#1140683 bookworm-pu: package node-tar/6.1.13+~cs7.0.5-1+deb12u1

#1140683#5
Date:
2026-06-24 14:08:59 UTC
[ Reason ]

node-tar in Bookworm is vulnerable to multiple CVEs.

  - CVE-2024-28863: excessive memory consumption
  - CVE-2026-23745: sanitize absolute linkpaths properly
    (the fix opens CVE-2026-24842 and CVE-2026-31802)
  - CVE-2026-26960: do not write linkpaths through symlinks
  - CVE-2026-29786: parse root off paths before sanitizing parts

By fixing CVE-2026-23745, it becomes necessary to fix CVE-2026-24842 and
CVE-2026-31802 as well, because the fix introduces the vulnerable code for
these issues:

  - CVE-2026-24842: properly sanitize hard links containing '..'
  - CVE-2026-31802: prevent escaping symlinks with drive-relative paths

[ Impact ]

The issues are currently fixed in Bullseye and in Trixie. Thus, users of
Bookworm are, and users upgrading to Bookworm become, vulnerable to these
issues.

[ Tests ]

All tests are passing.

[ Risks ]

There is the risk of regression. However, tests are passing and the fixes have
been successfully applied and tested in Bullseye and Trixie.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
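The sanitization classes named in the [ Reason ] section above (absolute and drive-relative paths, '..' in hard-link targets, symlink targets that climb out of the extraction directory, and writes through a symlink extracted earlier from the same archive) expressed as a defender-side entry check. This is an added example, not node-tar's code or anything from the bug log; it assumes node-tar's entry type names 'Link' and 'SymbolicLink', and the sample entries in SAMPLE are constructed.

```javascript
// Added defender-side check, not node-tar's code: classifies tar entries against the
// escape classes in the CVE list above. SAMPLE below is constructed for illustration.
const ROOT = /^([A-Za-z]:[\\/]?|[\\/]+)/; // "/", "C:\" and drive-relative "C:foo"
function splitRoot(p) {
  const m = ROOT.exec(p);
  return m ? [m[1], p.slice(m[1].length)] : ['', p];
}
// Path segments without empty or "." parts; ".." is kept for depth accounting.
const segments = p => p.split(/[\\/]+/).filter(s => s && s !== '.');
// Depth after walking `segs` from `start`, or null once it dips below the target dir.
function depthAfter(start, segs) {
  let d = start;
  for (const s of segs) if ((d += s === '..' ? -1 : 1) < 0) return null;
  return d;
}
// Reason to reject `entry`, or null; `symlinks` = symlink paths already created here.
function checkEntry(entry, symlinks = new Set()) {
  const [root, rel] = splitRoot(entry.path);
  if (root) return 'absolute or drive-relative path';
  const segs = segments(rel);
  if (depthAfter(0, segs) === null) return 'path escapes target via ..';
  for (let i = 1; i < segs.length; i++)
    if (symlinks.has(segs.slice(0, i).join('/'))) return 'path goes through an extracted symlink';
  if (entry.type === 'SymbolicLink' || entry.type === 'Link') {
    const [lroot, lrel] = splitRoot(entry.linkpath);
    if (lroot) return 'absolute or drive-relative linkpath';
    // Hard-link targets resolve from the target root, symlink targets from the entry's parent.
    const start = entry.type === 'Link' ? 0 : segs.length - 1;
    if (depthAfter(start, segments(lrel)) === null) return 'linkpath escapes target via ..';
  }
  return null;
}
// Audit an archive's entries in order, remembering each accepted symlink.
function auditEntries(entries) {
  const symlinks = new Set(), rejected = [];
  for (const e of entries) {
    const reason = checkEntry(e, symlinks);
    if (reason) rejected.push([e.path, reason]);
    else if (e.type === 'SymbolicLink') symlinks.add(segments(e.path).join('/'));
  }
  return rejected;
}
const SAMPLE = [ // constructed entries, not from any real archive
  { type: 'File', path: 'pkg/README' },
  { type: 'SymbolicLink', path: 'pkg/lib', linkpath: '../shared' },
  { type: 'File', path: 'pkg/lib/payload' },
  { type: 'Link', path: 'pkg/hl', linkpath: '../../etc/passwd' },
  { type: 'SymbolicLink', path: 'pkg/abs', linkpath: '/etc' },
  { type: 'File', path: 'C:evil.txt' },
];
console.log(auditEntries(SAMPLE)); // four rejections; pkg/README and pkg/lib pass
```

Entries are judged in archive order, so the symlink pkg/lib is accepted on its own but the later file beneath it is refused because it would be written through that symlink.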

#1140683#12
Date:
2026-06-24 14:18:53 UTC
Hi,

Just one comment below:

While this is true from a released version point of view, we never
introduced the issue for bookworm, so from the security-tracker point
of view the not-affected state will not change. But it is good you
mention the little bit more complicated situation here.

Ideally the stable update listing the CVE should not mention those two
CVEs as being fixed, as they were never present in the first place for
bookworm.

Just clarifying how we would track this situation in the
security-tracker.

Regards,
Salvatore

#1140683#17
Date:
2026-06-30 05:51:59 UTC
Control: tags -1 + confirmed

Please go ahead.

Regards,

Adam