Bug 1710570 (CVE-2019-13173) - CVE-2019-13173 nodejs-fstream: File overwrite in fstream.DirWriter() function
Summary: CVE-2019-13173 nodejs-fstream: File overwrite in fstream.DirWriter() function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-13173
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1710571 1710572 1726550 1726551 1726552 1840514 1840515
Blocks: 1710573
TreeView+ depends on / blocked
 
Reported: 2019-05-15 19:32 UTC by Pedro Sampaio
Modified: 2021-10-25 09:52 UTC (History)
36 users (show)

Fixed In Version: nodejs-fstream 1.0.12
Clone Of:
Environment:
Last Closed: 2021-10-25 09:52:29 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2019-05-15 19:32:54 UTC 
Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Upstream patch:

https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22

References:

https://www.npmjs.com/advisories/886
Comment 1 Pedro Sampaio 2019-05-15 19:33:25 UTC 
Created nodejs-fstream tracking bugs for this issue:

Affects: epel-all [bug 1710572]
Affects: fedora-all [bug 1710571]
Comment 2 Riccardo Schirone 2019-07-02 14:03:18 UTC 
External References:

https://www.npmjs.com/advisories/886
Comment 7 Jason Shepherd 2019-08-08 05:47:15 UTC 
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details
Note You need to log in before you can comment on or make changes to this bug.