XPost: linux.debian.devel.release
From:
[email protected]
This is a multi-part MIME message sent by reportbug.
Package: release.debian.org
Severity: normal
X-Debbugs-Cc:
[email protected],
[email protected],
[email protected]
Control: affects -1 + src:node-tar-fs
User:
[email protected]
Usertags: unblock
[ Reason ]
node-tar-fs is vulnerable to CVE-2025-48387: it may extract files
outside the specified directory.
[ Impact ]
Medium security issue
[ Tests ]
Tests OK
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
In this release, upstream chose another test framework not available in Debian. So I added a patch to use "tape", which is available. This permits
dropping the useless test modules previously embedded.
That's why I added 2 debdiff here:
- the global debdiff
- a debdiff that shows only changes related to installed files
Best regards,
Xavier
unblock node-tar-fs/3.0.9+~cs2.0.4-1
[SoupGate killed MIME-encoded file node-tar-fs_3.0.9+~cs2.0.4-1.debdiff (184923 bytes)]
diff --git a/debian/changelog b/debian/changelog
index b01fb20..a93913e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-tar-fs (3.0.9+~cs2.0.4-1) unstable; urgency=medium
+
+ * Team upload
+ * Keep previous test from 2.1.1 with tape
+ * New upstream version (Closes: CVE-2025-48387)
+
+ -- Yadd <
[email protected]> Tue, 03 Jun 2025 17:33:46 +0200
+
node-tar-fs (3.0.8+~cs2.0.4-1) unstable; urgency=medium
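Review bot: the entry "Keep previous test from 2.1.1 with tape" does not say why the switch was made; the unblock text explains that upstream moved to a test framework not packaged in Debian, and the changelog should carry that reason so it survives without the bug report, e.g. "* Run the tests from 2.1.1 with tape, as upstream's new test framework is not available in Debian". Note also that "Closes:" only acts on Debian bug numbers; the CVE id itself is what the security tracker picks up, so the reference is fine as documentation but closes nothing.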
diff --git a/index.js b/index.js
index f1e1a6a..5df3665 100644
--- a/index.js
+++ b/index.js
@@ -164,23 +164,23 @@ exports.extract = function extract (cwd, opts) {
return next()
}
- if (header.type === 'directory') {
- stack.push([name, header.mtime])
- return mkdirfix(name, {
- fs: xfs,
- own,
- uid: header.uid,
- gid: header.gid,
- mode: header.mode
- }, stat)
- }
-
- const dir = path.dirname(name)
+ const dir = path.join(name, '.') === path.join(cwd, '.') ? cwd : path.dirname(name)
validate(xfs, dir, path.join(cwd, '.'), function (err, valid
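Review bot: the removed early `header.type === 'directory'` branch is the security-relevant part of this hunk, since it called `mkdirfix(name, ...)` before `validate(...)` ran, so a directory entry was never checked against `cwd`; the hunk header (`-164,23 +164,23`) shows the same number of lines before and after, so the directory handling must be re-added later in the hunk, but the hunk is cut off at the `validate(...)` call and that part is not visible here. Please confirm that the re-inserted directory branch sits inside the `validate` callback and only runs when `valid` is true, otherwise directory entries are either unchecked again or no longer created at all. The new `dir` line is fine as written: it special-cases the archive root entry, for which `path.dirname(name)` would be the parent of `cwd` and would wrongly fail validation, while every other entry still has its parent directory validated against `path.join(cwd, '.')`.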