Date: Fri, 01 Mar 2013 18:14:01 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request: rubygem passenger security issue

On 03/01/2013 09:46 AM, Marcus Meissner wrote:
> Hi,
>
> https://bugzilla.novell.com/show_bug.cgi?id=804722
> https://github.com/FooBarWidget/passenger/commit/8c6693e0818772c345c979840d28312c2edd4ba4#commitcomment-2643541
>
> Quoting:
>
> There is a security issue regarding passenger that has been fixed
> in master. However, this only applies if you deploy arbitrary
> untrusted apps on your server. Very unlikely for us, but still I
> thought it was worth it to inform you.
>
> It fixes a security issue, but unless you're on a shared
> environment it's not a grave issue. It allows an application
> process to delete an arbitrary file, even a file it does not have
> permission to, but only during application startup (i.e. during
> evaluation of config.ru). Once the application is started, it
> cannot be exploited, so external visitors cannot influence this. If
> you deploy arbitrary untrusted apps on your server then this issue
> can be a problem. If all your apps are trusted (e.g. because your
> organization wrote them) then there's no problem.

PaaS. Third party apps, etc. I'm gonna go with a yes. Just because you
deploy a poorly written/hostile app doesn't mean it should be able to
hose your system completely.

Please use CVE-2012-6135 for this issue.

> Unquote
>
> I am not sure this warrants a CVE.
>
> Ciao, Marcus

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
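The quoted description gives the shape of the bug class (an unprivileged application process, during startup, gets a privileged Passenger component to delete a path of the app's choosing) but not the mechanism, and neither the Bugzilla entry nor the commit is reproduced on this page. The following is an added illustration written for this archive page, not Passenger's code and not the actual fix in the linked commit. It assumes a hypothetical supervisor that unlinks a path "reported" by the app at startup, shows two ways an app can abuse that (naming a foreign path outright, or planting a symlinked directory inside its own spawn directory so a local-looking path resolves elsewhere), and beside it the check a reviewer would ask for: resolve the path and only act on a regular, supervisor-owned file directly inside the spawn directory the supervisor created. All file names and directories are constructed for the demonstration.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical "supervisor" cleanup as a privileged component might do it:
# it trusts the path the application reported during startup and unlinks it.
# unlink(2) does not follow a symlink at the final component, but it does
# follow symlinks in intermediate components, so a link planted by the app
# inside its spawn directory is enough to redirect the delete elsewhere.
def cleanup_unchecked(reported_path)
  File.delete(reported_path)
  true
rescue SystemCallError
  false
end

# Hardened version (added example, not Passenger's fix): the reported path
# is only honoured if it resolves to a regular file directly inside the
# spawn directory the supervisor itself created and owns.
def cleanup_checked(spawn_dir, reported_path)
  real_dir  = File.realpath(spawn_dir)
  real_path = File.realpath(reported_path)  # resolves every symlink; raises ENOENT if missing
  # Rejects absolute paths elsewhere, "..", and symlinked intermediate dirs.
  return false unless File.dirname(real_path) == real_dir
  # The name the app gave must itself be a regular file we own, not a link.
  st = File.lstat(reported_path)
  return false unless st.file? && st.uid == Process.uid
  # Note: this is still check-then-act; a hostile app could race the window
  # between lstat and delete. The robust design is for the privileged side
  # not to unlink on the app's behalf at all, or to use unlinkat(2) on a
  # directory fd it opened itself. Ruby's stdlib has no unlinkat binding.
  File.delete(real_path)
  true
rescue SystemCallError
  false
end

# Constructed scenario: four "victim" files outside the spawn directory,
# two attacks against each cleanup variant, plus the legitimate case.
def simulate
  results = {}
  Dir.mktmpdir("passenger-demo") do |root|
    spawn_dir = File.join(root, "spawn")
    outside   = File.join(root, "outside")
    Dir.mkdir(spawn_dir)
    Dir.mkdir(outside)
    %w[a b c d].each { |n| File.write(File.join(outside, "#{n}.conf"), "data") }

    # Attack 1: the app simply names a file it has no business touching.
    a = File.join(outside, "a.conf")
    results[:unchecked_direct] = cleanup_unchecked(a) && !File.exist?(a)

    # Attack 2: the app plants spawn/evil -> outside, then reports a path
    # that looks local; unlink(2) follows the intermediate link.
    File.symlink(outside, File.join(spawn_dir, "evil"))
    b = File.join(outside, "b.conf")
    results[:unchecked_via_link] =
      cleanup_unchecked(File.join(spawn_dir, "evil", "b.conf")) && !File.exist?(b)

    # The same two attacks against the hardened version are refused.
    c = File.join(outside, "c.conf")
    results[:checked_direct] = !cleanup_checked(spawn_dir, c) && File.exist?(c)
    d = File.join(outside, "d.conf")
    results[:checked_via_link] =
      !cleanup_checked(spawn_dir, File.join(spawn_dir, "evil", "d.conf")) && File.exist?(d)

    # The legitimate case still works: a real file the supervisor made in spawn_dir.
    legit = File.join(spawn_dir, "startup.tmp")
    File.write(legit, "")
    results[:checked_legit] = cleanup_checked(spawn_dir, legit) && !File.exist?(legit)
  end
  results
end

if $PROGRAM_NAME == __FILE__
  simulate.each { |k, v| puts "#{k}: #{v}" }
end
```

Run it as a script and every entry prints `true`: both attacks succeed against the trusting cleanup and fail against the checked one, while the genuine temp file is still removed. The comparison in `cleanup_checked` is deliberately on the resolved path's parent, not on a string prefix, so `spawn/../outside/x` and `spawn/evil/x` are both caught by the same test.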