Ubuntu alert USN-8367-1 (node-tar-fs)
From: noreply+usn-bot--- via ubuntu-security-announce <ubuntu-security-announce@lists.ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-8367-1] tar-fs vulnerabilities
Date: Tue, 02 Jun 2026 16:07:26 +0000
Message-ID: <E1wUReI-0004Gq-8g@lists.ubuntu.com>
Cc: noreply+usn-bot@canonical.com
==========================================================================
Ubuntu Security Notice USN-8367-1
June 02, 2026

node-tar-fs vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in tar-fs.

Software Description:
- node-tar-fs: File system bindings for tar-stream

Details:

It was discovered that tar-fs did not properly limit paths when extracting
crafted tar files. An attacker could possibly use this issue to write or
overwrite files outside the intended extraction directory. This issue only
affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-12905)

It was discovered that tar-fs did not properly validate extraction paths
for certain crafted tar archives. An attacker could possibly use this issue
to write files outside the intended extraction directory. This issue only
affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-48387)

It was discovered that tar-fs had a symlink validation bypass when
extracting crafted tar files. An attacker could possibly use this issue to
write files outside the intended extraction directory. (CVE-2025-59343)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  node-tar-fs    3.0.9+~cs2.0.4-1+deb13u1build0.25.10.1

Ubuntu 24.04 LTS
  node-tar-fs    2.1.1-6ubuntu0.24.04.1~esm1
                 Available with Ubuntu Pro

Ubuntu 22.04 LTS
  node-tar-fs    2.1.1-6ubuntu0.22.04.1~esm1
                 Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8367-1
  CVE-2024-12905, CVE-2025-48387, CVE-2025-59343

Package Information:
  https://launchpad.net/ubuntu/+source/node-tar-fs/3.0.9+~c...
Attachment: signature.asc (type=application/pgp-signature)
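Added example (not part of the notice and not tar-fs's own code or fix): a lexical pre-extraction audit for the class of issue described under Details, where an entry name or link target resolves outside the extraction directory. The function names and the sample headers are assumptions made for illustration; the entry fields (name, type, linkname) follow tar-stream's header object.

```javascript
// Added example: lexical pre-extraction audit of tar entry headers.
// Entry fields (name, type, linkname) follow tar-stream's header object.

// Resolve an archive path against a virtual root given as path segments.
// Returns the normalized segments, or null when the path leaves the root.
function resolveInside(baseSegs, p) {
  const norm = String(p).replace(/\\/g, '/');   // treat '\' as a separator (conservative)
  if (norm.startsWith('/')) return null;        // absolute path
  const out = baseSegs.slice();
  for (const seg of norm.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') { out.push(seg); continue; }
    if (out.length === 0) return null;          // climbed above the root
    out.pop();
  }
  return out;
}

// Returns one finding per entry that should not be extracted as-is.
function auditEntries(entries) {
  const links = new Set();   // paths an earlier entry created as a link
  const findings = [];
  for (const e of entries) {
    const flag = (reason) => findings.push({ name: e.name, reason });
    const dest = resolveInside([], e.name);
    if (dest === null) { flag('name escapes root'); continue; }
    // A write at or below an archive-created link would follow that link.
    const prefixes = dest.map((_, i) => dest.slice(0, i + 1).join('/'));
    if (prefixes.some((pre) => links.has(pre))) { flag('path passes through archive link'); continue; }
    if (e.type === 'symlink' || e.type === 'link') {
      // Symlink targets resolve from the link's directory, hardlink targets from the root.
      const base = e.type === 'symlink' ? dest.slice(0, -1) : [];
      if (resolveInside(base, e.linkname || '') === null) { flag('link target escapes root'); continue; }
      links.add(dest.join('/'));
    }
  }
  return findings;
}

// Constructed sample headers, not taken from any real archive.
const SAMPLE = [
  { name: 'pkg/index.js', type: 'file' },
  { name: '../outside.txt', type: 'file' },
  { name: 'pkg/cfg', type: 'symlink', linkname: '../../elsewhere' },
  { name: 'pkg/lib', type: 'symlink', linkname: '../shared' },
  { name: 'pkg/lib/a.js', type: 'file' },
  { name: '/abs/path', type: 'file' },
];
console.log(auditEntries(SAMPLE));
```

The audit is purely lexical and deliberately strict: it does not see symlinks that already exist on disk, and it rejects any write through a link the archive itself created, even when the link target stays inside the root. It complements the package update listed above and does not replace it.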
