[Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jul 8 12:47:23 UTC 2013


On 07/08/2013 08:36 AM, Jérémy Lal wrote:
> I still do not understand if this is really a security issue.
> IMO if a program on your system does that, the whole system is compromised;
> you can't really be hardening any software against it.

What we're talking about is a classic symlink attack.  I haven't tried
to verify it with npm myself, but using predictable tmpfile names in
world-writable directories is the usual gateway to a vulnerability here.

> If you disagree, do you mind if we move this discussion to upstream
> [nodejs] discussion group? We'll probably find some enlightenment there.

I'm not on the upstream nodejs discussion group, but if you want to cc
me on discussion there, I'd be happy to chime in.

	--dkg


