Bugzilla – Bug 1159352
VUL-0: CVE-2019-16777,CVE-2019-16776,CVE-2019-16775: nodejs6,nodejs8,nodejs10,nodejs12: Arbitrary path overwrite and access via "bin" field
Last modified: 2021-09-03 18:36:48 UTC
Binary Planting with the npm CLI

tl;dr - Update to npm v6.13.4 as soon as possible on all your systems to fix a vulnerability allowing arbitrary path access.

The Vulnerabilities

In versions of npm prior to 6.13.3 (and versions of yarn prior to 1.21.1), a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.

In versions of npm prior to 6.13.4 (and all versions of yarn as of this announcement), it was possible for a globally-installed package with a binary entry to overwrite an existing binary in the target install location. (That is, not any arbitrary file on the system, but any file in /usr/local/bin.)

A mitigating factor for both vulnerabilities is that a malicious actor would have to get their victim to install the package with the specially crafted bin entry. However, as we have seen in the past, this is not an insurmountable barrier.

Current Risk

The npm, Inc. security team has been scanning the registry for examples of this attack, and have not found any published packages in the registry with this exploit. That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the registry. We will continue monitoring, and will take action to prevent any bad actors from exploiting this vulnerability in the future. However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.

The Fix

The package.json parsing libraries in use in npm v6.13.3 were updated such that they would sanitize and validate all entries in the bin field to remove leading slashes, . and .. path entries, and other means of path escape, using the well tested and highly reliable path utility built into Node.js. The fix was reviewed by npm, Inc.’s security team, and showed that it prevented the arbitrary path manipulation reported.

The bin script linking libraries in use in npm v6.13.4 were updated such that, when installing binary entries of top-level globally installed packages, they will only overwrite existing binary files if they are currently installed on behalf of the same package being installed. For example, npm install --global foo could overwrite /usr/local/bin/foo if and only if /usr/local/bin/foo is currently a link to a previously installed version of foo. This second fix was also reviewed by npm, Inc.’s security team, and showed that it prevented the bin file overwriting exploit.

To patch both vulnerabilities, please run npm install -g npm@6.13.4 as soon as possible.

Thank you! The vulnerabilities were responsibly reported by Daniel Ruf, and we greatly appreciate Daniel’s help in keeping our community safe.

References
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
https://github.com/nodejs/node/pull/30904
With this version update the following CVEs are taken care of:

CVE-2019-16777: Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

CVE-2019-16776: Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

CVE-2019-16775: Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behavior is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Created attachment 826263: reproducer

1. tar cvf tests.tar
2. touch /tmp/overwrite
3. mkdir foo
4. cd foo
5. npm init
6. NPM_UNDER_TEST install --save ../cve_test

On a vulnerable system, this will create the following: /tmp/overwrite will be overwritten by a symlink to the empty index.js; /tmp/testing will have a symlink to the empty index.js; /tmp/bash will be a symlink to /bin/bash.

To re-run the test, since ../cve_test is a saved dependency, in the foo directory:

1. rm -rf node_modules; rm -f /tmp/{overwrite,testing,bash}; touch /tmp/overwrite
2. NPM_UNDER_TEST install

On a non-vulnerable system, this will generate an error:

> ENOENT: no such file or directory, chmod '/home/adamm/foo/node_modules/cve_test/bin/bash'
> enoent This is related to npm not being able to find a file.

To verify the other two fixes, edit cve_test/package.json, remove the entry for /bin/bash and re-run the test. This should not create any entries under /tmp and should only create symlinks under foo/node_modules/.bin/{testing,overwrite} that point to the index.js script.
This is an autogenerated message for OBS integration:
This bug (1159352) was mentioned in
https://build.opensuse.org/request/show/758472 Factory / nodejs12
https://build.opensuse.org/request/show/758473 Factory / nodejs10
This is an autogenerated message for OBS integration:
This bug (1159352) was mentioned in
https://build.opensuse.org/request/show/759700 Factory / nodejs10
SUSE-SU-2020:0043-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1149792,1159352
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): nodejs8-8.17.0-3.25.1
SUSE Linux Enterprise Module for Web Scripting 15 (src): nodejs8-8.17.0-3.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0063-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1149792,1159352,1159812
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs10-10.18.0-1.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0059-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1149792,1159352
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
openSUSE Leap 15.1 (src): nodejs8-8.17.0-lp151.2.9.1
SUSE-SU-2020:0104-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1149792,1159352,1159812
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): nodejs10-10.18.0-1.15.1
SUSE Linux Enterprise Module for Web Scripting 15 (src): nodejs10-10.18.0-1.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0247-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1159352
CVE References: CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): nodejs6-6.17.1-11.30.1
SUSE OpenStack Cloud Crowbar 8 (src): nodejs6-6.17.1-11.30.1
SUSE OpenStack Cloud 7 (src): nodejs6-6.17.1-11.30.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs6-6.17.1-11.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
SUSE-SU-2020:0429-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1159352,1163102,1163103,1163104
CVE References: CVE-2019-15604,CVE-2019-15605,CVE-2019-15606,CVE-2019-16775,CVE-2019-16776,CVE-2019-16777
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs12-12.15.0-1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.