Bug 983917 (CVE-2013-4116)

Summary: CVE-2013-4116 npm: Insecure temporary directory generation
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bgollahe, drieden, jamielinux, tchollingsworth, thrcka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20130708,reported=20130710,source=oss-security,cvss2=1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N,rhscl-1/nodejs010-npm=affected,fedora-all/npm=affected,epel-6/npm=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-23 11:00:09 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 983918, 983919, 983930    
Bug Blocks:    

Description Jan Lieskovsky 2013-07-12 05:34:15 EDT
An insecure temporary directory generation / use flaw was found in the way NPM, Node.js Package Manager, used to generate location of the temporary folder to be used for tarballs expansion. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability to overwrite arbitrary system file reachable with the privileges of the user performing the NPM archive expansion.

References:
[1] http://www.openwall.com/lists/oss-security/2013/07/10/17
[2] http://www.openwall.com/lists/oss-security/2013/07/10/18
[3] http://www.openwall.com/lists/oss-security/2013/07/11/9

Upstream bug report:
[4] https://github.com/isaacs/npm/issues/3635

Relevant upstream patch:
[5] https://github.com/isaacs/npm/commit/f4d31693
Comment 1 Jan Lieskovsky 2013-07-12 05:37:03 EDT
This issue affects the versions of the npm package, as shipped with Fedora release of 18 and 19. Please schedule an update.

--

This issue affects the versions of the npm package, as shipped with Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-07-12 05:38:00 EDT
Created npm tracking bugs for this issue:

Affects: fedora-all [bug 983918]
Affects: epel-6 [bug 983919]
Comment 5 T.C. Hollingsworth 2013-08-01 16:43:40 EDT
This is now fixed in Fedora 18, 19, and EPEL 6 stable repositories.

Leaving this open since it still blocks a private bug.
Comment 6 Jan Lieskovsky 2013-08-02 05:01:46 EDT
(In reply to T.C. Hollingsworth from comment #5)
> This is now fixed in Fedora 18, 19, and EPEL 6 stable repositories.
> 
> Leaving this open since it still blocks a private bug.

Thank you, T.C. To leave this open was correct (the other npm package issue case shipped within Red Hat is in progress still). We will close this bug once the flaw has been corrected in all affected package versions.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 7 Jamie Nguyen 2014-02-23 11:00:09 EST
Private bug has status "CLOSED ERRATA". Therefore I am closing this bug. Please re-open if required.