543-done@bugs.debian.org, 1108548-done@bugs.debian.org, 1108921-done@bugs.debian.org, 1109012-done@bugs.debian.org, 1109034-done@bugs.debian.org, 1109084-done@bugs.debian.org, 1109087-done@bugs.debian.org, 1109095-done@bugs.debian.org, 1109127-done@bugs.debian.org, 1109147-done@bugs.debian.org, 1109207-done@bugs.debian.org, 1109545-done@bugs.debian.org, 1109611-done@bugs.debian.org, 1109763-done@bugs.debian.org, 1109819-done@bugs.debian.org, 1109943-done@bugs.debian.org, 1109945-done@bugs.debian.org, 
1109947-done@bugs.debian.org, 1109995-done@bugs.debian.org, 1110034-done@bugs.debian.org, 1110080-done@bugs.debian.org, 1110114-done@bugs.debian.org, 1110340-done@bugs.debian.org, 1110489-done@bugs.debian.org, 1110643-done@bugs.debian.org, 1110686-done@bugs.debian.org, 1110813-done@bugs.debian.org, 1111034-done@bugs.debian.org, 1111076-done@bugs.debian.org, 1111426-done@bugs.debian.org, 1111486-done@bugs.debian.org, 1111600-done@bugs.debian.org, 1111607-done@bugs.debian.org, 1111653-done@bugs.debian.org, 1111666-done@bugs.debian.org, 1111835-done@bugs.debian.org, 1111859-done@bugs.debian.org, 1111924-done@bugs.debian.org, 1111959-done@bugs.debian.org, 1111966-done@bugs.debian.org, 1111969-done@bugs.debian.org, 1111987-done@bugs.debian.org, 1111989-done@bugs.debian.org, 1112039-done@bugs.debian.org, 1112053-done@bugs.debian.org, 1112070-done@bugs.debian.org, 1112074-done@bugs.debian.org, 1112124-done@bugs.debian.org, 1112129-done@bugs.debian.org, 1112141-done@bugs.debian.org, 1112195-done@bugs.debian.org, 1112239-done@bugs.debian.org, 1112252-done@bugs.debian.org, 1112340-done@bugs.debian.org, 1112347-done@bugs.debian.org, 1112368-done@bugs.debian.org, 1112449-done@bugs.debian.org, 1112459-done@bugs.debian.org, 1112467-done@bugs.debian.org, 1112542-done@bugs.debian.org
- Subject: Closing p-u requests for fixes included in 12.12
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 06 Sep 2025 12:14:50 +0100
- Message-id: <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 12.12 Hi, Each of the updates referenced by these requests was included in today's 12.12 point release for bookworm. Regards, Adam
--- End Message ---