CVE-2020-12265, There is no fixed version for decompress-tar, how to prove there is no issure for decompress-4.2.1? #98

waltbest2 · 2022-05-16T07:37:39Z

There is no fixed version for decompress-tar, and how to prove there is no issure for decompress-4.2.1?

MikeNitsenko · 2022-06-07T20:11:29Z

@waltbest2 did you find a solution for this?
Thanks!

jeremymeng · 2023-04-17T17:11:19Z

any updates/recommendations?

efojs · 2024-06-03T23:56:44Z

AWS Inspector reports that decompress-tar is vulnerable (linking to https://nvd.nist.gov/vuln/detail/CVE-2020-12265) — was/is the issue in decompress or in decompress-tar?

upd:
looks like in compress (according to fix), so decompress-tar looks false-positive

efojs · 2024-06-04T00:10:19Z

There is no fixed version for decompress-tar

decompress-tar is decompress' dependency, it extracts files, but issue was in paths :

package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system,

how to prove there is no issure for decompress-4.2.1

There are tests in the PR with fix, didn't dive into them, but checking tests can be the way to start.

Provide feedback