
[Security] Vulnerability in `tar` #2625

Closed
asbjornh opened this issue Apr 11, 2019 · 40 comments

@asbjornh

commented Apr 11, 2019

Do not open a PR. We appreciate the enthusiasm but the fix is more complicated than it appears. We're considering our options.

See https://www.npmjs.com/advisories/803

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Caused by node-gyp. I guess this depends on nodejs/node-gyp#1714 being fixed first. As far as I can tell, to fix this node-sass needs to upgrade to node-gyp@4.x.x once they've resolved the issue on their part.

Output from yarn audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > tar                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 16503
Severity: 1 High
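The pattern the advisory describes, as an added example that is not code from this issue, node-tar or node-gyp: a Python checker that inspects an archive before anything extracts it and flags (a) a hardlink entry whose target resolves outside the extraction root and (b) a regular-file entry that reuses the name of an earlier hardlink, which is the combination that makes a vulnerable extractor write the file's contents through the link into the existing system file. The sample archives are constructed inline; the extraction root `/tmp/extract` and the link target `../../etc/hosts` are assumptions chosen for illustration.

```python
import io
import posixpath
import tarfile

# Hypothetical extraction root used to resolve link targets (assumption).
EXTRACT_ROOT = "/tmp/extract"


def audit_tarball(buf: bytes, dest: str = EXTRACT_ROOT) -> list:
    """Inspect an archive (as bytes) without extracting it.

    `dest` must be an absolute path. Returns (finding, entry name, link target)
    tuples:
      hardlink-escapes-root     a hardlink whose target lies outside `dest`
      file-overwrites-hardlink  a regular file whose name matches an earlier
                                hardlink, so its data would be written through
                                the link into the link's target (advisory 803)
    """
    dest = posixpath.normpath(dest)
    findings = []
    hardlinks = {}  # entry name -> link target, for hardlinks seen so far
    with tarfile.open(fileobj=io.BytesIO(buf), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.islnk():
                # Resolve the target the way an extractor would, then make
                # sure it is still underneath the extraction root.
                target = posixpath.normpath(posixpath.join(dest, m.linkname))
                if posixpath.commonpath([dest, target]) != dest:
                    findings.append(("hardlink-escapes-root", m.name, m.linkname))
                hardlinks[m.name] = m.linkname
            elif m.isfile() and m.name in hardlinks:
                findings.append(("file-overwrites-hardlink", m.name, hardlinks[m.name]))
    return findings


def build_tarball(entries) -> bytes:
    """Build an in-memory archive from (name, data, link) tuples.

    link=None produces a regular file holding `data`; otherwise the entry is
    a hardlink to `link`. Used only to construct the samples below.
    """
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tf:
        for name, data, link in entries:
            ti = tarfile.TarInfo(name)
            if link is not None:
                ti.type = tarfile.LNKTYPE
                ti.linkname = link
                tf.addfile(ti)
            else:
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
    return out.getvalue()


# Constructed samples; the paths are illustrative, not taken from a real package.
MALICIOUS = build_tarball([
    ("lib/config", b"", "../../etc/hosts"),          # hardlink to an existing system file
    ("lib/config", b"attacker controlled\n", None),  # same name, regular file
])
BENIGN = build_tarball([
    ("lib/a.txt", b"hello\n", None),
    ("lib/a-link", b"", "lib/a.txt"),                # hardlink that stays inside the tree
])

if __name__ == "__main__":
    for label, buf in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, audit_tarball(buf) or "clean")
```

In-tree hardlinks on their own are normal in archives and are not reported; the second finding is the advisory's exact sequence. A patched extractor guards against this itself, so the check matters for archives fed to tooling you cannot upgrade yet, which is the situation this thread is about.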
@mohsenari

commented Apr 11, 2019

Dealing with the same issue. Tried npm update node-sass --depth 999, npm i tar --save, and npm update tar --depth 999. None of that helped update tar for node-sass.

@mohsenari

commented Apr 11, 2019

Anyone who's looking for a temporary workaround until this gets fixed, I managed to update tar version using izogfif's answer here: https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions

You need to remove tar from required section in node-gyp in package-lock.json

Then replace the version in the dependencies section in the same place and remove resolved and integrity properties from tar in dependencies:

"node-gyp": {
		"version": "3.8.0",
		"resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-3.8.0.tgz",
		"integrity": "sha512-3g8l...",
		"requires": {
			"fstream": "^1.0.0",
			"glob": "^7.0.3",
			"graceful-fs": "^4.1.2",
			"mkdirp": "^0.5.0",
			"nopt": "2 || 3",
			"npmlog": "0 || 1 || 2 || 3 || 4",
			"osenv": "0",
			"request": "^2.87.0",
			"rimraf": "2",
			"semver": "~5.3.0",
			"which": "1"
		},
		"dependencies": {
			"semver": {
				"version": "5.3.0",
				"resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz",
				"integrity": "sha1-myzl..."
			},
			"tar": {
				"version": "^4.4.2"
			}
		}
},

Then delete your node_modules and run npm i
Test it with npm audit

@meszaros-lajos-gyorgy

commented Apr 11, 2019

node-gyp updated its tar version to the latest in this commit a few minutes ago, expecting a release soon:
nodejs/node-gyp@1456ef2

@angelocapone

commented Apr 12, 2019

Same issue for me although I have the 4.4.8 version:
$ npm show tar version
4.4.8

@thealiano

commented Apr 12, 2019

Same here waiting for a proper fix :)

@JarriddW

commented Apr 12, 2019

Having same issue, waiting for a fix too :)
current tar version: 4.4.8

@asbjornh

Author

commented Apr 12, 2019

Same issue for me although I have the 4.4.8 version:
$ npm show tar version
4.4.8

You might have several transitive dependencies on multiple versions of tar :)

@angelocapone

commented Apr 12, 2019

Thank you Asbjørn!

Yeah, looks like I have an "extraneous" 2.2.1 tar version:
$ npm ls tar
cartclient@1.0.0 X:\projects\cartclient
+-- node-sass@4.11.0
| `-- node-gyp@3.8.0
|   `-- UNMET DEPENDENCY tar@^4.4.5
+-- nuxt@2.6.1
| `-- @nuxt/builder@2.6.1
|   `-- chokidar@2.1.5
|     `-- UNMET OPTIONAL DEPENDENCY fsevents@1.2.7
|       `-- UNMET OPTIONAL DEPENDENCY node-pre-gyp@0.10.3
|         `-- UNMET OPTIONAL DEPENDENCY tar@4.4.8
`-- tar@2.2.1 extraneous

npm ERR! extraneous: tar@2.2.1 X:\projects\cartclient\node_modules\tar
npm ERR! missing: tar@^4.4.5, required by node-gyp@3.8.0

@JarriddW

commented Apr 12, 2019

I'm unsure how many vulnerabilities all of you would have started with, this morning I had 4.
After running npm audit fix, 3/4 of them were fixed with just tar still giving problems.
I can however build and run my apps again for anyone with a similar case.

@HarisSpahija

commented Apr 12, 2019

Updating the package-lock.json to all use "tar": "4.4.8" worked for me

@JarriddW

commented Apr 12, 2019

Updating the package-lock.json to all use "tar": "4.4.8" worked for me

did you manage to run an audit with no vulnerabilities?

@osushi-desushi

commented Apr 12, 2019

package-lock.json

"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",

"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",


rm -fr node_modules

npm i

npm audit

=== npm audit security report ===

found 0 vulnerabilities
 in 42617 scanned packages
@JarriddW

commented Apr 12, 2019

@osushi-desushi Your solution has worked, no vulnerabilities. Thanks a ton!

@osushi-desushi

commented Apr 12, 2019

@JarriddW
Thanks for watching!!

@meszaros-lajos-gyorgy

commented Apr 12, 2019

node-gyp got stuck with their part in updating, since they used tar@3 in their repo and upgrading to 4 broke their code: nodejs/node-gyp#1713 (comment)

@clshortfuse

commented Apr 12, 2019

Watch this space:

nodejs/node-gyp#1718

Once node-gyp 3.8.1 comes out, node-sass can update the dependency.

sfentress added a commit to concord-consortium/geocode that referenced this issue Apr 12, 2019

Update tar dependency
Fixing last high-severity warning, modifying the package-lock file by
hand as per sass/node-sass#2625
@johnDowee

commented Apr 12, 2019

Anybody who can summarize the steps to follow??

@prathusingh

commented Apr 12, 2019

Not sure what to do?

@clshortfuse

commented Apr 13, 2019

Just a warning: by manually installing tar at the new version to solve the vulnerability, you're breaking node-gyp, since it currently only supports tar v2. I don't believe node-sass is using tar installs, but if anything else in your package does, you're going to have issues.

This is the commit that will fix node-gyp to support v4, which would allow the vulnerability to be fixed:

nodejs/node-gyp@6e1e425#diff-f6618e1cc731d58106a806b7679a7616R170

ShahanaFarooqui added a commit to ShahanaFarooqui/RTL that referenced this issue Apr 14, 2019

Fix issue #114
Manually removed vulnerability by upgrading 'tar' package from 2.2.1 to 4.4.8 (https://stackoverflow.com/questions/55635378/angular-devkit-build-angular-arbitrary-file-overwrite). angular-devkit and node-sass issues are still open. (angular/angular-cli#14138, sass/node-sass#2625). Will permanently be fixed once above 2 issues are addressed by Angular and node-sass teams.
@lenymo

commented Apr 15, 2019

Unfortunately with the CI pipeline I work with, I'm not able to manually change package-lock.json because it is built on the fly and compared with the committed version. If there's a mismatch things break. Would appreciate a release to fix this if possible.

@sass sass deleted a comment from sotayamashita Apr 15, 2019

@nschonni

Contributor

commented Apr 15, 2019

If node-gyp releases a 3.8.1 (or 3.9) there will be no need for a node-sass release as that is in the version range in the package.json already.
Tar is used by node-gyp to download headers for compiling binaries, so this is only an issue if someone gets a malicious tarball on the official nodejs release site and you aren't using our pre-built binaries.

@C-odes

commented Apr 15, 2019

Still very unsure which steps to take. Should I do the manual tar update like @mohsenari mentioned? OR what?
Also how temporary is this fix? 😅
Also if what @clshortfuse is saying is true, is this a smart move at all?
Please help.

@HarisSpahija

commented Apr 15, 2019

@C-odes

package-lock.json

"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",

"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",


rm -fr node_modules

npm i

@invisor

commented Apr 15, 2019

package-lock.json

"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",

"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",


rm -fr node_modules

npm i

npm audit

=== npm audit security report ===

found 0 vulnerabilities
 in 42617 scanned packages

Not working for me. Every time I use npm i, all changes in package-lock.json are rolled back to the previous version 2.2.1.

@HarisSpahija

commented Apr 15, 2019

Do you have any other packages that use tar? @invisor

@invisor

commented Apr 15, 2019

@HarisSpahija yes, but this package is using tar with version 4.4.8

@C-odes

commented Apr 15, 2019

I did it, but while waiting for npm i to finish, I noticed that fsevents uses tar version 4.4.1. Is this an issue?

@C-odes

commented Apr 15, 2019

Ok, same thing here. I changed all
tar: {
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",

to:
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",

But the node-gyp dependency rolls back its tar version to 2.2.0 after npm install

@C-odes

commented Apr 15, 2019

"node-gyp": {
      "version": "3.8.0",
      "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-3.8.0.tgz",
      "integrity": "sha512-3g8lYefrRRzvGeSowdJKAKyks8oUpLEd/DyPV4eMhVlhJ0aNaZqIrNUIPuEWWTAoPqyFkfGrM67MC69baqn6vA==",
      "requires": {
        "fstream": "^1.0.0",
        "glob": "^7.0.3",
        "graceful-fs": "^4.1.2",
        "mkdirp": "^0.5.0",
        "nopt": "2 || 3",
        "npmlog": "0 || 1 || 2 || 3 || 4",
        "osenv": "0",
        "request": "^2.87.0",
        "rimraf": "2",
        "semver": "~5.3.0",
        "tar": "^2.0.0",
        "which": "1"
      },
      "dependencies": {
        "nopt": {
          "version": "3.0.6",
          "resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
          "integrity": "sha1-xkZdvwirzU2zWTF/eaxopkayj/k=",
          "requires": {
            "abbrev": "1"
          }
        },
        "semver": {
          "version": "5.3.0",
          "resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz",
          "integrity": "sha1-myzl094C0XxgEq0yaqa00M9U+U8="
        },
        "tar": {
          "version": "2.2.1",
          "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
          "integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",
          "requires": {
            "block-stream": "*",
            "fstream": "^1.0.2",
            "inherits": "2"
          }
        }
      }
    },
@C-odes

commented Apr 15, 2019

See that? It rolled back to 2.2.1 * :(

@invisor

commented Apr 15, 2019

@C-odes I have the same behavior

@C-odes

commented Apr 15, 2019

I see it, I think! Look at the "Required" section under node-gyp. It says tar: "^2.0.0". Change this.

@invisor

commented Apr 15, 2019

@C-odes nice catch! Now it works

@C-odes

commented Apr 15, 2019

Hmmmmm, one vulnerability removed, but still one remains. I checked it; it seems I keep finding "tar": "^2.0.0"..
But I changed it... is it rolling back somehow? The only one that kept going back to "^2.0.0" is in the required field:


    "node-gyp": {
      "version": "3.8.0",
      "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-3.8.0.tgz",
      "integrity": "sha512-3g8lYefrRRzvGeSowdJKAKyks8oUpLEd/DyPV4eMhVlhJ0aNaZqIrNUIPuEWWTAoPqyFkfGrM67MC69baqn6vA==",
      "requires": {
        "fstream": "^1.0.0",
        "glob": "^7.0.3",
        "graceful-fs": "^4.1.2",
        "mkdirp": "^0.5.0",
        "nopt": "2 || 3",
        "npmlog": "0 || 1 || 2 || 3 || 4",
        "osenv": "0",
        "request": "^2.87.0",
        "rimraf": "2",
        "semver": "~5.3.0",
        "tar": "^4.0.0",
        "which": "1"
      },
      "dependencies": {
        "nopt": {
          "version": "3.0.6",
          "resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
          "integrity": "sha1-xkZdvwirzU2zWTF/eaxopkayj/k=",
          "requires": {
            "abbrev": "1"
          }
        },
        "semver": {
          "version": "5.3.0",
          "resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz",
          "integrity": "sha1-myzl094C0XxgEq0yaqa00M9U+U8="
        },
        "tar": {
          "version": "4.4.8",
          "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
          "integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",
          "requires": {
            "chownr": "^1.1.1",
            "fs-minipass": "^1.2.5",
            "minipass": "^2.3.4",
            "minizlib": "^1.1.1",
            "mkdirp": "^0.5.0",
            "safe-buffer": "^5.1.2"
          }
        }
      }
    }

I changed it back to "^4.0.0". Gonna delete node_modules and npm i AGAIN. Weird..

@C-odes

commented Apr 15, 2019

Update: it keeps resetting to 2.0.0... why? There's no other place with tar version 2.0.0
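Before hand-editing a lockfile the way the comments above do, it helps to see every copy of tar the lockfile pins and every `requires` range that pulls one in, since the range (not just the nested `version`) is what several people here found being restored on the next `npm i`. The following is an added example, not npm's or node-sass's code: a Python walker over the lockfileVersion 1 layout shown in the comments (nested copies under each node's own `dependencies` map). The threshold is the advisory as quoted at the top of the thread (`>=4.4.2`); the thread later notes the advisory was amended when a patched 2.x line appeared, so adjust it to whatever the advisory says when you run this. The lockfile fragment is constructed for the example.

```python
import json
import sys

# Threshold from the advisory as quoted in the thread ("Patched in >=4.4.2").
# The thread later reports the advisory was amended once a patched 2.x line
# existed, so set PATCHED to match the advisory you are actually checking.
PATCHED = (4, 4, 2)


def parse_version(v: str):
    """Turn '4.4.8' into (4, 4, 8); return None for git URLs, tags or
    prerelease strings that a plain numeric comparison cannot handle."""
    try:
        return tuple(int(p) for p in v.split(".")[:3])
    except ValueError:
        return None


def walk(deps: dict, path: tuple = ()):
    """Yield (path, name, node) for every node in a lockfileVersion 1 tree,
    where nested copies live under each node's own "dependencies" map."""
    for name, node in deps.items():
        here = path + (name,)
        yield here, name, node
        yield from walk(node.get("dependencies", {}), here)


def find_vulnerable(lock: dict, package: str = "tar") -> list:
    """Return (path, version) for every copy of `package` older than PATCHED."""
    hits = []
    for path, name, node in walk(lock.get("dependencies", {})):
        pv = parse_version(node.get("version", ""))
        if name == package and pv is not None and pv < PATCHED:
            hits.append((" > ".join(path), node["version"]))
    return hits


def find_requires(lock: dict, package: str = "tar") -> list:
    """Return (path, range) for every "requires" entry that names `package`.

    This is the field the comments above tripped over: editing only the
    nested "version" got undone on the next install until the range in the
    parent's "requires" was changed as well.
    """
    out = []
    for path, name, node in walk(lock.get("dependencies", {})):
        rng = node.get("requires", {}).get(package)
        if rng is not None:
            out.append((" > ".join(path), rng))
    return out


# Constructed lockfile fragment modelled on the node-gyp entries in the thread;
# it is not a real project's package-lock.json.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 1,
  "dependencies": {
    "node-sass": {
      "version": "4.11.0",
      "requires": {"node-gyp": "^3.8.0"},
      "dependencies": {
        "node-gyp": {
          "version": "3.8.0",
          "requires": {"tar": "^2.0.0"},
          "dependencies": {"tar": {"version": "2.2.1"}}
        }
      }
    },
    "tar": {"version": "4.4.8"}
  }
}
""")

if __name__ == "__main__":
    # Pass a package-lock.json path to scan a real file; otherwise use the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, version in find_vulnerable(lock):
        print(f"vulnerable: {path}@{version}")
    for path, rng in find_requires(lock):
        print(f"requires:   {path} wants tar {rng}")
```

Run it against a project's package-lock.json to get the same picture as `npm ls tar`, but with the `requires` ranges alongside the pinned versions. Lockfiles with `lockfileVersion` 2 or 3 use a different (`packages`) layout and are not handled here.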

@nschonni

Contributor

commented Apr 15, 2019

Locking the thread, since this is going off topic

@sass sass locked as too heated and limited conversation to collaborators Apr 15, 2019

@nschonni nschonni pinned this issue Apr 23, 2019

@xzyfer

Contributor

commented Apr 23, 2019

For those following along: there are a lot of moving pieces that are slowing down resolving this issue.

As stated by @meszaros-lajos-gyorgy in #2625 (comment), the node-gyp maintainers are currently blocked from creating a patch because they're using an older version of node-tar to maintain support for older Node versions. Updating node-tar to address this vulnerability would mean breaking support for older versions of Node.

There is a good summary of the node-gyp issue in nodejs/node-gyp#1718 (comment).

The ideal solution would be to patch the version of node-tar being used by node-gyp. There's an issue tracking that request at npm/node-tar#212.

@xzyfer

Contributor

commented Apr 24, 2019

Please stop opening PRs. We know node-gyp has a new release. That's not enough for our needs. We appreciate the enthusiasm and we're considering our options.

@xzyfer

Contributor

commented May 15, 2019

A new version of node-tar@2.x has been released with the security patch backported from 3.x. The security advisory will be updated in the next 24hrs, at which point npm audit --fix will pass.

npm/node-tar#212 (comment)

@nschonni

Contributor

commented May 15, 2019

Advisory has been updated and npm audit fix should work again

@nschonni nschonni closed this May 15, 2019

CristianDavidCabrera added a commit to CristianDavidCabrera/modulo-front-end-avanzado that referenced this issue May 15, 2019
