[HIGH] Arbitrary File Overwrite -- need a fix by May 10, 2019 #2821
Comments
The five vulnerabilities (listed below) all stem from the version of tar that node-gyp is using. There's a fix coming soon with this PR. I've watched the conversation and will check each day, just in case.
Update: Recent conversation is about how to handle the version number (the change would be a breaking change for some, so it should be a major version change, but some want to leave the number the same, which would require manual updates for everyone who's already using the current version).
This item has been added to the agenda of the next Node.js Technical Steering Committee. Seems like some confusion over who 'owns' node-gyp, and the few people who can publish it to npm have gone inactive. The next TSC meeting is Wednesday, 24 April.
Continuing discussion on the boards. Seems like there's some movement, but there are those who aren't convinced this issue's (disputed) severity is worth dropping support for older versions of Node.
There's some push-back that the fix shouldn't be inside node-gyp itself but inside node-tar. There's a new issue: isaacs/node-tar#212
The only progress is that the 1718 ticket has been closed and now the work is back with node-tar (as it should be). The node-tar team isn't interested in supporting such outdated versions of Node (<1.0) but is open to others doing that work and submitting PRs. We're using the latest Node (10.15.1) so aren't affected by that conversation, apart from the fact that it's still a conversation rather than a decision or progress. The 212 link above is still the most recent.
The advisory explains "Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file." The offending code is inside the
Is this blocked?
Yeah, we're waiting on updates from the node-sass team. It's not much of a risk for us, so it's a lower priority; I'm keeping an eye on it. There was a release yesterday, but we're still not seeing it.
Still waiting on others.
Moving to 9.4; PR needs review.
https://app.snyk.io/vuln/SNYK-JS-TAR-174125
Overview
tar is a full-featured Tar for Node.js.
Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hard-link to a file that already exists in the system, and a file that matches the hard-link may overwrite system's files with the contents of the extracted file.
Detailed paths and remediation
Introduced through:
Introduced through: fec-cms@1.0.0 › npm@6.8.0 › libnpm@2.0.1 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1
Remediation: No remediation path available.
Introduced through: fec-cms@1.0.0 › npm@6.8.0 › libcipm@3.0.3 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1
Remediation: No remediation path available.
Introduced through: fec-cms@1.0.0 › npm@6.8.0 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1
Remediation: No remediation path available.
Introduced through: fec-cms@1.0.0 › npm@6.8.0 › node-gyp@3.8.0 › tar@2.2.1
Remediation: No remediation path available.
Remediation
Upgrade tar to version 4.4.2 or higher.