[Security] Bump tar from 6.1.11 to 6.2.1
Bumps tar from 6.1.11 to 6.2.1. This update includes a security fix.
Vulnerabilities fixed
Denial of service while parsing a tar file due to lack of folders count validation
Description:
During some analysis today on npm's
node-tar
package I came across the folder creation process, Basicly if you provide node-tar with a path like this./a/b/c/foo.txt
it would create every folder and sub-folder here a, b and c until it reaches the last folder to createfoo.txt
, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders insideSteps To Reproduce:
You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video
Proof Of Concept:
Here's a video show-casing the exploit:
Impact
Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources
Report resources
Note
This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago
Patched versions: 6.2.1 Affected versions: < 6.2.1
Release notes
Sourced from tar's releases.
v6.1.13
6.1.13 (2022-12-07)
Dependencies
v6.1.12
6.1.12 (2022-10-31)
Bug Fixes
57493ee
#332 ensuring close event is emited after stream has ended (@webark
)b003c64
#314 replace deprecated String.prototype.substr() (#314) (@CommanderRoot
,@lukekarrys
)Documentation
Changelog
Sourced from tar's changelog.
Changelog
6.2
- Add support for brotli compression
6.1.13 (2022-12-07)
Dependencies
6.1.12 (2022-10-31)
Bug Fixes
57493ee
#332 ensuring close event is emited after stream has ended (@webark
)b003c64
#314 replace deprecated String.prototype.substr() (#314) (@CommanderRoot
,@lukekarrys
)Documentation
f129929
#313 remove dead link to benchmarks (#313) (@yetzt
)c1faa9f
add examples/explanation of using tar.t (@isaacs
)6.0
- Drop support for node 6 and 8
- fix symlinks and hardlinks on windows being packed with
\
-style path targets5.0
- Address unpack race conditions using path reservations
- Change large-numbers errors from TypeError to Error
- Add
TAR_*
error codes- Raise
TAR_BAD_ARCHIVE
warning/error when there are no valid entries found in an archive- do not treat ignored entries as an invalid archive
- drop support for node v4
- unpack: conditionally use a file mapping to write files on Windows
- Set more portable 'mode' value in portable mode
- Set
portable
gzip option in portable mode4.4
- Add 'mtime' option to tar creation to force mtime
- unpack: only reuse file fs entries if nlink = 1
- unpack: rename before unlinking files on Windows
- Fix encoding/decoding of base-256 numbers
- Use
stat
instead oflstat
when checking CWD
... (truncated)
Commits
-
bef7b1e
6.2.1 -
fe8cd57
prevent extraction in excessively deep subfolders -
fe7ebfd
remove security.md -
5bc9d40
6.2.0 -
fe1ef5e
changelog 6.2 -
e483220
get rid of npm lint stuff -
689928a
ci that works outside of npm org -
db6f539
file inference improvements for .tbr and .tgz -
336fa8f
refactor: dry and other pr comments -
eeba222
chore: lint fixes - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts