Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <51DDBE3E.5050808@fifthhorseman.net>
Date: Wed, 10 Jul 2013 16:04:14 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
CC: 715325@...s.debian.org
Subject: Re: npm uses predictable temporary filenames when
 unpacking tarballs

On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
> hi oss-sec folks--
> 
> i recently learned that npm, the node.js language-specific package
> manager, created predictable temporary directory names in a
> world-writable filesystem (/tmp) by default when unpacking archives.
> 
> It looks like this might leave open a classic symlink race such that one
> user could control the location where another user unpacked packages
> coming from an npm installation.
> 
> if the superuser was the one running npm, this might have led to a
> non-privileged user who wins the race getting a privilege escalation as
> well, depending on the contents of the fetched package.
> 
> The issue appears to have been fixed upstream today, here:
> 
>   https://github.com/isaacs/npm/commit/f4d31693
> 
> I first learned about the problem during a related a bug report
> http://bugs.debian.org/715325 (cc'ed here)

sorry, i should also have mentioned that the upstream bug report is:

https://github.com/isaacs/npm/issues/3635

	--dkg


Download attachment "signature.asc" of type "application/pgp-signature" (1028 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.