Impact
- if Alice uses
grunt data (or grunt release) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website
- and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)
Patches
Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.
Workarounds
Specify the exact version of tzdata (like 2014d, full command being grunt data:2014d, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.
scovetta Analyst
Impact
grunt data(orgrunt release) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's websitePatches
Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.
Workarounds
Specify the exact version of tzdata (like
2014d, full command beinggrunt data:2014d, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.