[ Reason ]
node-tar in Bookworm is vulnerable to multiple CVEs.
- CVE-2024-28863: excessive memory consumption
- CVE-2026-23745: sanitize absolute linkpaths properly
(this fix introduces CVE-2026-24842 and CVE-2026-31802)
- CVE-2026-26960: do not write linkpaths through symlinks
- CVE-2026-29786: parse root off paths before sanitizing parts
Fixing CVE-2026-23745 makes it necessary to also fix CVE-2026-24842 and
CVE-2026-31802, because that fix introduces the code affected by these two
issues:
- CVE-2026-24842: properly sanitize hard links containing '..'
- CVE-2026-31802: prevent escaping symlinks with drive-relative paths
[ Impact ]
The issues are already fixed in Bullseye and in Trixie. Bookworm users are
therefore vulnerable to them, and users upgrading from Bullseye to Bookworm
would become vulnerable again.
[ Tests ]
All tests are passing.
[ Risks ]
There is a risk of regression; however, the tests pass and the same fixes have
already been applied and tested in Bullseye and Trixie.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable