node-tar: Fix 6 CVE vulnerabilities (6 HIGH)#4

Open
deepin-ci-robot wants to merge 1 commit into master from fix/node-tar-cve-batch-20260417

Conversation

@deepin-ci-robot
Contributor

Security Update

This PR fixes 6 HIGH-severity CVE vulnerabilities in node-tar:

CVEs Fixed

  • CVE-2026-23745: Insufficient Link Path Sanitization (HIGH)
  • CVE-2026-23950: Race Condition in node-tar Path Reservations (HIGH)
  • CVE-2026-29786: Hardlink Path Traversal via Drive-Relative Linkpath (HIGH)
  • CVE-2026-26960: Arbitrary File Read/Write via Hardlink Target Escape (HIGH)
  • CVE-2026-24842: Arbitrary File Read/Overwrite via Hardlink Path Traversal (HIGH)
  • CVE-2026-31802: Symlink Path Traversal via Drive-Relative Linkpath (HIGH)

Changes

  • Added 6 CVE patches from Debian Salsa
  • Updated debian/patches/series
  • Updated debian/changelog
  • Adapted to chownr 3 (named exports)

Patches Source

Upstream

Testing

  • Build verification recommended
  • All patches apply cleanly without offset/fuzz

Generated-By: uos/glm-5.1
Co-Authored-By: hudeng <hudeng@deepin.org>

Fix the following security vulnerabilities:
- CVE-2026-23745: Insufficient Link Path Sanitization (HIGH)
- CVE-2026-23950: Race Condition in node-tar Path Reservations (HIGH)
- CVE-2026-29786: Hardlink Path Traversal via Drive-Relative Linkpath (HIGH)
- CVE-2026-26960: Arbitrary File Read/Write via Hardlink Target Escape (HIGH)
- CVE-2026-24842: Arbitrary File Read/Overwrite via Hardlink Path Traversal (HIGH)
- CVE-2026-31802: Symlink Path Traversal via Drive-Relative Linkpath (HIGH)

Patches imported from Debian Salsa:
- https://salsa.debian.org/js-team/node-tar

Also includes:
- Adapt to chownr 3 (named exports)
- api-backward-compatibility patch

Upstream: https://github.com/isaacs/node-tar

Generated-By: uos/glm-5.1
Co-Authored-By: hudeng <hudeng@deepin.org>
@deepin-ci-robot deepin-ci-robot requested a review from myml April 16, 2026 18:26
@deepin-ci-robot
Contributor Author

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xzl01 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

TAG Bot

TAG: 6.2.1+_cs7.0.8-1deepin1
EXISTED: no
DISTRIBUTION: unstable
