Package: node-tar-fs / 3.0.9+~cs2.0.4-2

Metadata

Package: node-tar-fs
Version: 3.0.9+~cs2.0.4-2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
keep test with tape.patch

test/index.js | 118 51 + 67 - 0 !
1 file changed, 51 insertions(+), 67 deletions(-)

 keep test with tape
CVE 2025 59343.patch

index.js | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 expand check
 tar-fs provides filesystem bindings for tar-stream. Versions prior
 to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation
 bypass if the destination directory is predictable with a specific
 tarball. This issue has been patched in version 3.1.1, 2.1.4, and
 1.16.6. A workaround involves using the ignore option on non
 files/directories.