npm: CVE-2013-4116: predictable temporary filenames when unpacking tarballs

Related Vulnerabilities: CVE-2013-4116  

Debian Bug report logs - #715325
npm: CVE-2013-4116: predictable temporary filenames when unpacking tarballs


Reported by: Shawn Landden <shawnlandden@gmail.com>

Date: Mon, 8 Jul 2013 03:12:02 UTC

Severity: normal

Tags: security

Found in version npm/1.2.18~dfsg-3

Fixed in versions npm/1.3.10~dfsg-1, 1.3.3

Done: Jérémy Lal <kapouer@melix.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/isaacs/npm/issues/3635



Report forwarded to debian-bugs-dist@lists.debian.org, shawnlandden@gmail.com, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 03:12:06 GMT) (full text, mbox, link).


Acknowledgement sent to Shawn Landden <shawnlandden@gmail.com>:
New Bug report received and forwarded. Copy sent to shawnlandden@gmail.com, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 03:12:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Shawn Landden <shawnlandden@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: npm: leaves lots of stuff in /tmp
Date: Mon, 08 Jul 2013 03:08:17 +0000
Package: npm
Version: 1.2.18~dfsg-3
Severity: normal

I installed a few packages yesterday, and today realized npm was wasting 50M
of my RAM with copies of what it downloaded still in /tmp/npm-# folders.

It should clean this up, put it in /var/cache, and/or have a command to clean up.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.9-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages npm depends on:
ii  node-abbrev             1.0.4-1
ii  node-ansi               0.1.2~dfsg1-1
ii  node-archy              0.0.2-1
ii  node-block-stream       0.0.6-1
ii  node-fstream            0.1.22-1
ii  node-fstream-ignore     0.0.6-2
ii  node-glob               3.2.1-2
ii  node-graceful-fs        1.2.1-2
ii  node-gyp                0.9.5-2
ii  node-inherits           0.1-1
ii  node-ini                1.1.0-1
ii  node-lockfile           0.3.1-1
ii  node-lru-cache          2.3.0-1
ii  node-minimatch          0.2.11-1
ii  node-mkdirp             0.3.3-1
ii  node-nopt               2.1.1-1
ii  node-npmlog             0.0.2-1
ii  node-once               1.1.1-1
ii  node-osenv              0.0.3-1
ii  node-read               1.0.4-1
ii  node-read-package-json  0.3.1-3
ii  node-request            2.9.153-1
ii  node-retry              0.6.0-1
ii  node-rimraf             2.1.4-1
ii  node-semver             1.1.4-1
ii  node-slide              1.1.4-1
ii  node-tar                0.1.17-1
ii  node-which              1.0.5-2
ii  nodejs                  0.10.11~dfsg1-1

npm recommends no packages.

npm suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 07:36:09 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 07:36:09 GMT) (full text, mbox, link).


Message #10 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: Shawn Landden <shawnlandden@gmail.com>, 715325@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#715325: npm: leaves lots of stuff in /tmp
Date: Mon, 08 Jul 2013 09:33:00 +0200
On 08/07/2013 05:08, Shawn Landden wrote:
> Package: npm
> Version: 1.2.18~dfsg-3
> Severity: normal
> 
> I installed a few packages yesterday, and today realized npm was wasting 50M
> of my ram with copies of what it downloaded still in /tmp/npm-# folders
> 
> it should clean this up, put it in /var/cache, and/or have a command to clean up

Issue reproduced.
As a quick workaround, you can create ~/tmp and npm will use that instead.
Otherwise I believe those leftovers are a bug.

Jérémy.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 10:42:09 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 10:42:09 GMT) (full text, mbox, link).


Message #15 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jérémy Lal <kapouer@melix.org>, 715325@bugs.debian.org
Cc: Shawn Landden <shawnlandden@gmail.com>
Subject: Re: [Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
Date: Mon, 08 Jul 2013 06:38:23 -0400
[Message part 1 (text/plain, inline)]
On 07/08/2013 03:33 AM, Jérémy Lal wrote:
> On 08/07/2013 05:08, Shawn Landden wrote:
>
>> I installed a few packages yesterday, and today realized npm was wasting 50M
>> of my ram with copies of what it downloaded still in /tmp/npm-# folders


I haven't tried to reproduce this yet, but it sounds to me like you
might be saying that the names of the /tmp/npm-# folders might be
predictably named (e.g. named after the process id).  Is this the case?
 If so, has anyone considered the possibility of an attack via
predictable paths in a world-writable directory?

>> it should clean this up, put it in /var/cache, and/or have a command to clean up
> 
> Issue reproduced.
> As a quick workaround, you can create ~/tmp and npm will use that instead.
> Otherwise i believe those leftovers are a bug.

It's buggy if it doesn't clean up, regardless of which tmp directory it
uses. And npm should probably be respecting $TMPDIR directly, following
the standard Unix conventions, rather than just assuming that the
magically-named ~/tmp is preferable to /tmp.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 11:57:09 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 11:57:09 GMT) (full text, mbox, link).


Message #20 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 715325@bugs.debian.org, Shawn Landden <shawnlandden@gmail.com>
Subject: Re: [Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
Date: Mon, 08 Jul 2013 13:55:40 +0200
On 08/07/2013 12:38, Daniel Kahn Gillmor wrote:
> On 07/08/2013 03:33 AM, Jérémy Lal wrote:
>> On 08/07/2013 05:08, Shawn Landden wrote:
>>
>>> I installed a few packages yesterday, and today realized npm was wasting 50M
>>> of my ram with copies of what it downloaded still in /tmp/npm-# folders
> 
> 
> I haven't tried to reproduce this yet, but it sounds to me like you
> might be saying that the names of the /tmp/npm-# folders might be
> predictably named (e.g. named after the process id).  Is this the case?
>  If so, has anyone considered the possibility of an attack via
> predictable paths in a world-writable directory?

I am curious about how `npm install mymodule` could be a target for an attacker,
especially considering the temp directory is used only once (at (un)tar times).


>>> it should clean this up, put it in /var/cache, and/or have a command to clean up
>>
>> Issue reproduced.
>> As a quick workaround, you can create ~/tmp and npm will use that instead.
>> Otherwise i believe those leftovers are a bug.
> 
> it's buggy if it doesn't clean up, regardless of which tmp directory it

This is what I meant by writing "issue reproduced".

> uses.  and npm should probably be respecting $TMPDIR directly following
> the standard unix conventions, rather than just assuming that the
> magically-named ~/tmp is preferable to /tmp.

Agreed, the workaround I proposed is completely wrong;
please read what `man npm-config` says about TMPDIR instead.

Jérémy.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 12:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 12:27:07 GMT) (full text, mbox, link).


Message #25 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jérémy Lal <kapouer@melix.org>
Cc: 715325@bugs.debian.org, Shawn Landden <shawnlandden@gmail.com>
Subject: Re: [Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
Date: Mon, 08 Jul 2013 08:23:51 -0400
[Message part 1 (text/plain, inline)]
On 07/08/2013 07:55 AM, Jérémy Lal wrote:

> I am curious about how `npm install mymodule` could be a target for an attacker,
> especially considering the temp directory is used only once (at (un)tar times).

If the tmpdir is predictably-named (e.g. it is /tmp/npm-$PID), then an
attacker could watch the process table for a process named "npm", and as
soon as it appears (say, as pid 13577), create a symlink at
/tmp/npm-13577 that points to, say, the home directory of the user npm,
which might have the effect of clobbering any similarly-named files.

This is a crude attack, but depending on the contents of the tarball it
could be pretty unfortunate (e.g. if the tarball contains a file named
secring.gpg, and the attacker points the symlink to the victim's
~/.gnupg ?).

> Agreed, the workaround i proposed is completely wrong,
> please read what `man npm-config` says about TMPDIR instead.

http://sources.debian.net/src/npm/1.2.18~dfsg-3/doc/cli/config.md#L756
suggests that it is supposed to use TMPDIR, which is good :)

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 12:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 12:39:05 GMT) (full text, mbox, link).


Message #30 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 715325@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
Date: Mon, 08 Jul 2013 14:36:24 +0200
On 08/07/2013 14:23, Daniel Kahn Gillmor wrote:
> On 07/08/2013 07:55 AM, Jérémy Lal wrote:
> 
>> I am curious about how `npm install mymodule` could be a target for an attacker,
>> especially considering the temp directory is used only once (at (un)tar times).
> 
> if the tmpdir is predictably-named (e.g. it is /tmp/npm-$PID), then an
> attacker could watch the process table for a process named "npm", and as
> soon as it appears (say, as pid 13577, create a symlink at
> /tmp/npm-13577 that points to, say, the home directory of the user npm,
> which might have the effect of clobbering any similarly-named files.
> 
> This is a crude attack, but depending on the contents of the tarball it
> could be pretty unfortunate (e.g. if the tarball contains a file named
> secring.gpg, and the attacker points the symlink to the victim's
> ~/.gnupg ?).


I still do not understand if this is really a security issue.
IMO if a program on your system does that, the whole system is compromised;
you can't really be hardening any software against it.

If you disagree, do you mind if we move this discussion to the upstream
[nodejs] discussion group? We'll probably find some enlightenment there.

Jérémy.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 12:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 12:51:04 GMT) (full text, mbox, link).


Message #35 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jérémy Lal <kapouer@melix.org>
Cc: 715325@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
Date: Mon, 08 Jul 2013 08:47:23 -0400
[Message part 1 (text/plain, inline)]
On 07/08/2013 08:36 AM, Jérémy Lal wrote:
> I still do not understand if this is really a security issue.
> IMO if a program on your system does that, the whole system is compromised,
> you can't really be hardening any software against it.

what we're talking about is a classic symlink attack.  I haven't tried
to verify it with npm myself, but using predictable tmpfile names in
world-writable directories is the usual gateway to a vulnerability here.

> If you disagree, do you mind if we move this discussion to upstream
> [nodejs] discussion group ? We'll probably find some enlightment there.

I'm not on the upstream nodejs discussion group, but if you want to cc
me on the discussion there, I'd be happy to chime in.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Set Bug forwarded-to-address to 'https://github.com/isaacs/npm/issues/3635'. Request was from Jérémy Lal <kapouer@melix.org> to control@bugs.debian.org. (Mon, 08 Jul 2013 13:48:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 14:18:15 GMT) (full text, mbox, link).


Acknowledgement sent to dod@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 14:18:15 GMT) (full text, mbox, link).


Message #42 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Dominique Dumont <dod@debian.org>
To: Jérémy Lal <kapouer@melix.org>
Cc: pkg-javascript-devel@lists.alioth.debian.org, 715325@bugs.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
Date: Mon, 8 Jul 2013 16:06:51 +0200
On Monday 08 July 2013 14:36:24 Jérémy Lal wrote:
> I still do not understand if this is really a security issue.
> IMO if a program on your system does that, the whole system is compromised,
> you can't really be hardening any software against it.

A symlink attack is done by a user of a system against another user on the
same system. This is not a worry on your laptop, but may be an issue on a
bigger server in a data center.

HTH

-- 
 https://github.com/dod38fr/   -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-   irc: dod at irc.debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Mon, 08 Jul 2013 14:36:08 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Jul 2013 14:36:08 GMT) (full text, mbox, link).


Message #47 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: dod@debian.org
Cc: pkg-javascript-devel@lists.alioth.debian.org, 715325@bugs.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [Pkg-javascript-devel] Bug#715325: Bug#715325: Bug#715325: npm: leaves lots of stuff in /tmp
Date: Mon, 08 Jul 2013 16:33:35 +0200
On 08/07/2013 16:06, Dominique Dumont wrote:
> On Monday 08 July 2013 14:36:24 Jérémy Lal wrote:
>> I still do not understand if this is really a security issue.
>> IMO if a program on your system does that, the whole system is compromised,
>> you can't really be hardening any software against it.
> 
> A symlink attack is done by a user of a system against another user on the 
> same system. This is not a worry on your laptop, but may be an issue on a 
> bigger server in a data center

Thank you for the explanation.
Somehow I understood it was important and forwarded the bug upstream.

Jérémy.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Wed, 10 Jul 2013 16:12:31 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 10 Jul 2013 16:12:32 GMT) (full text, mbox, link).


Message #52 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: 715325@bugs.debian.org
Subject: Re: Bug#715325: npm: leaves lots of stuff in /tmp
Date: Wed, 10 Jul 2013 18:11:07 +0200
The security issue is fixed there:
https://github.com/isaacs/npm/commit/f4d31693

This will eventually come to the npm Debian package.

Jérémy.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Wed, 10 Jul 2013 16:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 10 Jul 2013 16:21:07 GMT) (full text, mbox, link).


Message #57 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jérémy Lal <kapouer@melix.org>, 715325@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#715325: npm: leaves lots of stuff in /tmp
Date: Wed, 10 Jul 2013 12:17:09 -0400
[Message part 1 (text/plain, inline)]
On 07/10/2013 12:11 PM, Jérémy Lal wrote:
> The security issue is fixed there :
> https://github.com/isaacs/npm/commit/f4d31693
> 
> this will eventually come to npm debian package.

Thanks for the followup on this, jérémy!

I confess I'm kind of amazed that node doesn't have any primitive like
mkstemp(3), or if it does, that npm isn't using such a primitive.

Has a CVE been requested or assigned for this yet?  I'd be happy to make
the request if you think that would be useful.

regards,

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Wed, 10 Jul 2013 20:10:55 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 10 Jul 2013 20:10:55 GMT) (full text, mbox, link).


Message #62 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: oss-security@lists.openwall.com
Cc: 715325@bugs.debian.org
Subject: npm uses predictable temporary filenames when unpacking tarballs
Date: Wed, 10 Jul 2013 16:02:13 -0400
[Message part 1 (text/plain, inline)]
hi oss-sec folks--

I recently learned that npm, the node.js language-specific package
manager, created predictable temporary directory names in a
world-writable filesystem (/tmp) by default when unpacking archives.

It looks like this might leave open a classic symlink race such that one
user could control the location where another user unpacked packages
coming from an npm installation.

If the superuser was the one running npm, this might have led to a
non-privileged user who wins the race getting a privilege escalation as
well, depending on the contents of the fetched package.

The issue appears to have been fixed upstream today, here:

  https://github.com/isaacs/npm/commit/f4d31693

I first learned about the problem during a related bug report,
http://bugs.debian.org/715325 (cc'ed here).

If you think this needs a CVE, could you assign one please?

Regards,

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Wed, 10 Jul 2013 20:10:58 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 10 Jul 2013 20:10:58 GMT) (full text, mbox, link).


Message #67 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: oss-security@lists.openwall.com
Cc: 715325@bugs.debian.org
Subject: Re: [oss-security] npm uses predictable temporary filenames when unpacking tarballs
Date: Wed, 10 Jul 2013 16:04:14 -0400
[Message part 1 (text/plain, inline)]
On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
> hi oss-sec folks--
> 
> i recently learned that npm, the node.js language-specific package
> manager, created predictable temporary directory names in a
> world-writable filesystem (/tmp) by default when unpacking archives.
> 
> It looks like this might leave open a classic symlink race such that one
> user could control the location where another user unpacked packages
> coming from an npm installation.
> 
> if the superuser was the one running npm, this might have led to a
> non-privileged user who wins the race getting a privilege escalation as
> well, depending on the contents of the fetched package.
> 
> The issue appears to have been fixed upstream today, here:
> 
>   https://github.com/isaacs/npm/commit/f4d31693
> 
> I first learned about the problem during a related bug report,
> http://bugs.debian.org/715325 (cc'ed here).

Sorry, I should also have mentioned that the upstream bug report is:

https://github.com/isaacs/npm/issues/3635

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Wed, 10 Jul 2013 21:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Lal <kapouer@melix.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 10 Jul 2013 21:33:04 GMT) (full text, mbox, link).


Message #72 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 715325@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#715325: npm: leaves lots of stuff in /tmp
Date: Wed, 10 Jul 2013 23:30:50 +0200
On 10/07/2013 18:59, Daniel Kahn Gillmor wrote:
> I notice that your message was sent privately to me,
> ../.. feel free to post copies of it to the BTS.

My mistake.
 
> On 07/10/2013 12:31 PM, Jérémy Lal wrote:
>> On 10/07/2013 18:17, Daniel Kahn Gillmor wrote:
> 
>>> I confess i'm kind of amazed that node doesn't have any primitive like
>>> mkstemp(3), or if it does, that npm isn't using such a primitive.
>>
>> Using a module:
>> https://github.com/bruce/node-temp
> 
> heh.  and npm can't rely on that because the only way to install it is
> with npm itself, lovely :/

No, it's perfectly fine for npm to depend on a number of modules,
since the npm tarball contains its own node_modules.
Upstream npm is relatively open to patches that separate functions into a module,
and node-temp seems well maintained.

>>> Has a CVE been requested or assigned for this yet?  I'd be happy to make
>>> the request if you think that would be useful.
>>
>> I'm going to upload latest nodejs/npm to unstable this summer,
>> not so sure a CVE is worth it.
> 
> I appreciate your staying on top of the uploads.  I'm not sure how that
> relates to the relevance or worth of a CVE for the issue, though.
> 
> I'll go ahead and request one unless there is a strong reason not to.

Okay.

Jérémy.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#715325; Package npm. (Thu, 11 Jul 2013 18:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to kseifried@redhat.com:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 11 Jul 2013 18:09:04 GMT) (full text, mbox, link).


Message #77 received at 715325@bugs.debian.org (full text, mbox, reply):

From: Kurt Seifried <kseifried@redhat.com>
To: oss-security@lists.openwall.com
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 715325@bugs.debian.org
Subject: Re: [oss-security] npm uses predictable temporary filenames when unpacking tarballs
Date: Thu, 11 Jul 2013 12:05:14 -0600

On 07/10/2013 02:04 PM, Daniel Kahn Gillmor wrote:
> On 07/10/2013 04:02 PM, Daniel Kahn Gillmor wrote:
>> hi oss-sec folks--
>> 
>> i recently learned that npm, the node.js language-specific
>> package manager, created predictable temporary directory names in
>> a world-writable filesystem (/tmp) by default when unpacking
>> archives.
>> 
>> It looks like this might leave open a classic symlink race such
>> that one user could control the location where another user
>> unpacked packages coming from an npm installation.
>> 
>> if the superuser was the one running npm, this might have led to
>> a non-privileged user who wins the race getting a privilege
>> escalation as well, depending on the contents of the fetched
>> package.
>> 
>> The issue appears to have been fixed upstream today, here:
>> 
>> https://github.com/isaacs/npm/commit/f4d31693
>> 
>> I first learned about the problem during a related bug report,
>> http://bugs.debian.org/715325 (cc'ed here).
> 
> sorry, i should also have mentioned that the upstream bug report
> is:
> 
> https://github.com/isaacs/npm/issues/3635
> 
> --dkg
> 

Thanks for the link. Please use CVE-2013-4116 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



Changed Bug title to 'npm: CVE-2013-4116: predictable temporary filenames when unpacking tarballs' from 'npm: leaves lots of stuff in /tmp' Request was from "Henri Salo" <fgeek@nerv.fi> to control@bugs.debian.org. (Thu, 11 Jul 2013 18:33:04 GMT) (full text, mbox, link).


Added tag(s) security. Request was from "Henri Salo" <fgeek@nerv.fi> to control@bugs.debian.org. (Thu, 11 Jul 2013 18:36:05 GMT) (full text, mbox, link).


Reply sent to Jérémy Lal <kapouer@melix.org>:
You have taken responsibility. (Mon, 09 Sep 2013 13:27:10 GMT) (full text, mbox, link).


Notification sent to Shawn Landden <shawnlandden@gmail.com>:
Bug acknowledged by developer. (Mon, 09 Sep 2013 13:27:10 GMT) (full text, mbox, link).


Message #86 received at 715325-done@bugs.debian.org (full text, mbox, reply):

From: Jérémy Lal <kapouer@melix.org>
To: 715325-done@bugs.debian.org
Subject: Re: npm: CVE-2013-4116: predictable temporary filenames when unpacking tarballs
Date: Mon, 09 Sep 2013 15:22:31 +0200
The upstream fix is present in npm since version 1.3.3,
see
https://github.com/isaacs/npm/commit/f4d31693e73a963574a88000580db1a716fe66f1

Closing this bug.

Jérémy.




Marked as fixed in versions 1.3.3. Request was from Jonas Smedegaard <dr@jones.dk> to control@bugs.debian.org. (Mon, 09 Sep 2013 14:15:16 GMT) (full text, mbox, link).


Marked as fixed in versions 1.3.10+dfsg-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Thu, 31 Oct 2013 20:07:04 GMT) (full text, mbox, link).


No longer marked as fixed in versions 1.3.10+dfsg-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 24 Nov 2013 20:40:38 GMT) (full text, mbox, link).


Marked as fixed in versions npm/1.3.10~dfsg-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 24 Nov 2013 20:40:39 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 23 Dec 2013 07:31:25 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:59:51 2019; Machine Name: buxtehude
