aptinio closed this issue 5 years ago
binwrap is a tool used by package authors, and package authors already have the ability to overwrite arbitrary files on the systems that their package is installed onto. It seems like package authors can avoid the vulnerability by only configuring their package to have binwrap extract trusted tar files. (Though implementing https://github.com/avh4/binwrap/issues/6 would be a good addition in this regard.)
Are there currently any attack vectors that are exploitable here w/r to binwrap?
Also, a PR upgrading tar is welcome.
> Are there currently any attack vectors that are exploitable here w/r to binwrap?

I'm not sure. I just saw in our project that `npm audit` reports binwrap as depending on an older version of tar which has a vulnerability.
> Also, a PR upgrading tar is welcome.

I'd love to, but `npm test` is failing.
https://gist.github.com/aptinio/949fe3cae88acb9d106ec0cc43b59d15
> I'd love to, but `npm test` is failing.

You'll probably need to run the same setup that CI does (https://github.com/avh4/binwrap/blob/master/.travis.yml#L8):

```sh
(cd test_app && npm install ../) # usually only needs to be done once
npm test
```
Thanks for the tip @avh4!
https://npmjs.com/advisories/803