Description
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if the tar file was changed on disk to a smaller size while it was being read. This vulnerability is fixed in 7.5.2.
Packages
| Package | Status | Fix version | Release | Type |
|---|---|---|---|---|
| node-tar | not-affected | | | package |
Notes
https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph
https://github.com/isaacs/node-tar/pull/446
Introduced with: https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d (v7.5.1)
Fixed by: https://github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9 (v7.5.2)
EPSS
Related vulnerabilities
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
node-tar has a race condition leading to uninitialized memory exposure