Affected versions of chownr are vulnerable to Time of Check Time of Use (TOCTOU). It does not dereference symbolic links and changes the owner of the link. Upstream bug: https://github.com/isaacs/chownr/issues/14 Upstream patch: https://github.com/simevo/chownr/commit/0307bb7520c856f3e586815959141103ed7590c4 References: https://snyk.io/vuln/npm:chownr:20180731 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985#10
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-18869