Description
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.
Mitigation
Minimal update. May introduce new vulnerabilities or breaking changes.
|
 npm | | | 7.5.16 |
 debian 11 | | =6.0.5+ds1+~cs11.3.9-1 || =6.0.5+ds1+~cs11.3.9-1+deb11u1 || =6.0.5+ds1+~cs11.3.9-1+deb11u2 || =6.0.5+ds1+~cs11.3.9-1+deb11u3 || =6.1.0+ds1+~cs11.3.9-1 || =6.1.11+ds1+~cs6.0.6-1 || =6.1.11+ds1+~cs6.0.6-2 || =6.1.11+~cs11.2.13-1~bpo11+1 || =6.1.11+~cs11.3.10-1 || =6.1.11+~cs11.3.10-1~bpo11+1 || =6.1.12+~cs6.1.5-1 || =6.1.13+~cs7.0.5-1 || =6.1.13+~cs7.0.5-2 || =6.1.13+~cs7.0.5-3 || =6.1.13+~cs7.0.5-4 || =6.1.7+~cs11.3.10-1 || =6.2.1+ds1+~cs6.1.13-1 || =6.2.1+ds1+~cs6.1.13-10 || =6.2.1+ds1+~cs6.1.13-11 || =6.2.1+ds1+~cs6.1.13-2 || =6.2.1+ds1+~cs6.1.13-3 || =6.2.1+ds1+~cs6.1.13-4 || =6.2.1+ds1+~cs6.1.13-5 || =6.2.1+ds1+~cs6.1.13-6 || =6.2.1+ds1+~cs6.1.13-7 || =6.2.1+ds1+~cs6.1.13-8 || =6.2.1+ds1+~cs6.1.13-9 || =6.2.1+~cs7.0.8-1 | - |
debian 12 | | =6.1.13+~cs7.0.5-1 || =6.1.13+~cs7.0.5-2 || =6.1.13+~cs7.0.5-3 || =6.1.13+~cs7.0.5-4 || =6.2.1+ds1+~cs6.1.13-1 || =6.2.1+ds1+~cs6.1.13-10 || =6.2.1+ds1+~cs6.1.13-11 || =6.2.1+ds1+~cs6.1.13-2 || =6.2.1+ds1+~cs6.1.13-3 || =6.2.1+ds1+~cs6.1.13-4 || =6.2.1+ds1+~cs6.1.13-5 || =6.2.1+ds1+~cs6.1.13-6 || =6.2.1+ds1+~cs6.1.13-7 || =6.2.1+ds1+~cs6.1.13-8 || =6.2.1+ds1+~cs6.1.13-9 || =6.2.1+~cs7.0.8-1 | - |
debian 13 | | =6.2.1+ds1+~cs6.1.13-1 || =6.2.1+ds1+~cs6.1.13-10 || =6.2.1+ds1+~cs6.1.13-11 || =6.2.1+ds1+~cs6.1.13-2 || =6.2.1+ds1+~cs6.1.13-3 || =6.2.1+ds1+~cs6.1.13-4 || =6.2.1+ds1+~cs6.1.13-5 || =6.2.1+ds1+~cs6.1.13-6 || =6.2.1+ds1+~cs6.1.13-7 || =6.2.1+ds1+~cs6.1.13-8 || =6.2.1+ds1+~cs6.1.13-9 || =6.2.1+~cs7.0.8-1 || =6.2.1+~cs7.0.8-1+deb13u1 | - |
debian 14 | | =6.2.1+ds1+~cs6.1.13-1 || =6.2.1+ds1+~cs6.1.13-10 || =6.2.1+ds1+~cs6.1.13-11 || =6.2.1+ds1+~cs6.1.13-2 || =6.2.1+ds1+~cs6.1.13-3 || =6.2.1+ds1+~cs6.1.13-4 || =6.2.1+ds1+~cs6.1.13-5 || =6.2.1+ds1+~cs6.1.13-6 || =6.2.1+ds1+~cs6.1.13-7 || =6.2.1+ds1+~cs6.1.13-8 || =6.2.1+ds1+~cs6.1.13-9 || =6.2.1+~cs7.0.8-1 | - |
