[Pkg-javascript-devel] Bug#715325: [oss-security] npm uses predictable temporary filenames when unpacking tarballs
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jul 10 20:04:14 UTC 2013
On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
> hi oss-sec folks--
>
> i recently learned that npm, the node.js language-specific package
> manager, created predictable temporary directory names in a
> world-writable filesystem (/tmp) by default when unpacking archives.
>
> It looks like this might leave open a classic symlink race such that one
> user could control the location where another user unpacked packages
> coming from an npm installation.
>
> if the superuser was the one running npm, this might have led to a
> non-privileged user who wins the race getting a privilege escalation as
> well, depending on the contents of the fetched package.
>
> The issue appears to have been fixed upstream today, here:
>
> https://github.com/isaacs/npm/commit/f4d31693
>
> I first learned about the problem during a related bug report
> http://bugs.debian.org/715325 (cc'ed here)
sorry, i should also have mentioned that the upstream bug report is:
https://github.com/isaacs/npm/issues/3635
--dkg