Bug 27971 - nodejs-chownr new security issue CVE-2017-18869
Summary: nodejs-chownr new security issue CVE-2017-18869
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-29 10:18 CET by Zombie Ryushu
Modified: 2021-04-02 22:26 CEST (History)
5 users

See Also:
Source RPM: nodejs-chownr-1.0.1-3.mga8.src.rpm
CVE: CVE-2017-18869
Status comment:

Description Zombie Ryushu 2020-12-29 10:18:01 CET
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
Zombie Ryushu 2020-12-29 10:18:11 CET

CVE: (none) => CVE-2017-18869

David Walser 2020-12-29 17:11:12 CET

Whiteboard: (none) => MGA7TOO
Summary: nodejs-chownr security issue CVE-2017-18869 => nodejs-chownr new security issue CVE-2017-18869
Status comment: (none) => Fixed upstream in 1.1.0

Comment 1 Aurelien Oudelet 2020-12-29 21:11:37 CET
This is for you Stig.

CC: (none) => ouaurelien
Assignee: bugsquad => smelror

Comment 2 Nicolas Lécureuil 2020-12-30 22:04:17 CET
version 1.1.4 pushed in cauldron

CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Nicolas Lécureuil 2021-03-15 22:46:20 CET
fixed in mga7:

src:
    - nodejs-chownr-1.1.0-1.mga7

Status comment: Fixed upstream in 1.1.0 => (none)
Assignee: smelror => qa-bugs

Comment 4 David Walser 2021-03-15 23:43:01 CET
Advisory:
========================

Updated nodejs-chownr package fixes security vulnerability:

A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow
a local attacker to trick it into descending into unintended directories via
symlink attacks (CVE-2017-18869).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869
Comment 5 Herman Viaene 2021-04-02 14:13:24 CEST
MGA7-64 MATE on Peaq C1011
No installation issues
This is a developers library. OK on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2021-04-02 16:56:43 CEST
Thank you, Herman. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-04-02 21:14:14 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-04-02 22:26:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0169.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
