Package: node-rimraf
Version: 2.5.4-2
Severity: important
Tags: upstream

Dear Maintainer,

I was inspecting the source to node-rimraf. I believe the code in node-rimraf is unsafe if an adversary can manipulate the contents of the directory tree to be removed, making it unsuitable for use on multiuser machines. In particular, the adversary can cause files outside of the tree to be removed by the following sequence of manipulations:

    rimraf                           adversary
    ------                           ---------
                                     places a file
    lstat() -> [not a directory]
                                     replaces file with non-empty directory
    unlink() -> EISDIR
    rmdir()  -> ENOTEMPTY
                                     replaces directory with symlink
    rmkids() -> readdir()            [note: readdir follows symlink]

At this point, rimraf starts merrily removing stuff outside the intended tree.

To be safe, careful use of POSIX *at calls (openat, etc.) with appropriate flags (O_NOFOLLOW) is necessary, but these are probably not exposed in the node ecosystem.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-rt-amd64 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages node-rimraf depends on:
ii  node-glob  7.1.1-1
ii  nodejs     4.8.2~dfsg-1

Versions of packages node-rimraf recommends:
ii  node-graceful-fs  4.1.11-1

node-rimraf suggests no packages.

-- no debconf information

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel