Bug 1990409 (CVE-2021-32804)

Summary: CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, alegrand, amuller, anpicker, aos-bugs, bdettelb, bmontgom, caswilli, chazlett, drieden, eparis, erooth, etamir, extras-orphan, ggaughan, gghezzo, gmalinko, gparvin, hhorak, hvyas, janstey, jburrell, jochrist, jokerman, jorton, jramanat, jwendell, jwon, kakkoyun, kaycoth, kconner, nbecker, nodejs-maint, nodejs-sig, nstielau, ocs-bugs, pkrupa, rcernich, rfreiman, spasquie, sponnaga, stcannon, tchollingsworth, thrcka, tomckay, twalsh, zsvetlik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nodejs-tar 3.2.2, nodejs-tar 4.4.14, nodejs-tar 5.0.6, nodejs-tar 6.1.1
Doc Type: If docs needed, set a value
Doc Text:
The npm package "tar" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-26 15:35:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1993959, 1990410, 1991760, 1991982, 1991983, 1991984, 1991985, 1991986, 1991987, 1991988, 1991989, 1992289, 1992290, 1992291, 1992292, 1992293, 1993401, 1993939, 1993940, 1993941, 1993942, 1993943, 1994406, 1994407, 1994408, 1994409, 1994496, 1994498, 1995344, 2000548, 2004989, 2020106, 2020108, 2020109, 2020110, 2020112
Bug Blocks: 1990418

Description Dhananjay Arunesh 2021-08-05 10:57:29 UTC
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

References:
https://www.npmjs.com/advisories/1770
https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
https://www.npmjs.com/package/tar

Comment 1 Dhananjay Arunesh 2021-08-05 10:57:56 UTC
Created nodejs-tar tracking bugs for this issue:

Affects: fedora-all [bug 1990410]

Comment 10 Cedric Buissart 2021-08-16 13:07:22 UTC
Created nodejs-tar tracking bugs for this issue:

Affects: epel-7 [bug 1993959]

Comment 14 errata-xmlrpc 2021-08-26 10:15:25 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

Comment 15 errata-xmlrpc 2021-08-26 10:18:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

Comment 16 Product Security DevOps Team 2021-08-26 15:35:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32804

Comment 18 errata-xmlrpc 2021-09-21 13:12:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

Comment 19 errata-xmlrpc 2021-09-22 08:51:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

Comment 20 errata-xmlrpc 2021-09-22 09:00:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

Comment 22 errata-xmlrpc 2021-09-27 07:29:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666

Comment 24 errata-xmlrpc 2021-11-11 18:32:17 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618

Comment 25 errata-xmlrpc 2021-12-13 17:44:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8

Via RHSA-2021:5086 https://access.redhat.com/errata/RHSA-2021:5086