Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Nov 2017 14:58:43 -0600
From: John Lightsey <jd@...nel.net>
To: oss-security@...ts.openwall.com
Subject: Re: phusion passenger CVE-2017-1000384

On 11/17/17 2:15 PM, Kurt Seifried wrote:
> Assigned CVE-2017-1000384 to
> https://github.com/phusion/passenger/commit/a63f1e9cd8148dfaac08b00d74ef2b59bc2c9dd4
> 
> https://bugs.gentoo.org/634452
> 
> Please note: you have to have Phusion Passenger in a dir not owned by root,
> and then run it as root (hint: that's never a good idea with anything).
> 

The commit for the arbitrary file read vulnerability mentioned in the
Gentoo bug report is actually this one:

https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf

I'm not sure if the other commit was fixing an actual flaw or just
intended as hardening.

Passenger switches IDs to the user that's supposed to run the passenger
application. The problem we reported was that some of the application
data was read and stored before the ID switching took place.


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3982 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.