oss-sec mailing list archives
Re: phusion passenger CVE-2017-1000384
From: John Lightsey <jd () cpanel net>
Date: Fri, 17 Nov 2017 14:58:43 -0600
On 11/17/17 2:15 PM, Kurt Seifried wrote:
Assigned CVE-2017-1000384 to https://github.com/phusion/passenger/commit/a63f1e9cd8148dfaac08b00d74ef2b59bc2c9dd4 https://bugs.gentoo.org/634452 Please note: you have to have Phusion Passenger in a dir not owned by root, and then run it as root (hint: that's never a good idea with anything).
The commit for the arbitrary file read vulnerability mentioned in the Gentoo bug report is actually this one: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf I'm not sure if the other commit was fixing an actual flaw or just intended as hardening. Passenger switches IDs to the user that's supposed to run the passenger application. The problem we reported was that some of the application data was read and stored before the ID switching took place.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- phusion passenger CVE-2017-1000384 Kurt Seifried (Nov 17)
- Re: phusion passenger CVE-2017-1000384 John Lightsey (Nov 17)
- Re: phusion passenger CVE-2017-1000384 Jakub Wilk (Nov 17)
- Re: phusion passenger CVE-2017-1000384 John Lightsey (Nov 17)
- Re: phusion passenger CVE-2017-1000384 Dave Horsfall (Nov 17)
- Re: phusion passenger CVE-2017-1000384 Tomas Hoger (Nov 21)
- Re: phusion passenger CVE-2017-1000384 John Lightsey (Nov 21)
- Re: phusion passenger CVE-2017-1000384 Jakub Wilk (Nov 17)
- Re: phusion passenger CVE-2017-1000384 John Lightsey (Nov 17)