oss-sec mailing list archives
Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119)
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 10 Jun 2013 19:49:53 +0000 (GMT)
I think he is saying the directory can be hijacked if a malicious user creates the directory first they will retain read/write access to it. On Jun 10, 2013, at 11:30 AM, vladz <vladz () devzero fr> wrote:
Hi, On Mon, Jun 10, 2013 at 04:54:21PM +0200, Raphael Geissert wrote: > While looking at CVE-2013-2119 I noticed that Phusion Passenger > 2.2.11's ext/common/Utils.cpp makeDirTemp() uses mkdir(1) to create > directories in /tmp (e.g. /tmp/phusion.$$) for use by the application > and web server. I think you meant makeDirTree() for the function name and not makeDirTemp(), am I correct? I don't know much about the tool but snipped the code around the mkdir() function for other people to see: $ cat -n ruby-passenger-3.0.13debian/ext/common/Utils.cpp [...] 486 do { 487 ret = mkdir(current.c_str(), modeBits); 488 } while (ret == -1 && errno == EINTR); 489 if (ret == -1) { 490 if (errno == EEXIST) { 491 // Ignore error and don't chmod/chown. 492 continue; 493 } else { 494 int e = errno; 495 throw FileSystemException("Cannot create directory '" + current + "'", 496 e, current); 497 } 498 } > Does anyone know enough about phusion passenger to know what the > impact could be? > (and depending on that, assigning CVE id(s)) I don't see any problem here. The mkdir() return code appears to be checked correctly and chmod/chown ignored if directory was previously created. Cheers.
Current thread:
- Insecure temp files usage in phusion passenger (other than CVE-2013-2119) Raphael Geissert (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) vladz (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) Larry W. Cashdollar (Jun 10)
- Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119) vladz (Jun 10)