oss-sec mailing list archives

Re: phusion passenger CVE-2017-1000384

From: John Lightsey <jd () cpanel net>
Date: Fri, 17 Nov 2017 14:58:43 -0600

On 11/17/17 2:15 PM, Kurt Seifried wrote:

Assigned CVE-2017-1000384 to
https://github.com/phusion/passenger/commit/a63f1e9cd8148dfaac08b00d74ef2b59bc2c9dd4

https://bugs.gentoo.org/634452

Please note: you have to have Phusion Passenger in a dir not owned by root,
and then run it as root (hint: that's never a good idea with anything).


The commit for the arbitrary file read vulnerability mentioned in the
Gentoo bug report is actually this one:

https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf

I'm not sure if the other commit was fixing an actual flaw or just
intended as hardening.

Passenger switches IDs to the user that's supposed to run the passenger
application. The problem we reported was that some of the application
data was read and stored before the ID switching took place.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

phusion passenger CVE-2017-1000384 Kurt Seifried (Nov 17)
- Re: phusion passenger CVE-2017-1000384 John Lightsey (Nov 17)
  - Re: phusion passenger CVE-2017-1000384 Jakub Wilk (Nov 17)
    - Re: phusion passenger CVE-2017-1000384 John Lightsey (Nov 17)
    - Re: phusion passenger CVE-2017-1000384 Dave Horsfall (Nov 17)
  - Re: phusion passenger CVE-2017-1000384 Tomas Hoger (Nov 21)
    - Re: phusion passenger CVE-2017-1000384 John Lightsey (Nov 21)