node-growl: CVE-2017-16042: Does not properly sanitize input before passing it to exec

Related Vulnerabilities: CVE-2017-16042  

Debian Bug report logs - #900868
node-growl: CVE-2017-16042: Does not properly sanitize input before passing it to exec


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 6 Jun 2018 06:33:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version node-growl/1.7.0-1

Fixed in version node-growl/1.10.5-1

Done: Bastien Roucariès <rouca@debian.org>

Forwarded to https://github.com/tj/node-growl/issues/60



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#900868; Package src:node-growl. (Wed, 06 Jun 2018 06:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 06 Jun 2018 06:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-growl: CVE-2017-16042: Does not properly sanitize input before passing it to exec
Date: Wed, 06 Jun 2018 08:28:31 +0200
Source: node-growl
Version: 1.7.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/tj/node-growl/issues/60

Hi,

The following vulnerability was published for node-growl.

CVE-2017-16042[0]:
| Growl adds growl notification support to nodejs. Growl before 1.10.2
| does not properly sanitize input before passing it to exec, allowing
| for arbitrary command execution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16042
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16042
[1] https://github.com/tj/node-growl/issues/60

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 11 Jun 2018 17:39:07 GMT)


Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Tue, 07 Aug 2018 13:09:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 07 Aug 2018 13:09:04 GMT)


Message #12 received at 900868-close@bugs.debian.org:

From: Bastien Roucariès <rouca@debian.org>
To: 900868-close@bugs.debian.org
Subject: Bug#900868: fixed in node-growl 1.10.5-1
Date: Tue, 07 Aug 2018 13:04:58 +0000
Source: node-growl
Source-Version: 1.10.5-1

We believe that the bug you reported is fixed in the latest version of
node-growl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900868@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated node-growl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 07 Aug 2018 14:35:18 +0200
Source: node-growl
Binary: node-growl
Architecture: source
Version: 1.10.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 node-growl - unobtrusive notification system for nodejs
Closes: 763988 900868
Changes:
 node-growl (1.10.5-1) unstable; urgency=medium
 .
   * Team upload
   * Bug fix: "New upstream version", thanks to Leo Iannacone
     (Closes: #763988).
   * Bug fix: "CVE-2017-16042: Does not properly sanitize input before
     passing it to exec", thanks to Salvatore Bonaccorso (Closes: #900868).
   * Bump compat and policy







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:11:23 2019; Machine Name: buxtehude
