oss-sec mailing list archives
npm uses predictable temporary filenames when unpacking tarballs
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 10 Jul 2013 16:02:13 -0400
Hi oss-sec folks,

I recently learned that npm, the node.js language-specific package manager, created predictable temporary directory names in a world-writable filesystem (/tmp) by default when unpacking archives. It looks like this might leave open a classic symlink race such that one user could control the location where another user unpacked packages coming from an npm installation. If the superuser was the one running npm, this might have led to a non-privileged user who wins the race getting a privilege escalation as well, depending on the contents of the fetched package.

The issue appears to have been fixed upstream today, here: https://github.com/isaacs/npm/commit/f4d31693

I first learned about the problem during a related bug report, http://bugs.debian.org/715325 (cc'ed here).

If you think this needs a CVE, could you assign one please?

Regards,

--dkg