Re: Re: Insecure temp files usage in phusion passenger (other than CVE-2013-2119)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/15/2013 08:37 AM, Raphael Geissert wrote:
> Hi again,
>
> On 10 June 2013 16:54, Raphael Geissert <geissert () debian org>
> wrote:
> > While looking at  CVE-2013-2119 I noticed that Phusion Passenger 
> > 2.2.11's ext/common/Utils.cpp makeDirTemp() uses mkdir(1) to
> > create directories in /tmp (e.g. /tmp/phusion.$$) for use by the
> > application and web server. A local user could create the
> > directories and have write access to directories, and possibly
> > files used by the application. I haven't confirmed, but I guess
> > this would allow some sort of privilege escalation to the user
> > executing the application or at least access to otherwise
> > restricted data.
> >
> > Additionally, some of the subdirectories might be chown(2)ed to
> > a different user even if the directory already existed (it chowns
> > iff mkdir(1) returns 0). Not sure if it could have an impact,
> > however.
>
> After talking to upstream, the above issue with the temp directory
> has been fixed in 4.0.6 (release withdrawn and replaced by 4.0.7
> due to a regression), and a regression fixed in 4.0.8[2]. The issue
> was tracked as #910[3].
>
> Could a CVE id be assigned then?
>
> It allows a local user to DoS the service or to take over its
> traffic.
>
> [1]http://blog.phusion.nl/2013/07/04/phusion-passenger-4-0-6-released/
Bug fix:
https://github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b
> [2]http://blog.phusion.nl/2013/07/09/phusion-passenger-4-0-8-released/
Regression fix:
> https://github.com/phusion/passenger/commit/9dda49f4a3ebe9bafc48da1bd45799f30ce19566
[3]https://code.google.com/p/phusion-passenger/issues/detail?id=910
> Cheers, -- Raphael Geissert - Debian Developer www.debian.org -
> get.debian.net

Please use CVE-2013-4136 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR5YUhAAoJEBYNRVNeJnmT0xUQANA2upj/XcARdB6ZslRZfyiR
sC0I4khYvEt8wZMG6FTgb3f0vN7tPZoxcZt5O2mxxUyWYc/4iVueiB6a77Qx7lth
wJ98fdLRb7UUJK5N3JHPIQm1BuvE83svUTuodDnnesrcMTJA/iFHZ59wAK7MXPn/
mpVHGbNhfdvNxwL7k4CcuNXng/4xm7Pg9dCngNd4uSvmbUKQCbENtnIePUPs6Lwx
dnia4pKaDfRFZ+WeK8OYT4sRxnf4rImbwV6kwF3+SvxpsdyA8P0XOx0+Lx8pNnHL
AwBTZxNmDehbUJ8vuKMGbPsCwsjQKudoJFk+BmGPF5nC1aVbHKHPi5fL5ydzf0nm
GJ9yMHTOAIuFApzh3j0kCX/K7Jfwynr3y3xI8hLzaf2rjR/nc1jzn/Si24zZG6Z9
GvSwL2EOHNtzxXXkQF4JZARS3n+B73K4w7hdiX58ZGim1q9551EEghSc/qBbiTGn
svU+Z/Zz528mCv9AGHLK8C7y6BSDFJLrzLHuH6hx5AzVeM53Shb8oegcanObLAgj
GkB5CMDgn6T5obdx0bPUwGXnABt76RjGJ0P9dvZ4/pWfAEibZGZYDunZ7YomQuzU
qAljswBoUlMzngS3OrCpxB7gGf0AwcNnzo6yQTMvCKx4n9Ikjl1VeljD0SCVu1eW
VES+Vjb20flunp4/qLpY
=VvTG
-----END PGP SIGNATURE-----