Debian Buster DLA-3237-1 Critical: Node-Tar Cache Poisoning Threat
debian lts
December 12, 2022
Cache poisoning vulnerabilities were found in node-tar, a Node.js module used to read and write portable tar archives, which may result in arbitrary file creation or overwrite
Topics Covered
Summary
CVE-2021-37701
It was discovered that node-tar performed insufficient symlink
protection, thereby making directory cache vulnerable to poisoning
using symbolic links.
Upon extracting an archive containing a directory 'foo/bar' followed
with a symbolic link 'foo\\bar' to an arbitrary location, node-tar
would extract arbitrary files into the symlink target, thus allowing
arbitrary file creation and overwrite.
Moreover, on case-insensitive filesystems, a similar issue occurred
with a directory 'FOO' followed with a symbolic link 'foo'.
CVE-2021-37712
Similar to CVE-2021-37701, a specially crafted tar archive
containing two directories and a symlink with names containing
unicode values that normalized to the same value, would bypass
node-tar's symlink checks on directories, thus allowing arbitrary
file creation and overwrite.
For Debian 10 buster, these problems have been fixed in version
4.4.6+ds1-3+deb10u2.
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: node-tar
Version: 4.4.6+ds1-3+deb10u2
CVE ID: CVE-2021-37701 CVE-2021-37712
Debian Bug: 993981
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!