Bug 1990415 (CVE-2021-32803) - CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
Summary: CVE-2021-32803 nodejs-tar: Insufficient symlink protection allowing arbitrary...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-32803
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1993958 1990416 1991761 1991966 1991967 1991968 1991969 1991970 1991971 1991972 1991973 1992284 1992285 1992286 1992287 1992288 1993401 1993946 1993947 1993948 1993949 1993950 1994402 1994403 1994404 1994405 1994497 1994499 1995345 2000549 2004988 2020114 2020115 2020116 2020117 2020118
Blocks: 1990418
Reported: 2021-08-05 11:02 UTC by Dhananjay Arunesh
Modified: 2023-09-01 01:11 UTC (History)

Fixed In Version: nodejs-tar 3.2.3, nodejs-tar 4.4.15, nodejs-tar 5.0.7, nodejs-tar 6.1.2
Doc Type: If docs needed, set a value
Doc Text:
The npm package "tar" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.
Clone Of:
Environment:
Last Closed: 2021-08-26 15:35:08 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3400 0 None None None 2021-08-31 20:51:21 UTC
Red Hat Product Errata RHBA-2021:3478 0 None None None 2021-09-09 12:33:02 UTC
Red Hat Product Errata RHBA-2021:4731 0 None None None 2021-11-18 10:45:13 UTC
Red Hat Product Errata RHSA-2021:3280 0 None None None 2021-08-26 10:19:02 UTC
Red Hat Product Errata RHSA-2021:3281 0 None None None 2021-08-26 10:15:31 UTC
Red Hat Product Errata RHSA-2021:3623 0 None None None 2021-09-21 13:12:44 UTC
Red Hat Product Errata RHSA-2021:3638 0 None None None 2021-09-22 09:01:03 UTC
Red Hat Product Errata RHSA-2021:3639 0 None None None 2021-09-22 08:51:41 UTC
Red Hat Product Errata RHSA-2021:3666 0 None None None 2021-09-27 07:29:11 UTC
Red Hat Product Errata RHSA-2021:4618 0 None None None 2021-11-11 18:32:22 UTC
Red Hat Product Errata RHSA-2021:5086 0 None None None 2021-12-13 17:44:19 UTC

Description Dhananjay Arunesh 2021-08-05 11:02:49 UTC
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where the `node-tar` symlink checks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

References:
https://www.npmjs.com/advisories/1771
https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw
https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20
https://www.npmjs.com/package/tar

Comment 1 Dhananjay Arunesh 2021-08-05 11:03:24 UTC
Created nodejs-tar tracking bugs for this issue:

Affects: fedora-all [bug 1990416]

Comment 10 Cedric Buissart 2021-08-16 13:07:11 UTC
Created nodejs-tar tracking bugs for this issue:

Affects: epel-7 [bug 1993958]

Comment 14 errata-xmlrpc 2021-08-26 10:15:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281

Comment 15 errata-xmlrpc 2021-08-26 10:18:58 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280

Comment 16 Product Security DevOps Team 2021-08-26 15:35:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32803

Comment 18 errata-xmlrpc 2021-09-21 13:12:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623

Comment 19 errata-xmlrpc 2021-09-22 08:51:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639

Comment 20 errata-xmlrpc 2021-09-22 09:00:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638

Comment 22 errata-xmlrpc 2021-09-27 07:29:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666

Comment 24 errata-xmlrpc 2021-11-11 18:32:20 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618

Comment 25 errata-xmlrpc 2021-12-13 17:44:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8

Via RHSA-2021:5086 https://access.redhat.com/errata/RHSA-2021:5086

