
[SECURITY] [DLA 3383-1] grunt security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-3383-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
April 05, 2023                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : grunt
Version        : 1.0.1-8+deb10u2
CVE ID         : CVE-2022-1537

It was discovered that there was a potential local privilege
escalation in GruntJS, a multipurpose task runner and build system
tool.

file.copy operations in GruntJS were vulnerable to a TOCTOU
("time-of-check vs. time-of-use") race condition that could have led
to arbitrary file writes in GitHub repositories. This could then have
led to local privilege escalation if a lower-privileged user had
write access to both source and destination directories, as the
lower-privileged user could have created a symlink to the GruntJS
user's ~/.bashrc configuration file, for example.

For Debian 10 buster, this problem has been fixed in version
1.0.1-8+deb10u2.

We recommend that you upgrade your grunt packages.

For the detailed security status of grunt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/grunt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
