Date: Wed, 10 Jul 2013 16:04:14 -0400
From: Daniel Kahn Gillmor <>
Subject: Re: npm uses predictable temporary filenames when unpacking tarballs

On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
> hi oss-sec folks--
> i recently learned that npm, the node.js language-specific package
> manager, created predictable temporary directory names in a
> world-writable filesystem (/tmp) by default when unpacking archives.
> It looks like this might leave open a classic symlink race such that one
> user could control the location where another user unpacked packages
> coming from an npm installation.
> if the superuser was the one running npm, this might have led to a
> non-privileged user who wins the race getting a privilege escalation as
> well, depending on the contents of the fetched package.
> The issue appears to have been fixed upstream today, here:
> I first learned about the problem during a related bug report
> (cc'ed here)

sorry, i should also have mentioned that the upstream bug report is:

