Date: Tue, 16 Jul 2013 11:38:41 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Raphael Geissert <geissert@...ian.org>
Subject: Re: Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119)

On 07/15/2013 08:37 AM, Raphael Geissert wrote:
> Hi again,
>
> On 10 June 2013 16:54, Raphael Geissert <geissert@...ian.org> wrote:
>> While looking at CVE-2013-2119 I noticed that Phusion Passenger
>> 2.2.11's ext/common/Utils.cpp makeDirTemp() uses mkdir(1) to
>> create directories in /tmp (e.g. /tmp/phusion.$$) for use by the
>> application and web server. A local user could create the
>> directories and have write access to directories, and possibly
>> files used by the application. I haven't confirmed, but I guess
>> this would allow some sort of privilege escalation to the user
>> executing the application or at least access to otherwise
>> restricted data.
>>
>> Additionally, some of the subdirectories might be chown(2)ed to
>> a different user even if the directory already existed (it chowns
>> iff mkdir(1) returns 0). Not sure if it could have an impact,
>> however.
>
> After talking to upstream, the above issue with the temp directory
> has been fixed in 4.0.6 (release withdrawn and replaced by 4.0.7
> due to a regression), and a regression fixed in 4.0.8. The issue
> was tracked as #910.
>
> Could a CVE id be assigned then?
>
> It allows a local user to DoS the service or to take over its
> traffic.
>
> http://blog.phusion.nl/2013/07/04/phusion-passenger-4-0-6-released/
>
> Bug fix:
> https://github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b
>
> http://blog.phusion.nl/2013/07/09/phusion-passenger-4-0-8-released/
>
> Regression fix:
> https://github.com/phusion/passenger/commit/9dda49f4a3ebe9bafc48da1bd45799f30ce19566
>
> https://code.google.com/p/phusion-passenger/issues/detail?id=910
>
> Cheers,
> --
> Raphael Geissert - Debian Developer
> www.debian.org - get.debian.net

Please use CVE-2013-4136 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
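
The directory handling the quoted report asks for, as an added example that is not part of the original message and not Passenger's code: create the directory with mode 0700, treat an already existing path as a failure instead of adopting or chowning it, and verify the result. `make_private_dir` and `precreated_dir_is_refused` are hypothetical names, and the scratch path under /tmp is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create `path` as a directory only this user can use.
 * Returns 0 on success, -1 otherwise. An existing path is never adopted,
 * because in a world-writable parent any local user may have made it first. */
int make_private_dir(const char *path)
{
    struct stat st;

    if (mkdir(path, 0700) != 0)
        return -1;              /* includes EEXIST: refuse, never reuse or chown */

    /* Confirm what was created: a real directory, ours, no group/other bits. */
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        rmdir(path);
        return -1;
    }
    return 0;
}

/* Constructed scenario: a predictable name (pattern from the report) inside a
 * scratch directory. Returns 1 if a fresh name is accepted and the same name,
 * once it already exists, is refused; -1 if the scratch directory fails. */
int precreated_dir_is_refused(void)
{
    char base[] = "/tmp/tmpdir-demo-XXXXXX";
    char path[128];
    int first, second;

    if (mkdtemp(base) == NULL)  /* mkdtemp() picks an unpredictable name, mode 0700 */
        return -1;
    snprintf(path, sizeof path, "%s/phusion.%d", base, (int)getpid());
    first = make_private_dir(path);     /* nothing there yet: succeeds */
    second = make_private_dir(path);    /* now "pre-created": must fail */
    rmdir(path);
    rmdir(base);
    return first == 0 && second == -1;
}

int main(void)
{
    printf("pre-created directory refused: %d\n", precreated_dir_is_refused());
    return 0;
}
```

Where the name does not have to be predictable, `mkdtemp()` alone avoids the race, since it chooses the name and creates the directory in one step.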