Fedora Account System
Red Hat Associate
Red Hat Customer
Affected versions of chownr are vulnerable to Time of Check Time of Use (TOCTOU). It does not dereference symbolic links and changes the owner of the link. Upstream bug: https://github.com/isaacs/chownr/issues/14 Upstream patch: https://github.com/simevo/chownr/commit/0307bb7520c856f3e586815959141103ed7590c4 References: https://snyk.io/vuln/npm:chownr:20180731 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985#10
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-18869