Bug 1173614 - (CVE-2019-15608) VUL-0: CVE-2019-15608: yarn: TOCTOU vulnerability leads to cache pollution
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Normal
Target Milestone: Current
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/255125/
Depends on:
Blocks:
Reported: 2020-07-02 09:04 UTC by Alexandros Toptsoglou
Modified: 2020-07-02 09:05 UTC
CC List: 0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2020-07-02 09:04:58 UTC
CVE-2019-15608

The package integrity validation in yarn < 1.19.0 contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.

References:

https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md#1190
https://github.com/yarnpkg/yarn/commit/0474b8c66a8ea298f5e4dedc67b2de464297ad1c
https://hackerone.com/reports/703138
https://bugzilla.redhat.com/show_bug.cgi?id=1851875
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15608
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15608.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15608
Comment 1 Alexandros Toptsoglou 2020-07-02 09:05:51 UTC
Only in TW, which ships an already fixed version.