Bug 1190056 – VUL-0: CVE-2021-37712: nodejs4,nodejs12,nodejs8,nodejs10,nodejs14,nodejs6: nodejs-tar - insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite

Bug 1190056 - (CVE-2021-37712) VUL-0: CVE-2021-37712: nodejs4,nodejs12,nodejs8,nodejs10,nodejs14,nodejs6: nodejs-tar - insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite

(CVE-2021-37712)
Summary:	VUL-0: CVE-2021-37712: nodejs4,nodejs12,nodejs8,nodejs10,nodejs14,nodejs6: no...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/308821/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-37712:8.1:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-09-01 10:58 UTC by Robert Frohl
Modified:	2022-01-18 14:38 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2021-09-01 10:58:26 UTC

rh#1999739

node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic was insufficient when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. It led to bypassing node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.

Reference:
https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1999739
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712
https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p
https://www.npmjs.com/package/tar

Comment 1 OBSbugzilla Bot 2021-11-10 13:40:27 UTC

This is an autogenerated message for OBS integration:
This bug (1190056) was mentioned in
https://build.opensuse.org/request/show/930657 Factory / nodejs14

Comment 3 Swamp Workflow Management 2021-12-02 17:18:00 UTC

SUSE-SU-2021:3886-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.18.1-6.18.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Swamp Workflow Management 2021-12-06 17:41:21 UTC

SUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.7-4.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.22.7-4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Swamp Workflow Management 2021-12-06 18:04:22 UTC

openSUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.7-4.22.1

Comment 6 Swamp Workflow Management 2021-12-07 11:17:00 UTC

openSUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.1-15.21.2

Comment 7 Swamp Workflow Management 2021-12-07 11:19:14 UTC

SUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.18.1-15.21.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.18.1-15.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2021-12-10 14:34:10 UTC

openSUSE-SU-2021:1552-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.18.1-lp152.17.1

Comment 9 Swamp Workflow Management 2021-12-12 05:19:01 UTC

openSUSE-SU-2021:1574-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.22.7-lp152.3.21.1

Comment 11 Swamp Workflow Management 2022-01-18 14:38:51 UTC

SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.9-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.