A vulnerability was found in nodejs-tar before version 4.4.2. An Arbitrary File Overwrite when extracting tarballs containing a hard-link to a file that already exists in the system, and a file that matches the hard-link may overwrite system's files with the contents of the extracted file. References: https://hackerone.com/reports/344595 Upstream Patch: https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
Created nodejs-tar tracking bugs for this issue: Affects: epel-all [bug 1702339] Affects: fedora-all [bug 1702340]
Raised the CVSS score to CIA:HHH as the specially crafted tar file could overwrite files that would allow an attacker to execute code on the victim's machine as his user.
Red Hat Software Collection Node.js 10 (rh-nodejs10-nodejs) is not affected by this flaw because it already contains the patched code.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1821 https://access.redhat.com/errata/RHSA-2019:1821
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20834
External References: https://hackerone.com/reports/344595