Bug 983917 (CVE-2013-4116)
|Summary:||CVE-2013-4116 npm: Insecure temporary directory generation|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||drieden, nobody+bgollahe, tchollingsworth, thrcka|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2014-02-23 16:00:09 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||983918, 983919, 983930|
Description Jan Lieskovsky 2013-07-12 09:34:15 UTC
An insecure temporary directory generation / use flaw was found in the way NPM, Node.js Package Manager, used to generate location of the temporary folder to be used for tarballs expansion. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability to overwrite arbitrary system file reachable with the privileges of the user performing the NPM archive expansion. References:  http://www.openwall.com/lists/oss-security/2013/07/10/17  http://www.openwall.com/lists/oss-security/2013/07/10/18  http://www.openwall.com/lists/oss-security/2013/07/11/9 Upstream bug report:  https://github.com/isaacs/npm/issues/3635 Relevant upstream patch:  https://github.com/isaacs/npm/commit/f4d31693
Comment 1 Jan Lieskovsky 2013-07-12 09:37:03 UTC
This issue affects the versions of the npm package, as shipped with Fedora release of 18 and 19. Please schedule an update. -- This issue affects the versions of the npm package, as shipped with Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-07-12 09:38:00 UTC
Created npm tracking bugs for this issue: Affects: fedora-all [bug 983918] Affects: epel-6 [bug 983919]
Comment 5 T.C. Hollingsworth 2013-08-01 20:43:40 UTC
This is now fixed in Fedora 18, 19, and EPEL 6 stable repositories. Leaving this open since it still blocks a private bug.
Comment 6 Jan Lieskovsky 2013-08-02 09:01:46 UTC
(In reply to T.C. Hollingsworth from comment #5) > This is now fixed in Fedora 18, 19, and EPEL 6 stable repositories. > > Leaving this open since it still blocks a private bug. Thank you, T.C. To leave this open was correct (the other npm package issue case shipped within Red Hat is in progress still). We will close this bug once the flaw has been corrected in all affected package versions. Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 7 Jamie Nguyen 2014-02-23 16:00:09 UTC
Private bug has status "CLOSED ERRATA". Therefore I am closing this bug. Please re-open if required.