oss-sec mailing list archives
Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119)
From: vladz <vladz () devzero fr>
Date: Mon, 10 Jun 2013 20:30:48 +0200
Hi, On Mon, Jun 10, 2013 at 04:54:21PM +0200, Raphael Geissert wrote:
While looking at CVE-2013-2119 I noticed that Phusion Passenger 2.2.11's ext/common/Utils.cpp makeDirTemp() uses mkdir(1) to create directories in /tmp (e.g. /tmp/phusion.$$) for use by the application and web server.
I think you meant makeDirTree() for the function name and not
makeDirTemp(), am I correct?
I don't know much about the tool but snipped the code around the mkdir()
function for other people to see:
$ cat -n ruby-passenger-3.0.13debian/ext/common/Utils.cpp
[...]
486 do {
487 ret = mkdir(current.c_str(), modeBits);
488 } while (ret == -1 && errno == EINTR);
489 if (ret == -1) {
490 if (errno == EEXIST) {
491 // Ignore error and don't chmod/chown.
492 continue;
493 } else {
494 int e = errno;
495 throw FileSystemException("Cannot create directory '" + current + "'",
496 e, current);
497 }
498 }
Does anyone know enough about phusion passenger to know what the impact could be? (and depending on that, assigning CVE id(s))
I don't see any problem here. The mkdir() return code appears to be checked correctly and chmod/chown ignored if directory was previously created. Cheers.
Current thread:
- Insecure temp files usage in phusion passenger (other than CVE-2013-2119) Raphael Geissert (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) vladz (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) Larry W. Cashdollar (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) vladz (Jun 10)