
tar vulnerability in latest 0.13.0 release exists

tmitra
Observer

The existing release of signalfx-tracing uses the "tar" package v4, which has the following vulnerability.

tar package versions before 6.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS). When stripping the trailing slash from files arguments, we were using f.replace(/\/+$/, ''), which can get exponentially slow when f contains many / characters. This is "unlikely but theoretically possible" because it requires that the user is passing untrusted input into the tar.extract() or tar.list() array of entries to parse/extract, which would be quite unusual.

As a security-first policy in our organization, we strive to keep updating to the latest fixes for all vulnerable packages. We are currently blocked because we use signalfx-tracing@latest.

We need signalfx-tracing to update to the latest version of tar and release a package with no other breaking changes. Here is more information about the needed tar package:


For more details refer to this GitHub link: https://github.com/signalfx/signalfx-nodejs-tracing/issues/97

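The advisory quoted in the post above names the exact pattern that backtracks. The following is an added example (not code from signalfx-tracing, node-tar or the poster) showing that pattern next to a linear-time replacement that produces identical results; the function names and the sample inputs are constructed here for illustration.

```javascript
// Added example: the trailing-slash stripping regex quoted in the advisory,
// beside a loop-based replacement that cannot backtrack. Function names and
// sample paths are constructed for this example.

// The regex form from the advisory: /\/+$/ . For an input made of many '/'
// characters followed by a non-slash character, the engine attempts \/+ from
// every start position and backtracks each time $ fails, so the work grows
// superlinearly with the number of slashes. Kept here only for comparison.
function stripTrailingSlashesRegex(f) {
  return f.replace(/\/+$/, '');
}

// Linear replacement: walk back from the end while the character is '/'.
// Each character is inspected at most once, so cost is O(length) regardless
// of how the input is shaped.
function stripTrailingSlashesLinear(f) {
  let end = f.length;
  while (end > 0 && f.charAt(end - 1) === '/') end--;
  return f.slice(0, end);
}

// Constructed inputs covering the edge cases: empty string, only slashes,
// no trailing slash, one or several trailing slashes, and a long run of
// slashes that does not end the string.
const SAMPLE_PATHS = [
  '',
  '/',
  'a',
  'a/',
  'a//',
  '///',
  'dir/sub///',
  'a/b/c',
  '/'.repeat(50) + 'x',
];

// Returns true when both implementations agree on every sample, i.e. the
// hardened version is a drop-in replacement for the regex.
function agreeOnSamples() {
  return SAMPLE_PATHS.every(
    (p) => stripTrailingSlashesRegex(p) === stripTrailingSlashesLinear(p)
  );
}

console.log('implementations agree on all samples:', agreeOnSamples());
```

The point for a dependency consumer is that the fix is a behaviour-preserving change, so moving to a tar release at or above 6.1.4 is low risk; `npm ls tar` shows which version a project actually resolves, including transitively through packages such as signalfx-tracing.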

richgalloway
SplunkTrust

Thank you for sharing this, but the community can help with such a problem. Open a support request or go to https://ideas.splunk.com to ask for a fix.

---
If this reply helps you, Karma would be appreciated.