avh4 / binwrap

Distribute binaries via npm

Update to tar 4.4.2+ (Tar dependency has a vulnerability) #23

Closed aptinio closed 5 years ago

aptinio commented 5 years ago

https://npmjs.com/advisories/803

avh4 commented 5 years ago

binwrap is a tool used by package authors, and package authors already have the ability to overwrite arbitrary files on the systems that their package is installed onto. It seems like package authors can avoid the vulnerability by only configuring their package to have binwrap extract trusted tar files. (Though implementing https://github.com/avh4/binwrap/issues/6 would be a good addition in this regard.)

Are there currently any attack vectors that are exploitable here w/r to binwrap?

avh4 commented 5 years ago

Also, a PR upgrading tar is welcome.

aptinio commented 5 years ago

Are there currently any attack vectors that are exploitable here w/r to binwrap?

I'm not sure. I just saw in our project that npm audit reports binwrap as depending on an older version of tar which has a vulnerability.

Also, a PR upgrading tar is welcome.

I'd love to, but npm test is failing. https://gist.github.com/aptinio/949fe3cae88acb9d106ec0cc43b59d15

avh4 commented 5 years ago

I'd love to, but npm test is failing.

You'll probably need to run the same setup that CI does https://github.com/avh4/binwrap/blob/master/.travis.yml#L8:

(cd test_app && npm install ../)   # usually only needs to be done once
npm test

aptinio commented 5 years ago

Thanks for the tip @avh4!