Debian Bug report logs - #931408
node-fstream: CVE-2019-13173
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 4 Jul 2019 09:15:02 UTC
Severity: important
Tags: pending, security, upstream
Found in version node-fstream/1.0.10-1
Fixed in version node-fstream/1.0.12-1
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#931408; Package src:node-fstream. (Thu, 04 Jul 2019 09:15:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 04 Jul 2019 09:15:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: node-fstream
Version: 1.0.10-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for node-fstream.
CVE-2019-13173[0]:
| fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite.
| Extracting tarballs containing a hardlink to a file that already
| exists in the system, and a file that matches the hardlink, will
| overwrite the system's file with the contents of the extracted file.
| The fstream.DirWriter() function is vulnerable.
In commit [2], there is an open question whether that is sufficient.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173
[1] https://www.npmjs.com/advisories/886
[2] https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#931408. (Thu, 04 Jul 2019 09:36:03 GMT)
Message #8 received at 931408-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #931408 in node-fstream reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/js-team/node-fstream/commit/101dd4e4645bcff68c0c728380a3edcf35a695e3
------------------------------------------------------------------------
Add patch to fix Arbitrary File Overwrite (Closes: #931408, CVE-2019-13173)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/931408
Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 931408-submitter@bugs.debian.org. (Thu, 04 Jul 2019 09:36:03 GMT)
Marked as fixed in versions node-fstream/1.0.12-1. Request was from Xavier Guimard <yadd@debian.org> to control@bugs.debian.org. (Thu, 04 Jul 2019 10:12:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jul 4 11:21:27 2019