Bug 1990409 (CVE-2021-32804) - CVE-2021-32804 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
Status: CLOSED ERRATA
Alias: CVE-2021-32804
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1990410 1992289 1992291 1992292 1992293 1993401 1993942 1993943 1993959 1995344 2000548 2004989 1991760 1991982 1991983 1991984 1991985 1991986 1991987 1991988 1991989 1992290 1993939 1993940 1993941 1994406 1994407 1994408 1994409 1994496 1994498 2020106 2020108 2020109 2020110 2020112
Blocks: 1990418
Reported: 2021-08-05 10:57 UTC by Dhananjay Arunesh
Modified: 2021-11-18 10:45 UTC (History)

Fixed In Version: nodejs-tar 3.2.2, nodejs-tar 4.4.14, nodejs-tar 5.0.6, nodejs-tar 6.1.1
Doc Text:
The npm package "tar" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file.
Last Closed: 2021-08-26 15:35:02 UTC


Links
System                   ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHBA-2021:3400  0        None      None    None     2021-08-31 20:51:21 UTC
Red Hat Product Errata   RHBA-2021:3478  0        None      None    None     2021-09-09 12:33:01 UTC
Red Hat Product Errata   RHBA-2021:4731  0        None      None    None     2021-11-18 10:45:12 UTC
Red Hat Product Errata   RHSA-2021:3280  0        None      None    None     2021-08-26 10:18:58 UTC
Red Hat Product Errata   RHSA-2021:3281  0        None      None    None     2021-08-26 10:15:29 UTC
Red Hat Product Errata   RHSA-2021:3623  0        None      None    None     2021-09-21 13:12:35 UTC
Red Hat Product Errata   RHSA-2021:3638  0        None      None    None     2021-09-22 09:00:57 UTC
Red Hat Product Errata   RHSA-2021:3639  0        None      None    None     2021-09-22 08:51:40 UTC
Red Hat Product Errata   RHSA-2021:3666  0        None      None    None     2021-09-27 07:29:08 UTC
Red Hat Product Errata   RHSA-2021:4618  0        None      None    None     2021-11-11 18:32:19 UTC

Description Dhananjay Arunesh 2021-08-05 10:57:29 UTC
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

References:
https://www.npmjs.com/advisories/1770
https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
https://www.npmjs.com/package/tar

Comment 1 Dhananjay Arunesh 2021-08-05 10:57:56 UTC
Created nodejs-tar tracking bugs for this issue:

Affects: fedora-all [bug 1990410]

Comment 10 Cedric Buissart 2021-08-16 13:07:22 UTC
Created nodejs-tar tracking bugs for this issue:

Affects: epel-7 [bug 1993959]

Comment 14 errata-xmlrpc 2021-08-26 10:15:25 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

Comment 15 errata-xmlrpc 2021-08-26 10:18:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

Comment 16 Product Security DevOps Team 2021-08-26 15:35:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32804

Comment 18 errata-xmlrpc 2021-09-21 13:12:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

Comment 19 errata-xmlrpc 2021-09-22 08:51:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

Comment 20 errata-xmlrpc 2021-09-22 09:00:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

Comment 22 errata-xmlrpc 2021-09-27 07:29:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666

Comment 24 errata-xmlrpc 2021-11-11 18:32:17 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618
