include-media-spread
include-media-spread copied to clipboard
jackmcpickle
[Security] Bump tar from 6.0.5 to 6.1.3
⚠️ Dependabot is rebasing this PR ⚠️
If you make any changes to it yourself then they will take precedence over the rebase.
Bumps tar from 6.0.5 to 6.1.3. This update includes security fixes.
Vulnerabilities fixed
Sourced from The GitHub Security Advisory Database.
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-taraims to prevent extraction of absolute file paths by turning absolute paths into relative paths when thepreservePathsflag is not set totrue. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example/home/user/.bashrcwould turn intohome/user/.bashrc.This logic was insufficient when file paths contained repeated path roots such as
////home/user/.bashrc.node-tarwould only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g.///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.Patches
3.2.2 || 4.4.14 || 5.0.6 || 6.1.1
NOTE: an adjacent issue CVE-2021-32803 affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your
node-taruse case.Workarounds
Users may work around this vulnerability without upgrading by creating a custom
onentrymethod which sanitizes theentry.pathor afiltermethod which removes entries with absolute paths.const path = require('path') </tr></table>
... (truncated)
Affected versions: >= 6.0.0 < 6.1.1
Sourced from The GitHub Security Advisory Database.
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
node-taraims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessarystatcalls to determine whether a given path is a directory, paths are cached when directories are created.This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the
node-tardirectory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also wherenode-tarchecks for symlinks occur.By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass
node-tarsymlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Patches
3.2.3 || 4.4.15 || 5.0.7 || 6.1.2
Workarounds
Users may work around this vulnerability without upgrading by creating a custom
filtermethod which prevents the extraction of symbolic links.
... (truncated)
Affected versions: >= 6.0.0 < 6.1.2
Commits
0b783866.1.356c24b0fix: properly handle top-level files when using strip8d75229ci: Create codeql workflow3f7b2006.1.29dbdeb6Remove paths from dirCache when no longer dirs1e335346.1.11f036cafix: strip absolute paths more comprehensively1b94260tap@15259e6496.1.02d83d5bAdd the noChmod option- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebasewill rebase this PR -
@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it -
@dependabot mergewill merge this PR after your CI passes on it -
@dependabot squash and mergewill squash and merge this PR after your CI passes on it -
@dependabot cancel mergewill cancel a previously requested merge and block automerging -
@dependabot reopenwill reopen this PR if it is closed -
@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) -
@dependabot use these labelswill set the current labels as the default for future PRs for this repo and language -
@dependabot use these reviewerswill set the current reviewers as the default for future PRs for this repo and language -
@dependabot use these assigneeswill set the current assignees as the default for future PRs for this repo and language -
@dependabot use this milestonewill set the current milestone as the default for future PRs for this repo and language -
@dependabot badge mewill comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot dashboard:
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
![dependabot-preview[bot] avatar](https://avatars.githubusercontent.com/in/2141?v=4 "Published by a pub.dev verified publisher"){kind=small}
