-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Apr 2026 05:44:08 +0200
Source: node-tar
Architecture: source
Version: 6.0.5+ds1+~cs11.3.9-1+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Changes:
 node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2024-28863.patch: Add patch to fix CVE-2024-28863.
     - Generating a large number of sub-folders can consume memory on the
       system and even crash the Node.js client within a few seconds using
       a path with too many sub-folders inside.
   * d/patches/CVE-2026-23745.patch: Add patch to fix CVE-2026-23745.
     - When preservePaths is false, the linkpath of Link (hardlink) and
       SymbolicLink entries fail to be sanitized, allowing malicious
       archives to bypass the extraction root restriction, leading to
       arbitrary file overwrites via hardlinks and symlink poisoning via
       absolute symlink targets.
   * d/patches/CVE-2026-23745-regression-fix.patch: Add patch to fix a
     regression introduced by the fix for CVE-2026-23745.
     - The fix for CVE-2026-23745 introduces a regression that prevents
       unpacking archives with valid linkpaths within the archive.
   * d/patches/CVE-2026-24842.patch: Add patch to fix CVE-2026-24842.
     - The security check for hardlink entries allows an attacker to craft
       a malicious TAR archive that bypasses path traversal protections and
       creates hardlinks to arbitrary files outside the extraction
       directory.
   * d/patches/CVE-2026-26960-1.patch, d/patches/CVE-2026-26960-2.patch:
     Add patch to fix CVE-2026-26960.
     - An attacker-controlled archive can create a hardlink inside the
       extraction directory that points to a file outside the extraction
       root, enabling arbitrary file read and write as the extracting user.
   * d/patches/CVE-2026-29786.patch: Add patch to fix CVE-2026-29786.
     - An attacker-controlled archive can create a hardlink that points
       outside the extraction directory by using a drive-relative link
       target.
   * d/patches/CVE-2026-31802.patch: Add patch to fix CVE-2026-31802.
     - An attacker-controlled archive can create a hardlink that points
       outside the extraction directory by using a drive-relative link
       target.
   * d/tests/control: Allow stderr to ignore npm warnings.
Checksums-Sha1:
 7c88dccd4b15cc965f0519207c9849fe1fd95e81 3602 node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3.dsc
 24db077a0a6c3c707c576aa218cc18adef0d34ac 35270 node-tar_6.0.5+ds1+~cs11.3.9.orig-fs-minipass.tar.gz
 601a95c4cb1d2976072c1720338de85757fc7a74 50240 node-tar_6.0.5+ds1+~cs11.3.9.orig-minipass.tar.gz
 516fc8a8b9661b375ecb00113f1c6165dd43b623 186712 node-tar_6.0.5+ds1+~cs11.3.9.orig-minizlib.tar.gz
 d680de60855e7778a51c672b755869a3b8d2889f 6436 node-tar_6.0.5+ds1+~cs11.3.9.orig-types-tar.tar.gz
 4584c124b9210e4e1db8dca5ec1a48da8ffd9c93 190376 node-tar_6.0.5+ds1+~cs11.3.9.orig.tar.gz
 359e454d993b427d5af0c25d8479ac2b0b63a349 24168 node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3.debian.tar.xz
 a489ee8f77abf1da3f9b38b9b564640b9f4f0a5c 9603 node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3_amd64.buildinfo
Checksums-Sha256:
 592000ab7701e6c6cead5072f3e0c9f07246a4167667b37590796907dc65c6d6 3602 node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3.dsc
 83cf7dc113dacdbe3a2d05753edde01c37256cc97167ea5a8086ab85a78f2efd 35270 node-tar_6.0.5+ds1+~cs11.3.9.orig-fs-minipass.tar.gz
 496598d78b824ddb3116c4a4fe0123516b318eab820d0ee80cb892ef3ba0c4c9 50240 node-tar_6.0.5+ds1+~cs11.3.9.orig-minipass.tar.gz
 296f5e559312e7a4dd871e1cdad27d50d9d0518a548ae870dffb678ff2ecae7e 186712 node-tar_6.0.5+ds1+~cs11.3.9.orig-minizlib.tar.gz
 e59a412960136fd1b0a303a7284d849eec4de7658627083058c9caf1ebb28d03 6436 node-tar_6.0.5+ds1+~cs11.3.9.orig-types-tar.tar.gz
 042ca18da6d5dfc2c41aa0169abac8ae70497fb5b340c8fe5b71aa47705606d9 190376 node-tar_6.0.5+ds1+~cs11.3.9.orig.tar.gz
 a81b1df093cc631f02250576be3ef7e80fc25a998a61a927fed4281e9b9057a5 24168 node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3.debian.tar.xz
 d1d1e379c937135b87cfea8a8c31efa2c0627ac4b44d2f942943a869cc1216ad 9603 node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3_amd64.buildinfo
Files:
 6a2caa86a96ea0d6f1a2f6634f8c992d 3602 javascript optional node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3.dsc
 4885211b9cf2f530a54e6a725cc9556f 35270 javascript optional node-tar_6.0.5+ds1+~cs11.3.9.orig-fs-minipass.tar.gz
 b49657e3714f92ab73a7deb5aca36f53 50240 javascript optional node-tar_6.0.5+ds1+~cs11.3.9.orig-minipass.tar.gz
 389dc4b3f49e5c28a485f2243aa021c6 186712 javascript optional node-tar_6.0.5+ds1+~cs11.3.9.orig-minizlib.tar.gz
 50edb82b89a507117b023acd19c4ba44 6436 javascript optional node-tar_6.0.5+ds1+~cs11.3.9.orig-types-tar.tar.gz
 9bab2016cc7ba17b4cf688ce8910bde2 190376 javascript optional node-tar_6.0.5+ds1+~cs11.3.9.orig.tar.gz
 a5e05a8d09a3cbac6a11af7f1f4bad7d 24168 javascript optional node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3.debian.tar.xz
 9c70b4eab35e40d4fc400bc11f415036 9603 javascript optional node-tar_6.0.5+ds1+~cs11.3.9-1+deb11u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmnxWJQACgkQS80FZ8KW
0F04iw/7BLllq7Oa1IQBXA+cZg51GyKXR6/XOEO3ttiC4fDZmvM7Npa9Y2ZLLQo0
gpBikJMm2PBnAD5eR75SqIN0pLpyMms0c7c8UOhpz3+heZb7NheZZDbAx//naWiB
rw+7qW51+qbDHEPOxa8/Afs3y5O7sfbpyEd5kd/6rSRIwM49Gi0ST2yzfaeKHkr1
MowqI3cjpf/YQzyiZr8Z0BS9gkla3Rv2sBKDChjSmnEzcJMLEKId5bduwhnf5b8p
dc2BeFTe6YE9cVyHtbYtRrnSuVA7U75ogsjZsRASBZi24IDDOCm0HjQ/xWOOY5zv
7AMFalgxgrgmecbCSqMvheLngTjh4v5dU9K0ng9VmqyScj/PUE+We/dg6tdeQ7Ss
RwvZA+GtUwS/ZQ4BEiVBjjml01244p5niEyNEwrIljPL1nzBEVM87JweFrwsUu43
xsTH/Gl2QwQkW/ih7TMBS9Y2ggrq42U0tfDqLwExdl/28Ft70b9rcyNKHG+8xZQN
QAJsSGli9yAv15Sn6YAea/Od6HTejfZR+ulPx/EbwjHb3Em5DEgbpehC26u4evQ6
5KsSNbXqgKDh3IZV3WRciUzHLd5VYA2VNOFzNk9UHr/6H6uRPcaIy63B1aQ43k2C
Ks60k6582fNUl1DFrR6iEjLqvzoYqRNdRaLSg0nAuqYWogNqGGU=
=/GFy
-----END PGP SIGNATURE-----