Security issue on dependency of dependency bl (download->decompress->decompress-tar->tar-stream->bl) - CVE-2020-8244

Question

Security issue on dependency of dependency bl (download->decompress->decompress-tar->tar-stream->bl) - CVE-2020-8244

Rammohanemis opened this issue 4 years ago · 4 comments

CVE-2020-8244
high severity
Vulnerable versions: < 2.2.1
Patched version: 2.2.1
A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and <2.2.1 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

Answer 1 · 2020-09-04T09:28:49.000Z

We are also getting this alert:

sonarqube-scanner@2.7.0
└─┬ download@7.1.0
└─┬ decompress@4.2.1
└─┬ decompress-tar@4.1.1
└─┬ tar-stream@1.6.2
└── bl@1.2.2

Answer 2 · 2020-09-04T09:38:39.000Z

believe this is a duplicate of #82

Answer 3 · 2020-09-04T09:56:17.000Z

believe this is a duplicate of #82

i do not think this is duplicate of #82 issue. That for decompress package vulnerability issue in 4.2.0. Even If we updated decompress package with latest still we will face this issue. Because the fix should come from down the line. bl Package is the dependency of dependency (download->decompress->decompress-tar->tar-stream->bl). In tar-stream Package having fixed version of bl package. so the fix start from decompress-tar Package. already someone raised issue(kevva/decompress-tar#14) regarding this in decompress-tar Repo.

Answer 4 · 2022-09-26T14:54:44.000Z

Hi, this should be fixed with the latest release 2.8.2:
https://github.com/bellingard/sonar-scanner-npm/releases/tag/2.8.2