Arbitrary File Overwrite in tar - adblock #4075

Closed
jumde opened this issue Apr 11, 2019 · 2 comments · Fixed by #4084 or brave/sync#298

Comments

@jumde
Contributor

jumde commented Apr 11, 2019

┌──────────────────────────────────────────────────────────────────────────────┐
14:13:53  │                                Manual Review                                 │
14:13:53  │            Some vulnerabilities require your attention to resolve            │
14:13:53  │                                                                              │
14:13:53  │         Visit https://go.npm.me/audit-guide for additional guidance          │
14:13:53  └──────────────────────────────────────────────────────────────────────────────┘
14:13:53  ┌───────────────┬──────────────────────────────────────────────────────────────┐
14:13:53  │ High          │ Arbitrary File Overwrite                                     │
14:13:53  ├───────────────┼──────────────────────────────────────────────────────────────┤
14:13:53  │ Package       │ tar                                                          │
14:13:53  ├───────────────┼──────────────────────────────────────────────────────────────┤
14:13:53  │ Patched in    │ >=4.4.2                                                      │
14:13:53  ├───────────────┼──────────────────────────────────────────────────────────────┤
14:13:53  │ Dependency of │ node-gyp [dev]                                               │
14:13:53  ├───────────────┼──────────────────────────────────────────────────────────────┤
14:13:53  │ Path          │ node-gyp > tar                                               │
14:13:53  ├───────────────┼──────────────────────────────────────────────────────────────┤
14:13:53  │ More info     │ https://npmjs.com/advisories/803                             │
14:13:53  └───────────────┴──────────────────────────────────────────────────────────────┘
14:13:53  found 1 high severity vulnerability in 631 scanned packages
14:13:53    1 vulnerability requires manual review. See the full report for details.
@jumde jumde added the security label Apr 11, 2019
@bsclifton
Member

Temporary fix created here: brave-experiments/ad-block#206
More permanent (when available) fix available here: brave-experiments/ad-block#207

@bsclifton bsclifton self-assigned this Apr 12, 2019
bsclifton added a commit to brave/brave-core that referenced this issue Apr 12, 2019
@bsclifton bsclifton changed the title from "Arbitray File Overwrite in tar - adblock" to "Arbitrary File Overwrite in tar - adblock" Apr 12, 2019
@bsclifton bsclifton added this to the 0.65.x - Nightly milestone Apr 12, 2019
@rebron
Collaborator

rebron commented Apr 12, 2019

Closing. Fixed.

@rebron rebron closed this as completed Apr 12, 2019
bsclifton added a commit that referenced this issue Apr 12, 2019
…lders which are not actively using node.js (ex: they may use node, but only for tests, etc)

Fixes #4075
bsclifton added a commit to brave/sync that referenced this issue Apr 12, 2019
bsclifton added a commit to brave/sync that referenced this issue Apr 13, 2019
petemill pushed a commit to brave/brave-core that referenced this issue Jul 27, 2020
…lders which are not actively using node.js (ex: they may use node, but only for tests, etc)

Fixes brave/brave-browser#4075
petemill pushed a commit to brave/brave-core that referenced this issue Jul 28, 2020
…lders which are not actively using node.js (ex: they may use node, but only for tests, etc)

Fixes brave/brave-browser#4075