The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html | VDB Entry Third Party Advisory |
http://seclists.org/fulldisclosure/2019/Apr/38 | Mailing List Third Party Advisory |
https://github.com/RUB-NDS/Johnny-You-Are-Fired | Third Party Advisory |
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf | Third Party Advisory |
https://github.com/yarnpkg/website/commits/master | Third Party Advisory |
https://www.openwall.com/lists/oss-security/2019/04/30/4 | Mailing List Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-05-16T16:12:53
Updated: 2019-05-16T16:12:53
Reserved: 2018-06-18T00:00:00
Link: CVE-2018-12556
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-05-16T17:29:00.730
Modified: 2019-05-21T14:03:11.490
Link: CVE-2018-12556
JSON object: View
Redhat Information
No data.
CWE