[Pkg-javascript-devel] Bug#715325: npm: leaves lots of stuff in /tmp
The security issue is fixed there: https://github.com/isaacs/npm/commit/f4d31693
This will eventually come to the npm Debian package.

Jérémy.

___
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
On 07/10/2013 12:11 PM, Jérémy Lal wrote:
> The security issue is fixed there: https://github.com/isaacs/npm/commit/f4d31693
> This will eventually come to the npm Debian package.

Thanks for the followup on this, Jérémy!

I confess I'm kind of amazed that node doesn't have any primitive like mkstemp(3), or if it does, that npm isn't using such a primitive.

Has a CVE been requested or assigned for this yet? I'd be happy to make the request if you think that would be useful.

regards,

--dkg
[Pkg-javascript-devel] Bug#715325: [oss-security] npm uses predictable temporary filenames when unpacking tarballs
On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
> hi oss-sec folks--
>
> I recently learned that npm, the node.js language-specific package manager, created predictable temporary directory names in a world-writable filesystem (/tmp) by default when unpacking archives.
>
> It looks like this might leave open a classic symlink race such that one user could control the location where another user unpacked packages coming from an npm installation. If the superuser was the one running npm, this might have led to a non-privileged user who wins the race getting a privilege escalation as well, depending on the contents of the fetched package.
>
> The issue appears to have been fixed upstream today, here: https://github.com/isaacs/npm/commit/f4d31693
>
> I first learned about the problem during a related bug report: http://bugs.debian.org/715325 (cc'ed here)

Sorry, I should also have mentioned that the upstream bug report is: https://github.com/isaacs/npm/issues/3635

--dkg
[Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
On 10/07/2013 18:59, Daniel Kahn Gillmor wrote:
> I notice that your message was sent privately to me, ../.. feel free to post copies of it to the BTS.

My mistake.

> On 07/10/2013 12:31 PM, Jérémy Lal wrote:
>> On 10/07/2013 18:17, Daniel Kahn Gillmor wrote:
>>> I confess I'm kind of amazed that node doesn't have any primitive like mkstemp(3), or if it does, that npm isn't using such a primitive.
>>
>> Using a module: https://github.com/bruce/node-temp
>
> heh. And npm can't rely on that because the only way to install it is with npm itself, lovely :/

No, it's perfectly fine for npm to depend on a number of modules, since the npm tarball contains its own node_modules. Upstream npm is relatively open to patches that separate functions in a module, and node-temp seems well maintained.

>>> Has a CVE been requested or assigned for this yet? I'd be happy to make the request if you think that would be useful.
>>
>> I'm going to upload the latest nodejs/npm to unstable this summer, not so sure a CVE is worth it.
>
> I appreciate your staying on top of the uploads. I'm not sure how that relates to the relevance or worth of a CVE for the issue, though. I'll go ahead and request one unless there is a strong reason not to.

Okay.

Jérémy.
[Pkg-javascript-devel] Processed: javascript-common needs an update for apache2.4 transition
Processing commands for cont...@bugs.debian.org:

> user debian-apa...@lists.debian.org
Setting user to debian-apa...@lists.debian.org (was jmv_...@nirgal.com).

> usertag 710475 +apache24webapptransition
There were no usertags set.
Usertags are now: apache24webapptransition.

> block 661958 by 710475
Bug #661958 [release.debian.org] transition: apache2 2.4
661958 was blocked by: 669755 669834 666854 669775 666817 669735 666832 669825 669856 670973 711160 669777 669814 707062 669743 669791 707066 669840 666848 666850 666806 666857 666811 669782 669884 666838 666825 666855 669812 669747 666863 666799 669844 666829 669769 669738 669821 666815 669749 669828 707060 669792 669842 669762 669785 666807 666862 666859 710512 669823 666860 669745 669819 666796 669837 710688 669733 666822 669757 669830 669854 666858 666820 666847 669959 707065 666835 669804 669741 669801 707063 669798 669767 666801 666833 669750 669761 666831 669788 669779 669808 669759 669832 666830 669827 666837 666814 666856 669787 669773 669737 666849 666852 666818 669826 669774 666810 669806 669855 669768 666809 666797 669796 669815 669742 666846 666805 669885 669752 669734 707061 666802 669754 669820 669776 669813 669845 669746 669739 669833 666826 669846 669781 666804 666840 669783 666853 669764 669817 710870 666794 669770 669822 666844 669841 669851 666800 669843 666834 669790 669748 711175 666813 709462 669824 669736 669794 669763 669800 666808 669780 669857 669292 666842 669802 666851 669839 669805 669729 669811 707064 669818 669740 669803 669756 666836 669829 666864 666821 669772 669751 669809 669766 666839 669789 669799 669786 669797 714537 669831 669836 669784
661958 was not blocking any bugs.
Added blocking bug(s) of 661958: 710475

> End of message, stopping processing here.

Please contact me if you need assistance.

--
661958: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661958
710475: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710475
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems