zkat / cacache

💩💵 but for your data. If you've got the hash, we've got the cache ™ (moved)

Home Page: https://github.com/npm/cacache


help with potential security issue in chownr

pravi opened this issue · comments

This was reported long back, but without a response from its original maintainer: isaacs/chownr#14

It would be good if some of you can help fix this issue, or at least confirm the issue is not serious, as it affects cacache as well and it is blocking us from packaging cacache for Debian.

This isn't really a bug in cacache, and I think Debian made the choice to cause its own pain in the neck with the way it packages npm, so I'm just gonna close this as Someone Else's Problem™.

@zkat that is wishful thinking. It has nothing to do with Debian, just that we found the issue and want to fix it. Are you saying bugs in the dependencies of cacache don't affect cacache? The bug is present even if installed via npmjs.com. If you look at the recent comment on the original bug report isaacs/chownr#14 (comment), you will see this: the bug is now actually getting fixed in Node.js itself.

@pravi It's not that it doesn't affect cacache, but that I find it obnoxious for folks to make duplicate issues in multiple repositories when the issue is already being discussed and addressed in its intended place.

I'll bump chownr when it's been fixed on that end. Otherwise, I consider this issue to be a duplicate of the one in the chownr repo.

@zkat this was a call for help

@pravi I'm not a Debian maintainer, and there's literally nothing I'm gonna do except... tell the person who's already aware of the issue that the issue exists. I don't appreciate trying to apply additional pressure like this.

@zkat okay, noted, I won't bother you in future about any issues in any of the dependencies. Since I don't know much of JavaScript, I always have to ask others who know more JavaScript than me. My intention to ask here was only because I thought you were affected as well by this bug. As I already said, this was not specific to Debian; it was only found in Debian. More than applying pressure, since chownr is also Free Software, you could have actually fixed it as well. In many cases I got such help where other people sent pull requests when I asked for help. The beauty of Free Software is in its power of allowing anyone to fix any issues if there is an interest.