
Please raise tar-stream dependency version #14

Open
gjasny opened this issue Sep 2, 2020 · 3 comments

Comments

@gjasny

gjasny commented Sep 2, 2020

Hello,

Could you please raise the tar-stream dependency to the latest 2.x version to get rid of the vulnerable bl package (CVE-2020-8244)?

A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and <2.2.1 which could allow an attacker to supply user input (even typed) that, if it ends up as the consume() argument and can become negative, corrupts the BufferList state, tricking it into exposing uninitialized memory via regular .slice() calls.

Please also release a new version.

Thanks,
Gregor

@nickharris

nickharris commented Sep 11, 2020

@kevva any eta on being able to update the version of tar-stream dependency and publish the fix to npmjs?

@gjasny

gjasny commented Sep 11, 2020

There was a bl 1.2.3 package published. That should match the used semver.

@nickharris

nickharris commented Sep 11, 2020

ah great yep that solves the immediate issue.
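As an added example (not code from this issue, nor from the bl or tar-stream projects), the following script audits the bl versions resolved in a package-lock style dependency tree against the fixed releases named in this thread: 4.0.3, 3.0.1, 2.2.1, and the 1.2.3 backport that gjasny points out satisfies the older semver range. The lockfile fragment, the package names and the `isVulnerableBl`/`auditLock` helpers are constructed for illustration.

```javascript
// Fixed bl release per major line, per CVE-2020-8244 and the 1.2.3 backport
// discussed in this issue. Majors above 4 post-date the fix entirely.
const BL_FIXED = { 1: [1, 2, 3], 2: [2, 2, 1], 3: [3, 0, 1], 4: [4, 0, 3] };

// Parse "MAJOR.MINOR.PATCH" (leading "v" and any pre-release suffix ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true  -> below the fixed release of its major line (affected)
// false -> at/above the fix, or a major newer than the advisory covers
// null  -> a major line (0.x) this advisory says nothing about
function isVulnerableBl(version) {
  const parsed = parseVersion(version);
  const fixed = BL_FIXED[parsed[0]];
  if (!fixed) return parsed[0] > 4 ? false : null;
  return compareVersions(parsed, fixed) < 0;
}

// Walk a package-lock style tree and report every "bl" entry with the
// dependency path that pulls it in, so the offending parent is visible.
function auditLock(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === 'bl') {
      out.push({ path: here.join(' > '), version: dep.version, vulnerable: isVulnerableBl(dep.version) });
    }
    auditLock(dep, here, out); // nested node_modules
  }
  return out;
}

// Constructed sample: an older tar-stream pinning an affected bl, beside a
// sibling that already resolved the 1.2.3 backport mentioned in the thread.
const SAMPLE_LOCK = {
  dependencies: {
    'tar-stream': { version: '1.6.2', dependencies: { bl: { version: '1.2.2' } } },
    'other-pkg': { version: '0.1.0', dependencies: { bl: { version: '1.2.3' } } },
  },
};

for (const r of auditLock(SAMPLE_LOCK)) console.log(r.vulnerable ? 'AFFECTED' : 'ok', r.path);
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the parsed file; lockfile v1 nests `dependencies` the same way.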
