Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2016-10538

Source

Debian Bug report logs - #809252
node-cli: CVE-2016-10538

Package: node-cli; Maintainer for node-cli is Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>; Source for node-cli is src:node-cli (PTS, buildd, popcon).

Reported by: Steve Kemp <steve@steve.org.uk>

Date: Mon, 28 Dec 2015 18:33:02 UTC

Severity: critical

Tags: fixed-upstream, security

Found in version node-cli/0.4.4~20120516-1

Fixed in version 0.4.4~20120516-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/node-js-libs/cli/issues/81

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#809252; Package node-cli. (Mon, 28 Dec 2015 18:33:05 GMT) (full text, mbox, link).

Acknowledgement sent to Steve Kemp <steve@steve.org.uk>:
New Bug report received and forwarded. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 28 Dec 2015 18:33:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: node-cli
Version: 0.4.4~20120516-1
Severity: critical
Tags: security

Dear Maintainer,

The `node-cli` library makes insecure use of the following two
temporary files:

        lock_file = '/tmp/' + cli.app + '.pid',
        log_file = '/tmp/' + cli.app + '.log';

These allow overwriting files  that the starting-user has permission
to modify.



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#809252; Package node-cli. (Sun, 06 Nov 2016 20:42:04 GMT) (full text, mbox, link).

Acknowledgement sent to Jens Krefeldt <j.krefeldt@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 06 Nov 2016 20:42:04 GMT) (full text, mbox, link).

Message #10 received at 809252@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi,

pls note that this bug is solved since v1.0.0, see https://github.com/node-js-libs/cli/issues/81 <https://github.com/node-js-libs/cli/issues/81> . Pls could you update this? It is still marked at https://nodesecurity.io/advisories/cli_arbitrary-file-write <https://nodesecurity.io/advisories/cli_arbitrary-file-write> and blames all modules referencing it even in version 1.0.0, e.g https://david-dm.org/deadratfink/jy-transform/development <https://david-dm.org/deadratfink/jy-transform/development>.

Thx and best,
Jens

[Message part 2 (text/html, inline)]

Set Bug forwarded-to-address to 'https://github.com/node-js-libs/cli/issues/81'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 06 Nov 2016 21:09:05 GMT) (full text, mbox, link).

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 10 Nov 2016 17:33:05 GMT) (full text, mbox, link).

Changed Bug title to 'node-cli: CVE-2016-10538' from 'node-cli: insecure use of temporary files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Jun 2018 19:06:02 GMT) (full text, mbox, link).

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 10 Feb 2019 22:09:07 GMT) (full text, mbox, link).

Notification sent to Steve Kemp <steve@steve.org.uk>:
Bug acknowledged by developer. (Sun, 10 Feb 2019 22:09:08 GMT) (full text, mbox, link).

Message #21 received at 809252-done@bugs.debian.org (full text, mbox, reply):

Version: 0.4.4~20120516-1+rm

Dear submitter,

as the package node-cli has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/921956

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Mar 2019 07:33:46 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:37:12 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

node-cli: CVE-2016-10538

Debian Bug report logs - #809252
node-cli: CVE-2016-10538

Vulmon Search

About

Products

Connect

node-cli: CVE-2016-10538

Debian Bug report logs - #809252 node-cli: CVE-2016-10538

Vulmon Search

About

Products

Connect

Debian Bug report logs - #809252
node-cli: CVE-2016-10538