oss-sec mailing list archives
Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119)
From: vladz <vladz () devzero fr>
Date: Mon, 10 Jun 2013 20:30:48 +0200
Hi, On Mon, Jun 10, 2013 at 04:54:21PM +0200, Raphael Geissert wrote:
While looking at CVE-2013-2119 I noticed that Phusion Passenger 2.2.11's ext/common/Utils.cpp makeDirTemp() uses mkdir(1) to create directories in /tmp (e.g. /tmp/phusion.$$) for use by the application and web server.
I think you meant makeDirTree() for the function name and not makeDirTemp(), am I correct? I don't know much about the tool but snipped the code around the mkdir() function for other people to see: $ cat -n ruby-passenger-3.0.13debian/ext/common/Utils.cpp [...] 486 do { 487 ret = mkdir(current.c_str(), modeBits); 488 } while (ret == -1 && errno == EINTR); 489 if (ret == -1) { 490 if (errno == EEXIST) { 491 // Ignore error and don't chmod/chown. 492 continue; 493 } else { 494 int e = errno; 495 throw FileSystemException("Cannot create directory '" + current + "'", 496 e, current); 497 } 498 }
Does anyone know enough about phusion passenger to know what the impact could be? (and depending on that, assigning CVE id(s))
I don't see any problem here. The mkdir() return code appears to be checked correctly and chmod/chown ignored if directory was previously created. Cheers.
Current thread:
- Insecure temp files usage in phusion passenger (other than CVE-2013-2119) Raphael Geissert (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) vladz (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) Larry W. Cashdollar (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) vladz (Jun 10)