[security][HIGH] tar 1.35: 10 CVE require triage #1

New issue

Closed

opened 2026-05-25 20:44:34 +03:00 by sbelikov · 1 comment

sbelikov commented 2026-05-25 20:44:34 +03:00

Owner

Copy link

CVE triage request / Запрос на разбор CVE

Package / Пакет

• Package: tar
• Version: 1.35
• EVR: 1.35-1
• Category: -
• Policy class: -
• NiceOS policy class: -
• Owner: -
• Severity: HIGH
• Max CVSS: 8.6
• CVE count: 10
• Included NiceOS statuses: needs_triage
• Included match types: cpe-range

LLM recommendation / Рекомендация LLM

RU

Для пакета tar 1.35 найдены CVE-кандидаты по данным NVD/CPE: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for tar 1.35: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE	Severity	CVSS	Match	Confidence	NiceOS status	Fixed in	Existing issue	Reason
CVE-2021-37701	HIGH	8.6	cpe-range	80	needs_triage			package version is inside version range
CVE-2021-37712	HIGH	8.6	cpe-range	80	needs_triage			package version is inside version range
CVE-2021-37713	HIGH	8.6	cpe-range	80	needs_triage			package version is inside version range
CVE-2026-23745	HIGH	8.2	cpe-range	80	needs_triage			package version is inside version range
CVE-2026-24842	HIGH	8.2	cpe-range	80	needs_triage			package version is inside version range
CVE-2026-29786	HIGH	8.2	cpe-range	80	needs_triage			package version is inside version range
CVE-2026-31802	HIGH	8.2	cpe-range	80	needs_triage			package version is inside version range
CVE-2021-32803	HIGH	8.1	cpe-range	80	needs_triage			package version is inside version range
CVE-2021-32804	HIGH	8.1	cpe-range	80	needs_triage			package version is inside version range
CVE-2026-26960	HIGH	7.1	cpe-range	80	needs_triage			package version is inside version range

Descriptions

CVE-2021-37701

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, follo
...[truncated]

CVE-2021-37712

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subseque
...[truncated]

CVE-2021-37713

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar ha
...[truncated]

CVE-2026-23745

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

CVE-2026-24842

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

CVE-2026-29786

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.

CVE-2026-31802

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

CVE-2021-32803

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

CVE-2021-32804

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

CVE-2026-26960

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

Scanner integration / Интеграция со сканером

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
After real creation, this script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

• Verify whether each CVE applies to the NiceOS build.
• Compare NVD data with upstream/vendor advisory.
• Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
• If affected, decide update/backport strategy according to package policy class.
• Run package-class-specific build, upgrade and regression tests.
• Add/update niceos_cve_triage entry.
• Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2021-32803",
    "CVE-2021-32804",
    "CVE-2021-37701",
    "CVE-2021-37712",
    "CVE-2021-37713",
    "CVE-2026-23745",
    "CVE-2026-24842",
    "CVE-2026-26960",
    "CVE-2026-29786",
    "CVE-2026-31802"
  ],
  "fingerprint": "596b6d2b373ab35e55d2",
  "generated_at": "2026-05-25T17:44:33Z",
  "match_ids": [
    1774,
    1776,
    1777,
    1778,
    1779,
    1780,
    1781,
    1782,
    1783,
    1784
  ],
  "match_types": [
    "cpe-range"
  ],
  "package": "tar",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "1.35"
}

<!-- niceos-cve-fingerprint: 596b6d2b373ab35e55d2 --> <!-- niceos-cve-package: tar --> <!-- niceos-cve-cves: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802 --> <!-- niceos-cve-source: niceos_cve_scan_packages_auto_cpe --> # CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `tar` - Version: `1.35` - EVR: `1.35-1` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `HIGH` - Max CVSS: `8.6` - CVE count: `10` - Included NiceOS statuses: `needs_triage` - Included match types: `cpe-range` ## LLM recommendation / Рекомендация LLM ### RU Для пакета tar 1.35 найдены CVE-кандидаты по данным NVD/CPE: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for tar 1.35: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason | |---|---|---:|---|---:|---|---|---|---| | CVE-2021-37701 | HIGH | 8.6 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2021-37712 | HIGH | 8.6 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2021-37713 | HIGH | 8.6 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2026-23745 | HIGH | 8.2 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2026-24842 | HIGH | 8.2 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2026-29786 | HIGH | 8.2 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2026-31802 | HIGH | 8.2 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2021-32803 | HIGH | 8.1 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2021-32804 | HIGH | 8.1 | cpe-range | 80 | needs_triage | | | package version is inside version range | | CVE-2026-26960 | HIGH | 7.1 | cpe-range | 80 | needs_triage | | | package version is inside version range | ## Descriptions ### CVE-2021-37701 The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, follo ...[truncated] ### CVE-2021-37712 The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subseque ...[truncated] ### CVE-2021-37713 The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar ha ...[truncated] ### CVE-2026-23745 node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. ### CVE-2026-24842 node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue. ### CVE-2026-29786 node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. ### CVE-2026-31802 node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11. ### CVE-2021-32803 The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2. ### CVE-2021-32804 The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar. ### CVE-2026-26960 node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8. ## Scanner integration / Интеграция со сканером This issue was generated from `niceos_cve_matches` after the SPEC/Forgejo evidence pass. After real creation, this script writes `forgejo_issue_open` rows into `niceos_cve_evidence` and marks the selected CVE rows as `issue_open`, so the next scanner/creator run does not duplicate the issue. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2021-32803", "CVE-2021-32804", "CVE-2021-37701", "CVE-2021-37712", "CVE-2021-37713", "CVE-2026-23745", "CVE-2026-24842", "CVE-2026-26960", "CVE-2026-29786", "CVE-2026-31802" ], "fingerprint": "596b6d2b373ab35e55d2", "generated_at": "2026-05-25T17:44:33Z", "match_ids": [ 1774, 1776, 1777, 1778, 1779, 1780, 1781, 1782, 1783, 1784 ], "match_types": [ "cpe-range" ], "package": "tar", "prompt_version": "niceos_cve_issue_analysis_v2", "statuses": [ "needs_triage" ], "tool": "niceos_cve_create_issues.py", "tool_version": "2.0", "version": "1.35" } ```

sbelikov added the

security

cve

source-nvd

source-niceos-scan

severity-high

needs-triage

match-cpe-range

auto-analysis

labels 2026-05-25 20:44:34 +03:00

sbelikov commented 2026-05-26 14:52:27 +03:00

Author

Owner

Copy link

CVE resolution / Закрытие CVE

EN

Resolved in NiceOS branch niceos-5.2.
Status: not_affected.
Fixed in EVR: 1.35-1.
CVE: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802.
Source: SPECS/tar.spec.

RU

Исправлено в ветке НАЙС.ОС niceos-5.2.
Статус: not_affected.
Исправлено в EVR: 1.35-1.
CVE: CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802.
Источник: SPECS/tar.spec.

## CVE resolution / Закрытие CVE ### EN Resolved in NiceOS branch `niceos-5.2`. Status: `not_affected`. Fixed in EVR: `1.35-1`. CVE: `CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802`. Source: `SPECS/tar.spec`. ### RU Исправлено в ветке НАЙС.ОС `niceos-5.2`. Статус: `not_affected`. Исправлено в EVR: `1.35-1`. CVE: `CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712, CVE-2021-37713, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802`. Источник: `SPECS/tar.spec`. <!-- niceos-cve-resolution: { "status": "not_affected", "fixed_in_evr": "1.35-1", "cves": [ "CVE-2021-32803", "CVE-2021-32804", "CVE-2021-37701", "CVE-2021-37712", "CVE-2021-37713", "CVE-2026-23745", "CVE-2026-24842", "CVE-2026-26960", "CVE-2026-29786", "CVE-2026-31802" ], "source": "SPECS/tar.spec", "branch": "niceos-5.2" } -->

sbelikov closed this issue 2026-05-26 14:52:27 +03:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

niceos-5.2

No results found.

Labels

Clear labels   

auto-analysis

Created by niceos_cve_create_issues.py

  

cve

Created by niceos_cve_create_issues.py

  

match-cpe-range

Created by niceos_cve_create_issues.py

  

needs-triage

Created by niceos_cve_create_issues.py

  

security

Created by niceos_cve_create_issues.py

  

severity-high

Created by niceos_cve_create_issues.py

  

source-niceos-scan

Created by niceos_cve_create_issues.py

  

source-nvd

Created by niceos_cve_create_issues.py

No labels

auto-analysis

cve

match-cpe-range

needs-triage

security

severity-high

source-niceos-scan

source-nvd

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

rpms/tar#1

No description provided.