kevva / decompress-tar

tar plugin for decompress
MIT License

Please raise tar-stream dependency version #14

Open gjasny opened 4 years ago

gjasny commented 4 years ago

Hello,

could you please raise the tar-stream dependency to the latest 2.x version to get rid of the vulnerable bl package (CVE-2020-8244).

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and <2.2.1 which could allow an attacker to supply user input (even typed) that, if it ends up in the consume() argument and can become negative, can corrupt the BufferList state, tricking it into exposing uninitialized memory via regular .slice() calls.

Please also release a new version.

Thanks, Gregor

nickharris commented 4 years ago

@kevva any ETA on being able to update the version of the tar-stream dependency and publish the fix to npmjs?

gjasny commented 4 years ago

There was a bl 1.2.3 package published. That should match the used semver.

nickharris commented 4 years ago

Ah great, yep, that solves the immediate issue.
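The practical question for anyone depending on decompress-tar is whether a vulnerable bl still sits somewhere in their lockfile, possibly nested under tar-stream rather than hoisted to the top. The script below is an added example, not code from the decompress-tar project or from anyone in this thread: it walks a lockfileVersion-1 style package-lock.json tree and reports every bl copy below the fixed versions from the advisory quoted above (4.0.3, 3.0.1, 2.2.1) and the 1.2.3 backport mentioned later in the thread. The sample lockfile fragment and its versions are constructed for illustration.

```javascript
// Added example (not from the decompress-tar project): walk a package-lock.json
// dependency tree and flag bl versions affected by CVE-2020-8244. Fixed versions:
// 4.0.3, 3.0.1, 2.2.1 (from the advisory quoted in the issue) and 1.2.3 (the
// backport release mentioned later in the thread).
const FIXED_BL = { 4: '4.0.3', 3: '3.0.1', 2: '2.2.1', 1: '1.2.3' };

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A bl release is vulnerable if it is below the fix for its own major line.
function isVulnerableBl(version) {
  const v = parseVersion(version);
  if (!v) return false;            // unparseable (e.g. a git URL): not assessable here
  const fixed = FIXED_BL[v[0]];
  if (!fixed) return false;        // major line not listed in the advisory
  return compareVersions(v, parseVersion(fixed)) < 0;
}

// Recurse through lockfileVersion-1 style nested "dependencies" objects and
// return a "parent@v > child@v > bl@x.y.z" path for every vulnerable copy.
function findVulnerableBl(node, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'bl' && isVulnerableBl(info.version)) hits.push(here.join(' > '));
    hits.push(...findVulnerableBl(info, here));
  }
  return hits;
}

// Constructed sample lockfile fragment (versions chosen for illustration only):
// a hoisted, patched bl and an older, nested copy pulled in via tar-stream.
const SAMPLE_LOCK = { dependencies: {
  bl: { version: '4.0.3' },
  'decompress-tar': { version: '4.1.1', dependencies: {
    'tar-stream': { version: '1.6.2', dependencies: { bl: { version: '1.2.2' } } },
  } },
} };
console.log(findVulnerableBl(SAMPLE_LOCK));
// → [ 'decompress-tar@4.1.1 > tar-stream@1.6.2 > bl@1.2.2' ]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a hoisted, patched bl at the top level does not clear a nested older copy, which is exactly the case the output path makes visible.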