Bug 2033394 (CVE-2021-37713) - CVE-2021-37713 nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-37713
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1999747
Reported: 2021-12-16 16:43 UTC by ayambast
Modified: 2021-12-17 17:01 UTC
CC List: 11 users

Fixed In Version: nodejs-tar 4.4.18, nodejs-tar 5.0.10, nodejs-tar 6.1.9
Clone Of:
Environment:
Last Closed: 2021-12-16 17:26:02 UTC
Embargoed:



Description ayambast 2021-12-16 16:43:25 UTC
On Windows systems, a tar file could contain a path that was not an absolute path but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.

Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path.

This only affects users of node-tar on *Windows* systems.

Reference: 
https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh

Comment 1 Product Security DevOps Team 2021-12-16 17:26:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-37713

