Source: npm
Version: 5.8.0+ds6-4
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for npm.

CVE-2019-16775[0]:
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary
| File Write. It is possible for packages to create symlinks to files
| outside of the node_modules folder through the bin field upon
| installation. A properly constructed entry in the package.json bin
| field would allow a package publisher to create a symlink pointing to
| arbitrary files on a user’s system when the package is
| installed. This behavior is still possible through install scripts.
| This vulnerability bypasses a user using the --ignore-scripts install
| option.

CVE-2019-16776[1]:
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary
| File Write. It fails to prevent access to folders outside of the
| intended node_modules folder through the bin field. A properly
| constructed entry in the package.json bin field would allow a package
| publisher to modify and/or gain access to arbitrary files on a
| user’s system when the package is installed. This behavior
| is still possible through install scripts. This vulnerability bypasses
| a user using the --ignore-scripts install option.

CVE-2019-16777[2]:
| Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary
| File Overwrite. It fails to prevent existing globally-installed
| binaries from being overwritten by other package installations. For
| example, if a package was installed globally and created a serve
| binary, any subsequent installs of packages that also create a serve
| binary would overwrite the previous serve binary. This behavior is
| still allowed in local installations and also through install scripts.
| This vulnerability bypasses a user using the --ignore-scripts install
| option.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16775
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
[1] https://security-tracker.debian.org/tracker/CVE-2019-16776
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
[2] https://security-tracker.debian.org/tracker/CVE-2019-16777
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel