Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A vulnerable version of tar is used #1714

Closed
stof opened this issue Apr 8, 2019 · 13 comments
Closed

A vulnerable version of tar is used #1714

stof opened this issue Apr 8, 2019 · 13 comments

Comments

@stof
Copy link

stof commented Apr 8, 2019

See https://www.npmjs.com/advisories/803

@iwaduarte
Copy link

What to expect from here? Are we going to have an update? Response? Anything?

@stof
Copy link
Author

stof commented Apr 11, 2019

Well, I hope that node-gyp could migrate to tar v4.4.2+ (or could convince the tar maintainers to backport the fix to a 3.x release if that's infeasible).
I don't know the node-gyp codebase (I'm not even using it directly. I'm an indirect user through node-sass) so I'm not confident providing a patch myself. But as the advisory is now public, I wanted to raise awareness that node-gyp is impacted. The discussion in the hackerone report mentioned that some popular app (probably unpkg.com based on some later comments) were impacted and should be patched before making it public. It's too bad that node-gyp was not identified for that as well.

@stof
Copy link
Author

stof commented Apr 11, 2019

It looks like #1713 is working on it

@refack
Copy link
Contributor

refack commented Apr 11, 2019

Fixed by #1713

@refack refack closed this as completed Apr 11, 2019
@laurenfrederick
Copy link

@refack Are you going to do a release with this update? Thanks!

@refack
Copy link
Contributor

refack commented Apr 12, 2019

Refs: #1718
The @nodejs/node-gyp team needs to make an explicit decision to drop support for node<4 for the node-gyp@3 branch. Other wise this will need to wait for node-gyp@4 (which should be out soon. Hopefully in parallel to node@12)...

@stof
Copy link
Author

stof commented Apr 12, 2019

well, waiting for node-gyp@4 would mean that the non-vulnerable version would reach out the ecosystem only after each package migrate as well, which would take a huge amount of time (and they would still have to drop 0.10 and 0.12 to get the patch anyway).

@pwnpsasin
Copy link

Why the current version 3.8.0 (npjs.org) still uses the package of tar in the version 2.0.0 instead of 4.4.2?

@stof
Copy link
Author

stof commented Apr 17, 2019

@pwnpsasin see the comment above. Upgrading tar requires dropping support for node<4 (as tar dropped it in 3.x) and that requires a decision from the team.

@ChALkeR
Copy link
Member

ChALkeR commented Apr 24, 2019

@stof The way to address this in a way that would not require semver-major bumps of everything is isaacs/node-tar#212 (i.e. backport the security patch/patches to node-tar@2). They are willing to accept a backported patch and cut a release in case if anyone is willing to do the backporting work.

@gpkoltermann
Copy link

@stof Why don't you create a new major version with updated tar, and when (if ever as I see the comments there) node-tar backport will be created, release a fix for the older version? Lots of people is waiting for this update and our security guys are pinging us every day.

@stof
Copy link
Author

stof commented May 6, 2019

@gpkoltermann I'm not creating versions because I'm not a maintainer at all here.

@sam-github
Copy link
Contributor

https://github.com/nodejs/node-gyp/releases/tag/v4.0.0 has been released, it doesn't depend on the version of node-tar causing audit warnings.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants