oss-sec mailing list archives
Re: CVE request: temporary file issue in Passenger rubygem
From: Raphael Geissert <geissert () debian org>
Date: Wed, 29 Jan 2014 15:02:07 +0100
On 29 January 2014 09:57, Raphael Geissert <geissert () debian org> wrote: [...]
One thing to notice, however, is that there's a race condition between the stat check introduced in 34b1087870c2. The following sequence still triggers the bogus behaviour: <user> mkdir $dir <phusion> lstat() (getFileTypeNoFollowSymlinks) <user> rmdir $dir <user> ln -s /target $dir <phusion> stat() (from verifyDirectoryPermissions) ...
Upstream has now fixed this with the following commit (basically using the structure from lstat() for the two checks): https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0 Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Current thread:
- CVE request: temporary file issue in Passenger rubygem Vincent Danen (Jan 28)
- Re: CVE request: temporary file issue in Passenger rubygem Raphael Geissert (Jan 29)
- Re: CVE request: temporary file issue in Passenger rubygem Raphael Geissert (Jan 29)
- Re: CVE request: temporary file issue in Passenger rubygem cve-assign (Jan 30)
- Re: Re: CVE request: temporary file issue in Passenger rubygem Tomas Hoger (Feb 03)
- Re: CVE request: temporary file issue in Passenger rubygem Raphael Geissert (Jan 29)