[Pkg-javascript-devel] Bug#715325: [oss-security] npm uses predictable temporary filenames when unpacking tarballs
Kurt Seifried
kseifried at redhat.com
Thu Jul 11 18:05:14 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/10/2013 02:04 PM, Daniel Kahn Gillmor wrote:
> On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
>> hi oss-sec folks--
>>
>> i recently learned that npm, the node.js language-specific
>> package manager, created predictable temporary directory names in
>> a world-writable filesystem (/tmp) by default when unpacking
>> archives.
>>
>> It looks like this might leave open a classic symlink race such
>> that one user could control the location where another user
>> unpacked packages coming from an npm installation.
>>
>> if the superuser was the one running npm, this might have led to
>> a non-privileged user who wins the race getting a privilege
>> escalation as well, depending on the contents of the fetched
>> package.
>>
>> The issue appears to have been fixed upstream today, here:
>>
>> https://github.com/isaacs/npm/commit/f4d31693
>>
>> I first learned about the problem during a related bug report
>> http://bugs.debian.org/715325 (cc'ed here)
>
> sorry, i should also have mentioned that the upstream bug report
> is:
>
> https://github.com/isaacs/npm/issues/3635
>
> --dkg
>
Thanks for the link. Please use CVE-2013-4116 for this issue.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----