
Debian alert DLA-4552-1 (node-tar)

From:  Daniel Leidert <dleidert@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4552-1] node-tar security update
Date:  Wed, 29 Apr 2026 05:09:01 +0200
Message-ID:  <66a28fa5ba8016e1fa243ee6fa13f463b780c641.camel@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4552-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
April 29, 2026                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-tar
Version        : 6.0.5+ds1+~cs11.3.9-1+deb11u3
CVE ID         : CVE-2024-28863 CVE-2026-23745 CVE-2026-24842 CVE-2026-26960
                 CVE-2026-29786 CVE-2026-31802

Multiple vulnerabilities have been discovered in node-tar, a Node.js module
to read and write portable tar archives.

CVE-2024-28863

    An archive containing a path with a very large number of nested
    sub-folders can consume memory on the extracting system and crash the
    Node.js process within a few seconds.

CVE-2026-23745

    When preservePaths is false, the linkpath of Link (hardlink) and
    SymbolicLink entries is not sanitized, allowing malicious archives to
    bypass the extraction root restriction. This leads to arbitrary file
    overwrites via hardlinks and to symlink poisoning via absolute symlink
    targets. The fix for this issue introduced several of the following
    vulnerabilities.

CVE-2026-24842

    The security check for hardlink entries allows an attacker to craft a
    malicious TAR archive that bypasses path traversal protections and
    creates hardlinks to arbitrary files outside the extraction directory.

CVE-2026-26960

    An attacker-controlled archive can create a hardlink inside the
    extraction directory that points to a file outside the extraction
    root, enabling arbitrary file read and write as the extracting user.

CVE-2026-29786

    An attacker-controlled archive can create a hardlink that points
    outside the extraction directory by using a drive-relative link
    target.

CVE-2026-31802

    An attacker-controlled archive can create a hardlink that points
    outside the extraction directory by using a drive-relative link
    target.

For Debian 11 bullseye, these problems have been fixed in version
6.0.5+ds1+~cs11.3.9-1+deb11u3.

We recommend that you upgrade your node-tar packages.

For the detailed security status of node-tar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-tar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQJIBAABCgAyFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmnxdk0UHGRsZWlkZXJ0QGRlYmlhbi5vcmcACgkQS80FZ8KW0F3S9A/+MlXyRiGT2Qyuk+RBCp33KAqI4/HjkuIJAfh27wInVBsp3cpKHV7lSc+CRuy8PMTToCCE7XqgO0naO3ATQsZR4klzCBWwDN0y9C6jXCRfQ7HOHaF4C0j+20LmJWmxF9lsnix/h88eFlTU/P+gydPT+mEpJPtTXcm9/AeLqTWiPEeHMc8RyUBjrQtqRrbagWyimeb38Eh5QAcTlwaCM5gq1qt7HqJ5nQTlECHVJsInxGKFcOnvKF4MhBT9DUm5UujhWm5N8igRAFgtyx4SKAsfMHa7a4ry9q2sSFDXYWV4aOKJhhzQRnrzDz6/C5COur8nYZqS8bSiojuA/hiNC3GVEwHqDwFC1Cnq9VoRMbZ/vQg/pw4NBQsGOSW4v1M+kBZQXSxOMFSsnP7GR3MGk3XUZCX9s0JleK7NeWS2nDjSXj8j/FNgsK3/5Yrp9DltSJgwQXTQF/lVLTOuepld4U5iQIcaZYo3CYCJX5PNA2yL+8rdm6BFPz5lN7jTsXb70cVf4ZjNhsP0KqVGndjV7eD1QUnAQWstjzDMNpWDMgGLn5lZaCzbQv5X0yiDEc192KWqZDQeDmpnkMZaCX868UqVK0NBcoEmiX0tpZBj7qpra08/rhwMPSdtsiUHEKecyXemclG4CM/Y3UATPX+s/2OeZiALve4x3YTwACQYi47/5Ck=
=PBD1
-----END PGP SIGNATURE-----




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds