[Pkg-javascript-devel] Bug#715325: npm uses predictable temporary filenames when unpacking tarballs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jul 10 20:02:13 UTC 2013


hi oss-sec folks--

i recently learned that npm, the node.js language-specific package
manager, created predictable temporary directory names in a
world-writable filesystem (/tmp) by default when unpacking archives.

It looks like this might leave open a classic symlink race such that one
user could control the location where another user unpacked packages
coming from an npm installation.

if the superuser was the one running npm, this might have led to a
non-privileged user who wins the race getting a privilege escalation as
well, depending on the contents of the fetched package.

The issue appears to have been fixed upstream today, here:

  https://github.com/isaacs/npm/commit/f4d31693

I first learned about the problem during a related bug report,
http://bugs.debian.org/715325 (cc'ed here).

If you think this needs a CVE, could you assign one please?

Regards,

	--dkg

