Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 11 Jul 2013 12:05:14 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Daniel Kahn Gillmor <dkg@...thhorseman.net>, 715325@...s.debian.org
Subject: Re: npm uses predictable temporary filenames when
 unpacking tarballs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/10/2013 02:04 PM, Daniel Kahn Gillmor wrote:
> On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
>> hi oss-sec folks--
>> 
>> i recently learned that npm, the node.js language-specific
>> package manager, created predictable temporary directory names in
>> a world-writable filesystem (/tmp) by default when unpacking
>> archives.
>> 
>> It looks like this might leave open a classic symlink race such
>> that one user could control the location where another user
>> unpacked packages coming from an npm installation.
>> 
>> if the superuser was the one running npm, this might have led to
>> a non-privileged user who wins the race getting a privilege
>> escalation as well, depending on the contents of the fetched
>> package.
>> 
>> The issue appears to have been fixed upstream today, here:
>> 
>> https://github.com/isaacs/npm/commit/f4d31693
>> 
>> I first learned about the problem during a related a bug report 
>> http://bugs.debian.org/715325 (cc'ed here)
> 
> sorry, i should also have mentioned that the upstream bug report
> is:
> 
> https://github.com/isaacs/npm/issues/3635
> 
> --dkg
> 

Thanks for the link. Please use CVE-2013-4116 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR3vPaAAoJEBYNRVNeJnmT8ZwQAJS140zo7n/dDJnJgpwThcW1
M0INoGUbHuOFYNbeNVG2/k72BxA7vpYCTvdmQBtDaA5hdVl6qWVJMC3IgwlX8Lfk
VD3QmOGL4vQNtTYpiT1lugF30NG+Kd2aIVwvCtnqFKgJ4URBisfLjyQjaBldD16+
Jun+64OVNAxHd5xJLIRQ4q8CXOMUA1rnIsIYCcjCEcoRJkmKGelllrsUe/GgyF0X
lFa9UmGAsCTUBsXO/iCl3ES9pEtYDlAqltmgvRjuT6wQrtz7rX9I5yKqo6Nt+Pcv
d4y6bj+h/qlktPT5lHQ2UacI06OgGjl6u7dubDJv7QGkfmJ0Q2DW95mhlQndlG+Z
yNj/k/YIBcRPXhIIqAnEMfWzBNk8RxxAfXxFE3+x2+X2xcnNnC+RW2djATAYmJRF
JBjzbDQ0aYa+3Le1H1jx76a5+aCir6jcB0d7iPkRIjRzxZ8+iw48I799CoC5pUPQ
w/QUc/OSLTwa9mqPs/t8KBdltmGzmB7RmN5x2it2ub2aWLHvpZi+tAO/1s9jlUh2
NuXF7k0U6nHTI1k8kQkyTrTycrLONiMdEk2ec/4ly1KL01E9cDX2fC5ZTPBvg99U
/iFW97bPmQbzoszGOe63DKgemXVYix0FxxYKjb6bb4u+PeU52wV5zJvSyonBGNCW
5OfzVu/yC6SJAMzzdbKl
=1P+S
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ