Bug 983917 - (CVE-2013-4116) CVE-2013-4116 npm: Insecure temporary directory generation
CVE-2013-4116 npm: Insecure temporary directory generation
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20130708,reported=2...
: Security
Depends On: 983918 983919 983930
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-12 05:34 EDT by Jan Lieskovsky
Modified: 2015-07-31 03:08 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-23 11:00:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-07-12 05:34:15 EDT
An insecure temporary directory generation / use flaw was found in the way NPM, Node.js Package Manager, used to generate location of the temporary folder to be used for tarballs expansion. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability to overwrite arbitrary system file reachable with the privileges of the user performing the NPM archive expansion.

References:
[1] http://www.openwall.com/lists/oss-security/2013/07/10/17
[2] http://www.openwall.com/lists/oss-security/2013/07/10/18
[3] http://www.openwall.com/lists/oss-security/2013/07/11/9

Upstream bug report:
[4] https://github.com/isaacs/npm/issues/3635

Relevant upstream patch:
[5] https://github.com/isaacs/npm/commit/f4d31693
Comment 1 Jan Lieskovsky 2013-07-12 05:37:03 EDT
This issue affects the versions of the npm package, as shipped with Fedora release of 18 and 19. Please schedule an update.

--

This issue affects the versions of the npm package, as shipped with Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-07-12 05:38:00 EDT
Created npm tracking bugs for this issue:

Affects: fedora-all [bug 983918]
Affects: epel-6 [bug 983919]
Comment 5 T.C. Hollingsworth 2013-08-01 16:43:40 EDT
This is now fixed in Fedora 18, 19, and EPEL 6 stable repositories.

Leaving this open since it still blocks a private bug.
Comment 6 Jan Lieskovsky 2013-08-02 05:01:46 EDT
(In reply to T.C. Hollingsworth from comment #5)
> This is now fixed in Fedora 18, 19, and EPEL 6 stable repositories.
> 
> Leaving this open since it still blocks a private bug.

Thank you, T.C. To leave this open was correct (the other npm package issue case shipped within Red Hat is in progress still). We will close this bug once the flaw has been corrected in all affected package versions.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 7 Jamie Nguyen 2014-02-23 11:00:09 EST
Private bug has status "CLOSED ERRATA". Therefore I am closing this bug. Please re-open if required.

Note You need to log in before you can comment on or make changes to this bug.