Bug 2098556 (CVE-2022-29244)

Summary: CVE-2022-29244 nodejs: npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: hhorak, jhouska, jorton, jstanek, mrunge, nodejs-maint, nodejs-sig, sgallagh, thrcka, zsvetlik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Node.js 16.15.1, Node.js 17.9.1, Node.js 18.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in npm. npm pack ignores root-level ".gitignore" and ".npmignore" file exclusion directives when run in a workspace or with a workspace flag (for example, --workspaces, --workspace=<name>). Anyone who has run 'npm pack' or 'npm publish' inside a workspace may have published files into the npm registry they did not intend to include. Because the registry is publicly readable, this flaw can expose sensitive information (credentials, keys, local configuration) to an unauthorized user or an attacker.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-28 12:55:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2098559, 2098560, 2098561, 2098563, 2098564, 2098565, 2098566, 2098567, 2098568, 2104752, 2104753, 2104754, 2104755, 2104756, 2124939
Bug Blocks: 2098557

Description Avinash Hanwate 2022-06-20 05:54:05 UTC
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0; run `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.

https://github.com/nodejs/node/pull/43210
https://github.com/nodejs/node/releases/tag/v18.3.0
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/npm/npm-packlist
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/cli/releases/tag/v8.11.0
https://github.com/nodejs/node/releases/tag/v16.15.1
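The practical question for anyone who ran `npm pack` or `npm publish` from a workspace on an affected npm is which files actually ended up in the tarball. The script below is an added example, not npm's, libnpmpack's or Red Hat's code: it takes the file list that `npm pack --dry-run --json --workspace=<name>` prints for a workspace package and reports every entry that the repository's root-level .npmignore (or .gitignore) should have excluded. Both the ignore file and the pack file list are constructed samples. The matcher implements only a subset of gitignore syntax (comments, blank lines, `!` negation, trailing `/` for directory rules, `*`/`?` globs, and `/` anchoring) with git's last-matching-rule-wins semantics; that subset is an assumption of this example, not a claim about how npm-packlist evaluates patterns.

```javascript
// Added example (not npm's or Red Hat's code): flag entries of an
// `npm pack --dry-run --json` file list that the repository's root-level
// .npmignore would have excluded. An affected npm silently ships such files
// when packing a workspace; this check lets CI catch them before publish.
//
// Assumption: the matcher supports only a subset of gitignore syntax
// (comments, `!` negation, trailing `/` directory rules, `*`/`?` globs,
// `/` anchoring), with git's "last matching rule wins" behaviour.

// Constructed sample: a monorepo's root-level .npmignore.
const ROOT_NPMIGNORE = `
# local secrets and credentials
.env
*.pem
secrets/
# build noise, but keep the audit log
*.log
!important.log
`;

// Constructed sample: the "files" array of one package entry as printed by
// `npm pack --dry-run --json`. Paths are relative to the workspace package.
const SAMPLE_PACK_FILES = [
  { path: "package.json", size: 312, mode: 420 },
  { path: "index.js", size: 1024, mode: 420 },
  { path: ".env", size: 80, mode: 420 },
  { path: "secrets/service-account.json", size: 2048, mode: 420 },
  { path: "certs/server.pem", size: 1600, mode: 420 },
  { path: "debug.log", size: 70, mode: 420 },
  { path: "important.log", size: 70, mode: 420 },
];

// Translate one gitignore-style glob into an anchored regular expression.
// `*` and `?` never cross a path separator; everything else is literal.
function globToRegex(glob) {
  let re = "";
  for (const ch of glob) {
    if (ch === "*") re += "[^/]*";
    else if (ch === "?") re += "[^/]";
    else re += ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

// Parse ignore-file text into an ordered list of rules.
function parseIgnoreFile(text) {
  const rules = [];
  for (const rawLine of text.split("\n")) {
    let line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const negate = line.startsWith("!");
    if (negate) line = line.slice(1);
    const dirOnly = line.endsWith("/");
    if (dirOnly) line = line.slice(0, -1);
    // A slash anywhere in the pattern anchors it to the package root;
    // otherwise it matches a single path component at any depth.
    let anchored = false;
    if (line.startsWith("/")) {
      anchored = true;
      line = line.slice(1);
    }
    if (line.includes("/")) anchored = true;
    rules.push({ pattern: rawLine.trim(), negate, dirOnly, anchored, regex: globToRegex(line) });
  }
  return rules;
}

// Does one rule match a file path? Directory-only rules may match any
// directory component but never the final file name; anchored rules are
// compared against root-relative prefixes, unanchored ones against each
// path component.
function ruleMatches(rule, filePath) {
  const parts = filePath.split("/");
  const limit = rule.dirOnly ? parts.length - 1 : parts.length;
  for (let i = 0; i < limit; i++) {
    const candidate = rule.anchored ? parts.slice(0, i + 1).join("/") : parts[i];
    if (rule.regex.test(candidate)) return true;
  }
  return false;
}

// Git semantics: the last rule that matches decides; a `!` rule re-includes.
function isIgnored(rules, filePath) {
  let ignored = false;
  for (const rule of rules) {
    if (ruleMatches(rule, filePath)) ignored = !rule.negate;
  }
  return ignored;
}

// Paths from a pack file list that the ignore file should have excluded.
function findLeakedFiles(packFiles, ignoreText) {
  const rules = parseIgnoreFile(ignoreText);
  return packFiles.map((f) => f.path).filter((p) => isIgnored(rules, p));
}

const leakedInSample = findLeakedFiles(SAMPLE_PACK_FILES, ROOT_NPMIGNORE);
if (leakedInSample.length === 0) {
  console.log("tarball contains no root-ignored files");
} else {
  console.log("files the root .npmignore should have excluded:");
  for (const p of leakedInSample) console.log("  " + p);
}
```

In a real pipeline, replace the constructed sample with the `files` array of each element of `npm pack --dry-run --json --workspace=<name>` and the text of the repository's root .npmignore (or .gitignore when no .npmignore exists). On an affected npm the report lists the files that would have been published; after upgrading to npm 8.11.0 (or one of the Node.js versions above that bundle it) the same run should report nothing, which is a cheap regression check to keep in CI for monorepos that publish from workspaces.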

Comment 1 Avinash Hanwate 2022-06-20 06:03:27 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2098559]
Affects: fedora-all [bug 2098563]

Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098564]

Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2098560]

Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098565]

Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098566]

Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2098561]

Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098567]

Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2098568]

Comment 5 errata-xmlrpc 2022-09-20 12:24:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595

Comment 7 Product Security DevOps Team 2022-11-28 12:55:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29244