
Fix buffer over-read vulnerability existing in bl < 4.0.3 #125

Merged
merged 1 commit into from
Sep 9, 2020

Conversation

NicolasCARPi
Contributor

@mririgoyen

+1 to this. Please consider merging to resolve this high-severity vulnerability as soon as you can. Thank you!

@heyfirst

heyfirst commented Sep 9, 2020

+1 for this. Please consider merging this PR.

@mafintosh
Owner

As mentioned in the issue, the package.json semver already installs the fix. Will merge this as well, but note this was fixed as soon as the bl fix was released.

@mafintosh mafintosh merged commit 25e191e into mafintosh:master Sep 9, 2020
@mririgoyen

Thanks. Yes, semver would handle this; however, because everyone uses lockfiles now, most people are not going to automatically get this unless they know to invalidate their lockfiles, which kind of goes against lockfiles in the first place. 😄

I see this was merged, but an updated version of tar-stream was not published to NPM. Could you bump the patch version and publish to NPM so that your dependencies can get it? archiver uses this, but cannot resolve the issue there until an updated version is published.

Thank you!

@NicolasCARPi NicolasCARPi deleted the vuln branch September 9, 2020 14:11
@mafintosh
Owner

If they use a lock file, they still need to update it, which would fix it in the first place since the semver is already covered.
Made a new patch release as well.
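The exchange above turns on one point: the range declared in package.json already admits bl 4.0.3, but a committed lockfile keeps installing whatever version it pinned, so the fix only arrives once the lockfile is refreshed. The following is an added example, not code from tar-stream, bl or archiver, that checks a lockfile for exactly that situation. The only fact it takes from the page is that bl below 4.0.3 is affected; the declared range `^4.0.0`, the lockfile contents and the tar-stream version in it are constructed sample data, and the semver matcher is a deliberately small one (caret, tilde, `>=` and exact only).

```javascript
// Added example (not project code): does a package-lock.json pin a dependency
// below the fixed release even though the declared semver range already admits
// the fix? Advisory data from the PR title: bl < 4.0.3 is affected.
const ADVISORY = { name: "bl", fixedIn: "4.0.3" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1, comparing major.minor.patch numerically (so 4.0.3 < 4.0.10).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal range matcher for the operators a package.json dependency usually
// carries: ^, ~, >= and an exact version. Hyphen ranges and "||" are not handled.
function satisfies(version, range) {
  const r = String(range).trim();
  const v = parseVersion(version);
  if (r.startsWith("^")) {
    const lower = r.slice(1), base = parseVersion(lower);
    if (compareVersions(version, lower) < 0) return false;
    if (base[0] > 0) return v[0] === base[0];                 // ^1.2.3 -> <2.0.0
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1];   // ^0.2.3 -> <0.3.0
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];      // ^0.0.3 -> 0.0.3 only
  }
  if (r.startsWith("~")) {
    const lower = r.slice(1), base = parseVersion(lower);
    return compareVersions(version, lower) >= 0 && v[0] === base[0] && v[1] === base[1];
  }
  if (r.startsWith(">=")) return compareVersions(version, r.slice(2)) >= 0;
  return compareVersions(version, r) === 0;
}

// Every copy of `name` pinned in a package-lock.json: the lockfileVersion 1
// nested "dependencies" tree and the v2/v3 flat "packages" map are both walked.
function pinnedVersions(lock, name) {
  const found = [];
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
      found.push({ path: p, version: entry.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) found.push({ path: p, version: entry.version });
      walk(entry.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Would a fresh install already resolve to the fixed version, and which pins
// in the lockfile still hold the vulnerable one?
function audit(declaredRange, lock, advisory = ADVISORY) {
  return {
    rangeAdmitsFix: satisfies(advisory.fixedIn, declaredRange),
    vulnerablePins: pinnedVersions(lock, advisory.name)
      .filter((p) => compareVersions(p.version, advisory.fixedIn) < 0),
  };
}

// Constructed sample (hypothetical values, not taken from any real package.json):
// a dependent declares "bl": "^4.0.0", and a v1 lockfile pins one hoisted copy
// and one copy nested under tar-stream, both below 4.0.3.
const SAMPLE_RANGE = "^4.0.0";
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    bl: { version: "4.0.2" },
    "tar-stream": {
      version: "2.1.3",
      dependencies: { bl: { version: "4.0.1" } },
    },
  },
};

console.log(JSON.stringify(audit(SAMPLE_RANGE, SAMPLE_LOCK), null, 2));
```

For the sample, `rangeAdmitsFix` is true while two pins are still below 4.0.3, which is the case mririgoyen describes: the range is fine, the lockfile is what needs updating. Run it against a real lockfile by replacing `SAMPLE_LOCK` with the parsed file; an empty `vulnerablePins` after the lockfile is refreshed is the confirmation the thread asks for.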

@mririgoyen

Thank you for the patch, much appreciated!

4 participants