
[HIGH] Arbitrary File Overwrite -- need a fix by May 10, 2019 #2821

Closed · Tracked by #137
rjayasekera opened this issue Apr 11, 2019 · 12 comments · Fixed by #3003

Comments

rjayasekera (Contributor) commented Apr 11, 2019

https://app.snyk.io/vuln/SNYK-JS-TAR-174125

Overview
tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hard-link to a file that already exists in the system, and a file that matches the hard-link, may overwrite the system's files with the contents of the extracted file.

Detailed paths and remediation
Introduced through: fec-cms@1.0.0 › npm@6.8.0 › libnpm@2.0.1 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1
Remediation: No remediation path available.
Introduced through: fec-cms@1.0.0 › npm@6.8.0 › libcipm@3.0.3 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1
Remediation: No remediation path available.
Introduced through: fec-cms@1.0.0 › npm@6.8.0 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1
Remediation: No remediation path available.
Introduced through: fec-cms@1.0.0 › npm@6.8.0 › node-gyp@3.8.0 › tar@2.2.1
Remediation: No remediation path available.

Remediation
Upgrade tar to version 4.4.2 or higher.

rfultz (Contributor) commented Apr 16, 2019

The five vulnerabilities (listed below) all stem from the version of tar that node-gyp is using.
npm > libcipm > npm-lifecycle > node-gyp > tar
npm > libnpm > npm-lifecycle > node-gyp > tar
npm > node-gyp > tar
npm > npm-lifecycle > node-gyp > tar
gulp-sass > node-sass > node-gyp > tar

There's a fix coming soon with this PR. I've watched the conversation and will check each day, just in case.

rfultz (Contributor) commented Apr 17, 2019

node-gyp 1713 has been merged into their codebase but only addresses node-gyp 4+. We're using 3.8.0, which is being addressed with their 1718. I'm keeping an eye on it.

rfultz (Contributor) commented Apr 18, 2019

Update: Recent conversation is about how to handle the version number (the change would be a breaking change for some so it should be a major version change, but some want to leave the number the same, which would require manual updates for everyone who's already using the current version).

rfultz (Contributor) commented Apr 22, 2019

This item has been added to the agenda of the next Node.js Technical Steering Committee. Seems like some confusion over who 'owns' node-gyp and the few people who can publish it to npm have gone inactive. The next TSC meeting is Wednesday, 24 April.

rfultz (Contributor) commented Apr 23, 2019

Continuing discussion on the boards. Seems like there's some movement but there are those who aren't convinced this issue's (disputed) severity is worth dropping support for older versions of Node.

rfultz (Contributor) commented Apr 23, 2019

There's some push-back that the fix shouldn't be inside node-gyp itself but inside node-tar. There's a new issue: isaacs/node-tar#212

rfultz (Contributor) commented Apr 24, 2019

The only progress is that the 1718 ticket has been closed and now the work is back with node-tar (as it should be). The node-tar team isn't interested in supporting such outdated versions of Node (<1.0) but is open to others doing that work and submitting PRs. We're using the latest Node (10.15.1) so aren't affected by that conversation apart from it's still a conversation rather than a decision or progress.

The 212 link above is still the most recent.

rfultz (Contributor) commented Apr 25, 2019

The advisory explains "Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file."

The offending code is inside the node-tar package pre-4.4.2.
node-tar is at 4.4.8. 4.4.2 was released on 30 April 2018.

node-gyp currently requires tar < 4.4.2.
They've updated their code but it's still working its way to production.

node-sass uses node-gyp.
Updating node-gyp could be a breaking change for them so they're getting their strategy together.

gulp-sass uses node-sass.
They're waiting for node-sass to do their thing.

npm-lifecycle uses node-gyp.
Could be updated when node-gyp releases their fix.

libnpm uses npm-lifecycle.

libcipm uses npm-lifecycle.

npm uses npm-lifecycle, node-gyp, libnpm, and libcipm.

AmyKort commented May 16, 2019

Is this blocked?

rfultz (Contributor) commented May 16, 2019

Yeah, we're waiting on updates from the node-sass team. It's not much of a risk for us so it's a lower priority; I'm keeping an eye on it. There was a release yesterday but we're still not seeing it.

dorothyyeager (Contributor) commented

Still waiting on others.

@dorothyyeager dorothyyeager modified the milestones: Sprint 9.1, Sprint 9.2 Jun 4, 2019
dorothyyeager (Contributor) commented

Moving to 9.4; PR needs review.
