Bug 2293200 (CVE-2024-28863)

Summary: CVE-2024-28863 node-tar: denial of service while parsing a tar file due to lack of folders depth validation
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, akostadi, amasferr, amctagga, anjoseph, asoldano, bbaranow, bbuckingham, bdettelb, bmaxwell, boliveir, brian.stansberry, caswilli, cbartlet, cdaley, cdewolf, chazlett, cmiranda, darran.lofthouse, dfreiber, dhanak, dkreling, dkuc, dmayorov, dosoudil, dpalmer, drichtar, drow, dsimansk, dymurray, eaguilar, ebaron, ecerquei, ehelms, fjansen, fjuma, ggainey, gkamathe, gmalinko, gparvin, gtanzill, hhorak, hkataria, ibek, ibolton, ivassile, iweiss, janstey, jburrell, jcantril, jchui, jkang, jkoehler, jkoops, jlledo, jmatthew, jmontleo, jorton, jpallich, jprabhak, jrokos, jshaughn, juwatts, jwendell, kaycoth, kingland, kshier, ktsao, kverlaen, lbainbri, lgao, matzew, mhulan, mkudlej, mmakovy, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nbecker, nboldt, njean, nmoumoul, nodejs-maint, nwallace, orabin, owatkins, pahickey, parichar, pcongius, pcreech, pdelbell, pdrozd, peholase, pgaikwad, pierdipi, pjindal, pmackay, pskopek, rcernich, rchan, rgarg, rguimara, rhaigner, rhuss, rjohnson, rmartinc, rowaters, rstancel, rstepani, rtaniwa, sdawley, sfroberg, sipoyare, slucidi, smaestri, sseago, sthorger, tasato, tjochec, tkral, tom.jenkinson, twalsh, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: node-tar 6.2.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ISAACS's node-tar, where it is vulnerable to a denial of service, caused by the lack of folder count validation. The vulnerability exists due to the application not properly controlling the consumption of internal resources while parsing a tar file. By sending a specially crafted request, a remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2293210, 2293211, 2293212, 2293213, 2293214, 2293216, 2293217, 2293218, 2293219, 2293220, 2293221, 2293238, 2293255, 2293256, 2293257, 2293258, 2299178, 2299179, 2299180, 2310139, 2310140, 2310153, 2310154, 2311072, 2311074, 2311076, 2311078, 2311081, 2311082, 2311083, 2311084, 2311086
Bug Blocks: 2293261

Description TEJ RATHI 2024-06-20 09:18:22 UTC
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7
https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
https://security.netapp.com/advisory/ntap-20240524-0005/
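As an added example (not node-tar's code and not part of the report above), a JavaScript depth filter that applies the same idea as the 6.2.1 fix: entries nested deeper than a chosen limit are skipped before any directory is created. The limit of 64, the function names and the sample entries are assumptions constructed for the demonstration.

```javascript
// Added example, not node-tar's own code: screen archive entry paths by
// nesting depth before extraction, mirroring the 6.2.1 fix's approach of
// skipping excessively deep sub-folders. MAX_DEPTH is an assumed policy value.
const MAX_DEPTH = 64;

// Count the path segments an entry descends into. "./", "." segments,
// repeated and trailing slashes are ignored; any ".." segment returns -1 so
// a crafted path cannot lower its apparent depth or escape the target dir.
function entryDepth(entryPath) {
  const parts = entryPath.split('/').filter((p) => p !== '' && p !== '.');
  if (parts.includes('..')) return -1;
  return parts.length;
}

// True when the entry is within the depth budget and contains no "..".
function allowEntry(entryPath, maxDepth = MAX_DEPTH) {
  const depth = entryDepth(entryPath);
  return depth >= 0 && depth <= maxDepth;
}

// Apply the check to a list of entry paths, as node-tar's `filter` option
// would see them one by one, and report what was accepted and skipped.
function screenEntries(entryPaths, maxDepth = MAX_DEPTH) {
  const accepted = [];
  const skipped = [];
  for (const p of entryPaths) {
    (allowEntry(p, maxDepth) ? accepted : skipped).push(p);
  }
  return { accepted, skipped };
}

// Constructed sample entries: two ordinary paths, one nested 200 levels deep
// (the shape of the resource-exhaustion input) and one using "..".
const SAMPLE_ENTRIES = [
  'README.md',
  'src/lib/util.js',
  './' + Array(200).fill('d').join('/') + '/x.txt',
  '../escape.txt',
];

// Usage with node-tar (assumes the `tar` package is installed; not run here):
//   tar.x({ file: 'in.tgz', cwd: 'out', filter: (p) => allowEntry(p) });
console.log(screenEntries(SAMPLE_ENTRIES));
```

Pinning node-tar to 6.2.1 or later remains the primary fix; this filter is a belt-and-braces check for extraction code that must also handle archives from untrusted sources with an application-specific depth policy.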

Comment 1 TEJ RATHI 2024-06-20 10:31:36 UTC
Created nodejs18 tracking bugs for this issue:

Affects: fedora-39 [bug 2293213]
Affects: fedora-40 [bug 2293218]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-39 [bug 2293214]
Affects: fedora-40 [bug 2293219]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2293210]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2293211]


Created rstudio tracking bugs for this issue:

Affects: fedora-39 [bug 2293216]
Affects: fedora-40 [bug 2293220]


Created yarnpkg tracking bugs for this issue:

Affects: epel-8 [bug 2293212]
Affects: fedora-39 [bug 2293217]
Affects: fedora-40 [bug 2293221]

Comment 20 errata-xmlrpc 2024-07-17 13:25:01 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:4591 https://access.redhat.com/errata/RHSA-2024:4591

Comment 21 errata-xmlrpc 2024-08-26 08:29:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5814 https://access.redhat.com/errata/RHSA-2024:5814

Comment 23 errata-xmlrpc 2024-09-03 02:22:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6147 https://access.redhat.com/errata/RHSA-2024:6147

Comment 24 errata-xmlrpc 2024-09-03 02:24:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6148 https://access.redhat.com/errata/RHSA-2024:6148

Comment 25 errata-xmlrpc 2024-09-18 11:58:03 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

Comment 26 errata-xmlrpc 2024-09-26 03:47:12 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:7164 https://access.redhat.com/errata/RHSA-2024:7164

Comment 28 errata-xmlrpc 2024-11-05 17:24:33 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906