Date: Wed, 29 Jan 2014 09:57:27 +0100 From: Raphael Geissert <geissert@...ian.org> To: oss-security@...ts.openwall.com Cc: "support@...sion.nl" <support@...sion.nl>, Jakub Wilk <jwilk@...ian.org> Subject: Re: CVE request: temporary file issue in Passenger rubygem Hi, On 29 January 2014 00:23, Vincent Danen <vdanen@...hat.com> wrote: > Phusion Passenger creates a "server instance directory" in /tmp during startup, > which is a temporary directory that Phusion Passenger uses to store working files. > This directory is deleted after Phusion Passenger exits. For various technical > reasons, this directory must have a semi-predictable filename. If a local attacker > can predict this filename, and precreates a symlink with the same filename that > points to an arbitrary directory with mode 755, owner root and group root, then > the attacker will succeed in making Phusion Passenger write files and create > subdirectories inside that target directory. Ah, nice catch Jakub. Needless to say, this is related to but different from CVE-2013-4136. One thing to notice, however, is that there's a race condition between the stat check introduced in 34b1087870c2. The following sequence still triggers the bogus behaviour: <user> mkdir $dir <phusion> lstat() (getFileTypeNoFollowSymlinks) <user> rmdir $dir <user> ln -s /target $dir <phusion> stat() (from verifyDirectoryPermissions) ... Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ