An insecure temporary directory generation / use flaw was found in the way NPM, Node.js Package Manager, used to generate location of the temporary folder to be used for tarballs expansion. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability to overwrite arbitrary system file reachable with the privileges of the user performing the NPM archive expansion. References: [1] http://www.openwall.com/lists/oss-security/2013/07/10/17 [2] http://www.openwall.com/lists/oss-security/2013/07/10/18 [3] http://www.openwall.com/lists/oss-security/2013/07/11/9 Upstream bug report: [4] https://github.com/isaacs/npm/issues/3635 Relevant upstream patch: [5] https://github.com/isaacs/npm/commit/f4d31693
This issue affects the versions of the npm package, as shipped with Fedora release of 18 and 19. Please schedule an update. -- This issue affects the versions of the npm package, as shipped with Fedora EPEL-6. Please schedule an update.
Created npm tracking bugs for this issue: Affects: fedora-all [bug 983918] Affects: epel-6 [bug 983919]
This is now fixed in Fedora 18, 19, and EPEL 6 stable repositories. Leaving this open since it still blocks a private bug.
(In reply to T.C. Hollingsworth from comment #5) > This is now fixed in Fedora 18, 19, and EPEL 6 stable repositories. > > Leaving this open since it still blocks a private bug. Thank you, T.C. To leave this open was correct (the other npm package issue case shipped within Red Hat is in progress still). We will close this bug once the flaw has been corrected in all affected package versions. Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Private bug has status "CLOSED ERRATA". Therefore I am closing this bug. Please re-open if required.