[High] Snyk: Arbitrary File Overwrite (due 6/15/19)

[jason-upchurch]

Arbitrary File Overwrite

Vulnerable module: fstream
Introduced through: npm@6.8.0

Detailed paths and remediation

• Introduced through: fec-cms@1.0.0 › npm@6.8.0 › libnpm@2.0.1 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1 › fstream@1.0.11
  Remediation: Your dependencies are out of date, otherwise you would be using a newer fstream than fstream@1.0.11. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
• Introduced through: fec-cms@1.0.0 › npm@6.8.0 › libcipm@3.0.3 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1 › fstream@1.0.11
  Remediation: Your dependencies are out of date, otherwise you would be using a newer fstream than fstream@1.0.11. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
• Introduced through: fec-cms@1.0.0 › npm@6.8.0 › libnpm@2.0.1 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › fstream@1.0.11
  Remediation: Your dependencies are out of date, otherwise you would be using a newer fstream than fstream@1.0.11. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
• Introduced through: fec-cms@1.0.0 › npm@6.8.0 › libcipm@3.0.3 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › fstream@1.0.11
  Remediation: Your dependencies are out of date, otherwise you would be using a newer fstream than fstream@1.0.11. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
• Introduced through: fec-cms@1.0.0 › npm@6.8.0 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › tar@2.2.1 › fstream@1.0.11
  Remediation: Your dependencies are out of date, otherwise you would be using a newer fstream than fstream@1.0.11. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
• Introduced through: fec-cms@1.0.0 › npm@6.8.0 › npm-lifecycle@2.1.0 › node-gyp@3.8.0 › fstream@1.0.11
  Remediation: Your dependencies are out of date, otherwise you would be using a newer fstream than fstream@1.0.11. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
• Introduced through: fec-cms@1.0.0 › npm@6.8.0 › node-gyp@3.8.0 › tar@2.2.1 › fstream@1.0.11
  Remediation: Your dependencies are out of date, otherwise you would be using a newer fstream than fstream@1.0.11. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
• Introduced through: fec-cms@1.0.0 › npm@6.8.0 › node-gyp@3.8.0 › fstream@1.0.11
  Remediation: Your dependencies are out of date, otherwise you would be using a newer fstream than fstream@1.0.11. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.

Vulnerable functions

lib/writer.Writer.prototype._stat.statCb()

Overview

fstream is a None

Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Remediation

Upgrade fstream to version 1.0.12 or higher.

[rfultz]

Moving this to blocked since we're still waiting on an update to node-gyp and npm and we're not using the tarball functionality.

[dorothyyeager]

Still blocked; moving to 9.2.

[dorothyyeager]

Moving to 9.4; PR needs review.