Bugzilla – Bug 1190054
VUL-0: CVE-2021-39134: nodejs4,nodejs6,nodejs8,nodejs14,nodejs12,nodejs10: nodejs-arborist: symlink following vulnerability
Last modified: 2022-08-09 12:11:23 UTC
rh#1999744

@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is, in part, accomplished by resolving dependency specifiers defined in package.json manifests for dependencies with a specific name, and nesting folders to resolve conflicting dependencies. When multiple dependencies differ only in the case of their name, Arborist's internal data structure saw them as separate items that could coexist within the same level in the node_modules hierarchy. However, on case-insensitive file systems (such as macOS and Windows), this is not the case. Combined with a symlink dependency such as file:/some/path, this allowed an attacker to create a situation in which arbitrary contents could be written to any location on the filesystem.

For example, a package pwn-a could define a dependency in their package.json file such as "foo": "file:/some/path". Another package, pwn-b, could define a dependency such as FOO: "file:foo.tgz". On case-insensitive file systems, if pwn-a was installed, and then pwn-b was installed afterwards, the contents of foo.tgz would be written to /some/path, and any existing contents of /some/path would be removed. Anyone using npm v7.20.6 or earlier on a case-insensitive filesystem is potentially affected.

Reference: https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1999744
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39134
https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
https://www.npmjs.com/package/@npmcli/arborist
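The condition the description relies on (two dependency names that are distinct strings but the same directory on a case-insensitive filesystem, one of them a `file:` specifier) can be checked for before anything is linked or extracted. The block below is an added example written for this bug report, not code from @npmcli/arborist or npm; it takes the dependency maps of several package.json manifests that would land at one node_modules level (the manifest names and specifiers are constructed to mirror the advisory's pwn-a / pwn-b scenario) and reports each case collision together with any `file:` specifiers involved.

```javascript
// Added example for this bug report; not code from @npmcli/arborist or npm.
// Report dependency names that differ only by case (one directory on a
// case-insensitive filesystem) and list any `file:` specifier among them.

// `entries` is an array of { source, name, spec }, one per dependency per manifest.
function findCaseCollisions(entries) {
  const groups = new Map();
  for (const e of entries) {
    const key = e.name.toLowerCase();
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e);
  }
  const findings = [];
  for (const [folded, group] of groups) {
    const distinct = new Set(group.map((e) => e.name));
    if (distinct.size < 2) continue; // one spelling only: no collision
    findings.push({
      folded,
      names: [...distinct].sort(),
      fileSpecs: group
        .filter((e) => e.spec.startsWith('file:'))
        .map((e) => `${e.source}: ${e.name} -> ${e.spec}`),
    });
  }
  return findings;
}

// Flatten each manifest's `dependencies` map into entry records.
function entriesFromManifests(manifests) {
  const out = [];
  for (const [source, manifest] of Object.entries(manifests)) {
    for (const [name, spec] of Object.entries(manifest.dependencies || {})) {
      out.push({ source, name, spec });
    }
  }
  return out;
}

// Constructed sample with the shape from the advisory: pwn-a links "foo"
// to an absolute path, pwn-b ships a tarball under the name "FOO".
const SAMPLE_MANIFESTS = {
  'pwn-a': { dependencies: { foo: 'file:/some/path', semver: '^7.3.5' } },
  'pwn-b': { dependencies: { FOO: 'file:foo.tgz' } },
  clean: { dependencies: { semver: '^7.3.5' } },
};

function auditSample() {
  return findCaseCollisions(entriesFromManifests(SAMPLE_MANIFESTS));
}
```

Running `auditSample()` on the sample yields one finding for the folded name `foo`, listing both spellings and both `file:` specifiers; `semver`, which appears twice with the same spelling, is not reported.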
This is an autogenerated message for OBS integration: This bug (1190054) was mentioned in https://build.opensuse.org/request/show/930657 Factory / nodejs14
SUSE-SU-2021:3886-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs14-14.18.1-6.18.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs12-12.22.7-4.22.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): nodejs12-12.22.7-4.22.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:3940-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): nodejs12-12.22.7-4.22.1

openSUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): nodejs14-14.18.1-15.21.2

SUSE-SU-2021:3964-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): nodejs14-14.18.1-15.21.2
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): nodejs14-14.18.1-15.21.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:1552-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): nodejs14-14.18.1-lp152.17.1

openSUSE-SU-2021:1574-1: An update that fixes 7 vulnerabilities is now available.
Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): nodejs12-12.22.7-lp152.3.21.1

SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.
Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs12-12.22.9-1.38.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All affected codestreams fixed. Reassigning to security team.
(In reply to Adam Majer from comment #12)
> All affected codestreams fixed. Reassigning to security team.

Thanks Adam, closing