- Package: src:node-tmp
- Source: src:node-tmp
- Submitter: Salvatore Bonaccorso
- Date: 2025-08-22 15:35:12 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for node-tmp.

CVE-2025-54798[0]:
| tmp is a temporary file and directory creator for node.js. In
| versions 0.2.3 and below, tmp is vulnerable to an arbitrary
| temporary file / directory write via symbolic link dir parameter.
| This is fixed in version 0.2.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54798
    https://www.cve.org/CVERecord?id=CVE-2025-54798
[1] https://github.com/raszi/node-tmp/issues/207
[2] https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
[3] https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b

Regards,
Salvatore
Dear maintainer,

I've prepared an NMU for node-tmp (versioned as 0.2.2+dfsg+~0.2.3-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian
We believe that the bug you reported is fixed in the latest version of
node-tmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1110532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated node-tmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 10 Aug 2025 22:14:13 +0300
Source: node-tmp
Architecture: source
Version: 0.2.2+dfsg+~0.2.3-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1110532
Changes:
 node-tmp (0.2.2+dfsg+~0.2.3-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-54798: Arbitrary file write (Closes: #1110532)
We believe that the bug you reported is fixed in the latest version of
node-tmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1110532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated node-tmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 17 Aug 2025 19:11:35 +0300
Source: node-tmp
Architecture: source
Version: 0.2.2+dfsg+~0.2.3-1.1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1110532
Changes:
 node-tmp (0.2.2+dfsg+~0.2.3-1.1~deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for trixie.
 .
 node-tmp (0.2.2+dfsg+~0.2.3-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-54798: Arbitrary file write (Closes: #1110532)
We believe that the bug you reported is fixed in the latest version of
node-tmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1110532@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated node-tmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 17 Aug 2025 19:42:55 +0300
Source: node-tmp
Architecture: source
Version: 0.2.2+dfsg+~0.2.3-1.1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1110532
Changes:
 node-tmp (0.2.2+dfsg+~0.2.3-1.1~deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for bookworm.
 .
 node-tmp (0.2.2+dfsg+~0.2.3-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-54798: Arbitrary file write (Closes: #1110532)