[HIGH] Arbitrary File Overwrite -- need a fix by May 10, 2019 #2821
Comments
|
The five vulnerabilities (listed below) all stem from the version of tar that node-gyp is using. There's a fix coming soon with this PR. I've watched the conversation and will check each day, just in case. |
|
Update: Recent conversation is about how to handle the version number (the change would be a breaking change for some so it should be a major version change, but some want to leave the number the same, which would require manual updates for everyone who's already using the current version). |
|
This item has been added to the agenda of the next Node.js Technical Steering Committee. Seems like some confusion over who 'owns' node-gyp and the few people who can publish it to npm have gone inactive. The next TSC meeting is Wednesday, 24 April. |
|
Continuing discussion on the boards. Seems like there's some movement but there are those who aren't convinced this issue's (disputed) severity is worth dropping support for older versions of Node. |
|
There's some push-back that the fix shouldn't be inside node-gyp itself but inside node-tar. There's a new issue: isaacs/node-tar#212 |
|
The only progress is that the 1718 ticket has been closed and now the work is back with node-tar (as it should be). The node-tar team isn't interested in supporting such outdated versions of Node (<1.0) but is open to others doing that work and submitting PRs. We're using the latest Node (10.15.1) so aren't affected by that conversation apart from it's still a conversation rather than a decision or progress. The 212 link above is still the most recent. |
|
The advisory explains "Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file." The offending code is inside the
|
|
Is this blocked? |
|
Yeah, we're waiting on updates from the node-sass team. It's not much of a risk for us so it's a lower priority; I'm keeping an eye on it. There was a release yesterday but we're still not seeing it. |
|
Still waiting on others. |
|
Moving to 9.4; PR needs review. |
https://app.snyk.io/vuln/SNYK-JS-TAR-174125
Overview
tar is a full-featured Tar for Node.js.
Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hard-link to a file that already exists in the system, and a file that matches the hard-link may overwrite system's files with the contents of the extracted file.
Detailed paths and remediation
Introduced through:fec-cms@1.0.0 › npm@6.8.0 › libnpm@2.0.1 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1Remediation:No remediation path available.Introduced through:fec-cms@1.0.0 › npm@6.8.0 › libcipm@3.0.3 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1Remediation:No remediation path available.Introduced through:fec-cms@1.0.0 › npm@6.8.0 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1Remediation:No remediation path available.Introduced through:fec-cms@1.0.0 › npm@6.8.0 › node-gyp@3.8.0 › tar@2.2.1Remediation:No remediation path available.Remediation
Upgrade tar to version 4.4.2 or higher.
The text was updated successfully, but these errors were encountered: