Bug 1190055 - (CVE-2021-37713) VUL-0: CVE-2021-37713: nodejs12,nodejs6,nodejs8,nodejs14,nodejs10,nodejs4: The npm package "tar" (aka node-tar) has an arbitrary file creation/overwrite and arbitrary code execution vulnerability
(CVE-2021-37713)
VUL-0: CVE-2021-37713: nodejs12,nodejs6,nodejs8,nodejs14,nodejs10,nodejs4: Th...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Adam Majer
Security Team bot
https://smash.suse.de/issue/308835/
CVSSv3.1:SUSE:CVE-2021-37713:8.2:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-09-01 10:57 UTC by Robert Frohl
Modified: 2022-01-18 14:38 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-09-01 10:57:05 UTC
CVE-2021-37713

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9
has an arbitrary file creation/overwrite and arbitrary code execution
vulnerability. node-tar aims to guarantee that any file whose location would be
outside of the extraction target directory is not extracted. This is, in part,
accomplished by sanitizing absolute paths of entries within the archive,
skipping archive entries that contain `..` path portions, and resolving the
sanitized paths against the extraction target directory. This logic was
insufficient on Windows systems when extracting tar files that contained a path
that was not an absolute path, but specified a drive letter different from the
extraction target, such as `C:some\path`. If the drive letter does not match the
extraction target, for example `D:\extraction\dir`, then the result of
`path.resolve(extractionDirectory, entryPath)` would resolve against the current
working directory on the `C:` drive, rather than the extraction target
directory. Additionally, a `..` portion of the path could occur immediately
after the drive letter, such as `C:../foo`, and was not properly sanitized by
the logic that checked for `..` within the normalized and split portions of the
path. This only affects users of `node-tar` on Windows systems. These issues
were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar
has been deprecated and did not receive patches for these issues. If you are
still using a v3 release we recommend you update to a more recent version of
node-tar. There is no reasonable way to work around this issue without
performing the same path normalization procedures that node-tar now does. Users
are encouraged to upgrade to the latest patched versions of node-tar, rather
than attempt to sanitize paths themselves.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37713
https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
https://www.npmjs.com/package/tar
Comment 1 OBSbugzilla Bot 2021-11-10 13:40:22 UTC
This is an autogenerated message for OBS integration:
This bug (1190055) was mentioned in
https://build.opensuse.org/request/show/930657 Factory / nodejs14
Comment 3 Swamp Workflow Management 2021-12-02 17:17:53 UTC
SUSE-SU-2021:3886-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.18.1-6.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2021-12-06 17:41:13 UTC
SUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.7-4.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.22.7-4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-06 18:04:14 UTC
openSUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.7-4.22.1
Comment 6 Swamp Workflow Management 2021-12-07 11:16:53 UTC
openSUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.1-15.21.2
Comment 7 Swamp Workflow Management 2021-12-07 11:19:06 UTC
SUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.18.1-15.21.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.18.1-15.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-12-10 14:34:03 UTC
openSUSE-SU-2021:1552-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.18.1-lp152.17.1
Comment 9 Swamp Workflow Management 2021-12-12 05:18:54 UTC
openSUSE-SU-2021:1574-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.22.7-lp152.3.21.1
Comment 11 Swamp Workflow Management 2022-01-18 14:38:46 UTC
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.9-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.