Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119)

["Larry W. Cashdollar" <larry0 () me com>]

I think he is saying the directory can be hijacked if a malicious user creates the directory first they will retain 
read/write access to it.

On Jun 10, 2013, at 11:30 AM, vladz <vladz () devzero fr> wrote:

> Hi,
>
> On Mon, Jun 10, 2013 at 04:54:21PM +0200, Raphael Geissert wrote:
> > While looking at CVE-2013-2119 I noticed that Phusion Passenger
> > 2.2.11's ext/common/Utils.cpp makeDirTemp() uses mkdir(1) to create
> > directories in /tmp (e.g. /tmp/phusion.$$) for use by the application
> > and web server.
>
> I think you meant makeDirTree() for the function name and not
> makeDirTemp(), am I correct?
>
> I don't know much about the tool but snipped the code around the mkdir()
> function for other people to see:
>
> $ cat -n ruby-passenger-3.0.13debian/ext/common/Utils.cpp
> [...]
> 486 do {
> 487 ret = mkdir(current.c_str(), modeBits);
> 488 } while (ret == -1 && errno == EINTR);
> 489 if (ret == -1) {
> 490 if (errno == EEXIST) {
> 491 // Ignore error and don't chmod/chown.
> 492 continue;
> 493 } else {
> 494 int e = errno;
> 495 throw FileSystemException("Cannot create directory '" + current + "'",
> 496 e, current);
> 497 }
> 498 }
>
> > Does anyone know enough about phusion passenger to know what the
> > impact could be?
> > (and depending on that, assigning CVE id(s))
>
> I don't see any problem here. The mkdir() return code appears to be
> checked correctly and chmod/chown ignored if directory was previously
> created.
>
> Cheers.