Re: CVE Request: rubygem passenger security issue

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/01/2013 09:46 AM, Marcus Meissner wrote:
> Hi,
>
> https://bugzilla.novell.com/show_bug.cgi?id=804722 
> https://github.com/FooBarWidget/passenger/commit/8c6693e0818772c345c979840d28312c2edd4ba4#commitcomment-2643541
>
>  Quoting:
>
> There is a security issue regarding passenger that has been fixed
> in master. However, this does only apply if you deploy arbitrary 
> untrusted apps on you server. Very unlikely for us but still I
> thought it was worth to inform you.
>
> It fixes a security issue, but unless you're on a shared
> environment it's not a grave issue. It allows an application
> process to delete an arbitrary file, even a file it does not have
> permi ssion to, but only during application startup (i.e. during
> evaluation of config.ru). Once the application is started, it
> cannot be exploited, so external visitors cannot influence this. If
>  you deploy arbitrary untrusted apps on your server then this issue
> can be a problem. If all your apps are trusted (e.g. because your
> organization wrote) them then there's no problem.

PaaS. Third party apps, etc. I'm gonna go with a yes. Just because you
deploy a poorly written/hostile app doesn't mean it should be able to
hose your system completely.

Please use CVE-2012-6135 for this issue.

> Unquote
>
> I am not sure this warrants a CVE.
>
> Ciao, Marcus


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRMVJZAAoJEBYNRVNeJnmTTy0P/1L2D/jZW2Tfu3VHUCkZGIGj
F7tV0XRR0WM4U+ODOKXXbuaefxHfPk7jJbQH0nfSa01KXCE/RwO/Qm482w/3KeHD
LXASONIfc1IQnTOWFTA7wMToB2m/P4MWFJNmKeDZEbYxVshBpuzLsN6ZKQghntaG
ArHtHN1ul8A2ZD7o8aDHR7s9Jh5ml60MgFtzujUcX4eL25JdD6TLoMxywlob8WVo
YWKgmCGbYrpIsz7m1xbEtrKw2v/F1l91E24HXILa/FcpRr6Wn2VLnyMA58XR7rKR
JAh6dbSG58X9hlu2DMXWWvcFvVozmNoqQo23AXtRzdC/CIoau750Pw8g1PftDAk8
20CCM6yFwhFrRQZPvPa/VpD6mAzGfbdzWhGqI3og04SGyA3quKA5tmohenO3ouOB
ezQiM2fseYNxOh/ru1UTxh8FXOgeKs4kizj6BCdwoNrxOycMwA5Etm8XU4Lmrg1q
w9Wtwz9cZ0d/X76HNJhIY/+QeT+52AQZlDfNMxx2PZ9fL0Y8xJuD5Z+Ap1j/pSui
Rbt90I6eKEfbcTD7ATcyvFWZsTMdx6rUPTGihX9UEYhlYqV0rK8GLuJRr8x6/moE
DHApL7DNeGjoCHg96BfzegV+c0ps9V5tg6zeoey3bVMCU3pJDmf5psDtjC10kyVZ
vRLgujtWhoVcvsypttTe
=eLao
-----END PGP SIGNATURE-----