Date: Thu, 11 Jul 2013 12:05:14 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Daniel Kahn Gillmor <dkg@...thhorseman.net>, 715325@...s.debian.org Subject: Re: npm uses predictable temporary filenames when unpacking tarballs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/10/2013 02:04 PM, Daniel Kahn Gillmor wrote: > On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote: >> hi oss-sec folks-- >> >> i recently learned that npm, the node.js language-specific >> package manager, created predictable temporary directory names in >> a world-writable filesystem (/tmp) by default when unpacking >> archives. >> >> It looks like this might leave open a classic symlink race such >> that one user could control the location where another user >> unpacked packages coming from an npm installation. >> >> if the superuser was the one running npm, this might have led to >> a non-privileged user who wins the race getting a privilege >> escalation as well, depending on the contents of the fetched >> package. >> >> The issue appears to have been fixed upstream today, here: >> >> https://github.com/isaacs/npm/commit/f4d31693 >> >> I first learned about the problem during a related a bug report >> http://bugs.debian.org/715325 (cc'ed here) > > sorry, i should also have mentioned that the upstream bug report > is: > > https://github.com/isaacs/npm/issues/3635 > > --dkg > Thanks for the link. Please use CVE-2013-4116 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJR3vPaAAoJEBYNRVNeJnmT8ZwQAJS140zo7n/dDJnJgpwThcW1 M0INoGUbHuOFYNbeNVG2/k72BxA7vpYCTvdmQBtDaA5hdVl6qWVJMC3IgwlX8Lfk VD3QmOGL4vQNtTYpiT1lugF30NG+Kd2aIVwvCtnqFKgJ4URBisfLjyQjaBldD16+ Jun+64OVNAxHd5xJLIRQ4q8CXOMUA1rnIsIYCcjCEcoRJkmKGelllrsUe/GgyF0X lFa9UmGAsCTUBsXO/iCl3ES9pEtYDlAqltmgvRjuT6wQrtz7rX9I5yKqo6Nt+Pcv d4y6bj+h/qlktPT5lHQ2UacI06OgGjl6u7dubDJv7QGkfmJ0Q2DW95mhlQndlG+Z yNj/k/YIBcRPXhIIqAnEMfWzBNk8RxxAfXxFE3+x2+X2xcnNnC+RW2djATAYmJRF JBjzbDQ0aYa+3Le1H1jx76a5+aCir6jcB0d7iPkRIjRzxZ8+iw48I799CoC5pUPQ w/QUc/OSLTwa9mqPs/t8KBdltmGzmB7RmN5x2it2ub2aWLHvpZi+tAO/1s9jlUh2 NuXF7k0U6nHTI1k8kQkyTrTycrLONiMdEk2ec/4ly1KL01E9cDX2fC5ZTPBvg99U /iFW97bPmQbzoszGOe63DKgemXVYix0FxxYKjb6bb4u+PeU52wV5zJvSyonBGNCW 5OfzVu/yC6SJAMzzdbKl =1P+S -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ