Date: Wed, 10 Jul 2013 16:04:14 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
CC: 715325@...s.debian.org
Subject: Re: npm uses predictable temporary filenames when unpacking tarballs

On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
> hi oss-sec folks--
>
> i recently learned that npm, the node.js language-specific package
> manager, created predictable temporary directory names in a
> world-writable filesystem (/tmp) by default when unpacking archives.
>
> It looks like this might leave open a classic symlink race such that one
> user could control the location where another user unpacked packages
> coming from an npm installation.
>
> if the superuser was the one running npm, this might have led to a
> non-privileged user who wins the race getting a privilege escalation as
> well, depending on the contents of the fetched package.
>
> The issue appears to have been fixed upstream today, here:
>
> https://github.com/isaacs/npm/commit/f4d31693
>
> I first learned about the problem during a related bug report
> http://bugs.debian.org/715325 (cc'ed here)

sorry, i should also have mentioned that the upstream bug report is:

https://github.com/isaacs/npm/issues/3635

--dkg