
Update dependency tar to v6 [SECURITY] - autoclosed #36

Closed

renovate[bot]

@renovate renovate bot commented Apr 12, 2024

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| tar | ^4.4.13 -> ^6.2.1 | age | adoption | passing | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-28863

Description:

During some analysis today on npm's node-tar package I came across the folder creation process. Basically, if you provide node-tar with a path like this ./a/b/c/foo.txt, it would create every folder and sub-folder here (a, b and c) until it reaches the last folder to create foo.txt. In this case I noticed that there's no validation at all on the amount of folders being created; that said, we're actually able to consume the CPU and memory of the system running node-tar and even crash the nodejs client within a few seconds of running it, using a path with too many sub-folders inside.

Steps To Reproduce:

You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video

Proof Of Concept:

Here's a video showcasing the exploit:

Impact

Denial of service by crashing the nodejs client when attempting to parse a tar archive, making it run out of heap memory and consuming server CPU and memory resources.

Report resources

payload.txt
archeive.tar.gz

Note

This report was originally reported to the GitHub bug bounty program; they asked me to report it to you a month ago.


Release Notes

isaacs/node-tar (tar)

v6.2.1
v6.2.0
v6.1.15
v6.1.14
v6.1.13 (Dependencies)
v6.1.12 (Bug Fixes, Documentation)
v6.1.11
v6.1.10
v6.1.9
v6.1.8
v6.1.7
v6.1.6
v6.1.5
v6.1.4
v6.1.3
v6.1.2
v6.1.1 (Dependencies)
v6.1.0
v6.0.5
v6.0.4
v6.0.3
v6.0.2
v6.0.1
v6.0.0
v5.0.11
v5.0.10
v5.0.9
v5.0.8
v5.0.7
v5.0.6
v5.0.5
v5.0.4
v5.0.2
v5.0.1
v5.0.0
v4.4.19
v4.4.18
v4.4.17
v4.4.16
v4.4.15
v4.4.14

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
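
A defender-side check for the condition the report above describes (no limit on how many nested folders an entry path creates), as an added example that is not code from node-tar or from this PR: it scans a tar buffer's headers before extraction and reports entries nested deeper than a limit. The names `findDeepEntries` and `depthLimit` and the sample archive are constructed for illustration; pax extended headers and base-256 sizes are not parsed.

```javascript
const BLOCK = 512; // tar header and data blocks are 512 bytes
// Read a NUL-terminated string field from a buffer.
function field(buf, off, len) {
  const raw = buf.subarray(off, off + len);
  const end = raw.indexOf(0);
  return raw.toString('utf8', 0, end === -1 ? raw.length : end);
}
// Count real path components, ignoring empty and "." segments.
function pathDepth(p) {
  return p.split('/').filter((s) => s !== '' && s !== '.').length;
}
// Walk the headers and return every entry nested deeper than depthLimit.
function findDeepEntries(tarBuf, depthLimit) {
  const deep = [];
  let longName = null;
  for (let off = 0; off + BLOCK <= tarBuf.length; ) {
    const hdr = tarBuf.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break; // end-of-archive marker
    const size = parseInt(field(hdr, 124, 12).trim() || '0', 8);
    const type = String.fromCharCode(hdr[156] || 0x30);
    if (type === 'L') {
      // GNU long-name record: its data is the path of the next entry
      longName = field(tarBuf, off + BLOCK, size);
    } else {
      // The prefix field is only meaningful in POSIX ustar headers
      const prefix = field(hdr, 257, 6) === 'ustar' ? field(hdr, 345, 155) : '';
      const name = longName ?? (prefix ? prefix + '/' : '') + field(hdr, 0, 100);
      longName = null;
      const depth = pathDepth(name);
      if (depth > depthLimit) deep.push({ name, depth });
    }
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
  return deep;
}

// Constructed sample input: header-only archive, no file contents.
function block(text, type, size) {
  const b = Buffer.alloc(BLOCK);
  b.write(text, 0);
  if (type) { b.write(size.toString(8).padStart(11, '0'), 124); b.write(type, 156); b.write('ustar', 257); }
  return b;
}
const nested = 'd/'.repeat(8) + 'foo.txt'; // constructed path, depth 9
const SAMPLE = Buffer.concat([
  block('./a/b/c/foo.txt', '0', 0),
  block('././@LongLink', 'L', nested.length + 1), block(nested),
  block('short-name', '0', 0), Buffer.alloc(2 * BLOCK),
]);
```

Calling `findDeepEntries(SAMPLE, 4)` accepts the report's `./a/b/c/foo.txt` path and flags only the long-name entry, which a check of the 100-byte name field alone would miss.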


github-actions bot commented Apr 12, 2024

Benchmark Test Results

Benchmark results from the latest changes vs base branch
goos: linux
goarch: amd64
pkg: github.com/nextlinux/gosbom/test/integration
cpu: AMD EPYC 7763 64-Core Processor

Results file: ./.tmp/benchmark-356380a.txt

| Benchmark | sec/op | B/op | allocs/op |
|---|---|---|---|
| ImagePackageCatalogers/alpmdb-cataloger-4 | 8.843m ± 1% | 5.132Mi ± 0% | 87.75k ± 0% |
| ImagePackageCatalogers/apkdb-cataloger-4 | 552.9µ ± 1% | 206.9Ki ± 0% | 4.183k ± 0% |
| ImagePackageCatalogers/binary-cataloger-4 | 156.9µ ± 1% | 30.56Ki ± 0% | 830.0 ± 0% |
| ImagePackageCatalogers/dpkgdb-cataloger-4 | 456.6µ ± 21% | 170.0Ki ± 0% | 3.001k ± 0% |
| ImagePackageCatalogers/dotnet-deps-cataloger-4 | 972.7µ ± 1% | 408.3Ki ± 0% | 6.339k ± 0% |
| ImagePackageCatalogers/go-module-binary-cataloger-4 | 90.69µ ± 1% | 9.909Ki ± 0% | 281.0 ± 0% |
| ImagePackageCatalogers/java-cataloger-4 | 10.44m ± 1% | 2.837Mi ± 0% | 39.88k ± 0% |
| ImagePackageCatalogers/graalvm-native-image-cataloger-4 | 92.55µ ± 1% | 8.599Ki ± 0% | 228.0 ± 0% |
| ImagePackageCatalogers/javascript-package-cataloger-4 | 335.3µ ± 5% | 101.6Ki ± 0% | 1.405k ± 0% |
| ImagePackageCatalogers/nix-store-cataloger-4 | 222.8µ ± 1% | 49.36Ki ± 0% | 895.0 ± 0% |
| ImagePackageCatalogers/php-composer-installed-cataloger-4 | 614.3µ ± 1% | 187.4Ki ± 0% | 4.080k ± 0% |
| ImagePackageCatalogers/portage-cataloger-4 | 356.6µ ± 1% | 120.5Ki ± 0% | 2.269k ± 0% |
| ImagePackageCatalogers/python-package-cataloger-4 | 2.551m ± 0% | 1.008Mi ± 0% | 16.44k ± 0% |
| ImagePackageCatalogers/r-package-cataloger-4 | 167.7µ ± 2% | 53.54Ki ± 0% | 929.0 ± 0% |
| ImagePackageCatalogers/rpm-db-cataloger-4 | 419.1µ ± 1% | 181.8Ki ± 0% | 3.989k ± 0% |
| ImagePackageCatalogers/ruby-gemspec-cataloger-4 | 726.2µ ± 2% | 144.4Ki ± 0% | 2.448k ± 0% |
| ImagePackageCatalogers/sbom-cataloger-4 | 88.57µ ± 1% | 14.26Ki ± 0% | 394.0 ± 0% |
| geomean | 491.2µ | 133.4Ki | 2.583k |

@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from e7d65ae to ad2eff1 Compare April 14, 2024 17:49
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Apr 14, 2024
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Apr 14, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch 2 times, most recently from 463a6ec to 54e5290 Compare April 21, 2024 17:34
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Apr 21, 2024
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Apr 21, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch 2 times, most recently from e4a6175 to 3dcba36 Compare April 26, 2024 23:53
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Apr 26, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 3dcba36 to 6689095 Compare April 26, 2024 23:54
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Apr 26, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 6689095 to 9b58475 Compare May 2, 2024 17:17
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] May 2, 2024
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] May 2, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 9b58475 to cd294dd Compare May 2, 2024 17:18
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from cd294dd to 6679a77 Compare May 10, 2024 05:37
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] May 10, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 6679a77 to e097163 Compare May 10, 2024 05:37
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] May 10, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from e097163 to fe36d09 Compare May 23, 2024 05:49
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] May 23, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from fe36d09 to a26ea85 Compare May 23, 2024 05:50
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] May 23, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from a26ea85 to de22410 Compare June 5, 2024 17:56
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Jun 5, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from de22410 to ccaa3b3 Compare June 5, 2024 17:57
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Jun 5, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from ccaa3b3 to 9a14bd2 Compare June 19, 2024 17:42
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Jun 19, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 9a14bd2 to 7a09262 Compare June 19, 2024 17:43
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Jun 19, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 7a09262 to 2c425ca Compare June 28, 2024 08:38
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Jun 28, 2024
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Jun 28, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 2c425ca to c560dee Compare June 28, 2024 08:38
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from c560dee to 63bb7d8 Compare July 15, 2024 17:52
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Jul 15, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 63bb7d8 to 226e034 Compare July 15, 2024 17:54
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Jul 15, 2024
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Jul 23, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch 2 times, most recently from 0da5d29 to 5f7e441 Compare July 23, 2024 23:44
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Jul 23, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 5f7e441 to 504a716 Compare July 28, 2024 14:54
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v7 [SECURITY] Jul 28, 2024
@renovate renovate bot changed the title Update dependency tar to v7 [SECURITY] Update dependency tar to v6 [SECURITY] Jul 28, 2024
@renovate renovate bot force-pushed the renovate/npm-tar-vulnerability branch from 504a716 to ea99b88 Compare July 28, 2024 14:55
@renovate renovate bot changed the title Update dependency tar to v6 [SECURITY] Update dependency tar to v6 [SECURITY] - autoclosed Aug 6, 2024
@renovate renovate bot closed this Aug 6, 2024
@renovate renovate bot deleted the renovate/npm-tar-vulnerability branch August 6, 2024 05:47