Bug 828005 (CVE-2013-2119) - VUL-1: CVE-2013-2119: rubygem-passenger: incorrect temporary file usage
Summary: VUL-1: CVE-2013-2119: rubygem-passenger: incorrect temporary file usage
Status: RESOLVED FIXED
Alias: CVE-2013-2119
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Deadline: 2014-08-20
Assignee: Victor Pereira
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp2:58406
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-03 15:25 UTC by Marcus Meissner
Modified: 2019-07-24 13:43 UTC (History)
7 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-07-03 15:25:39 UTC 
is public, via rh bugzilla

https://bugzilla.redhat.com/show_bug.cgi?id=892813

Michael Scherer reported that the passenger ruby gem, when used in standalone mode, does not use temporary files in a secure manner.  In the lib/phusion_passenger/standalone/main.rb's create_nginx_controller function, passenger creates an nginx configuration file insecurely and starts nginx with that configuration file:

       @temp_dir        = "/tmp/passenger-standalone.#{$$}"
       @config_filename = "#{@temp_dir}/config"

If a local attacker were able to create a temporary directory that passenger uses and supply a custom nginx configuration file they could start an nginx instance with their own configuration file.  This could result in a denial of service condition for a legitimate service or, if passenger were executed as root (in order to have nginx listen on port 80, for instance), this could lead to a local root compromise.
Comment 2 Marcus Meissner 2013-07-03 15:26:32 UTC 
Hongli Lai 2013-05-29 15:58:56 EDT:

For the 3.0 series, 0eaebb00 is not complete. You also need 56d9d39f.
Comment 3 Marcus Meissner 2013-07-03 15:26:49 UTC 
Schubi, do we deploy it in that kind of way?
Comment 4 Swamp Workflow Management 2013-07-03 22:00:24 UTC 
bugbot adjusting priority
Comment 11 SMASH SMASH 2014-07-23 07:45:27 UTC 
Affected packages:

SLE-11-SP2: rubygem-passenger
SLE-11-SP2-PRODUCTS: rubygem-passenger
Comment 13 Swamp Workflow Management 2014-07-23 08:51:37 UTC 
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2014-08-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58405
Comment 14 SMASH SMASH 2014-07-23 08:55:24 UTC 
Affected packages:

SLE-11-SP2: rubygem-passenger
SLE-11-SP2-PRODUCTS: rubygem-passenger
Comment 15 Sebastian Krahmer 2014-10-07 13:05:22 UTC 
released
Comment 16 Swamp Workflow Management 2014-10-07 21:04:56 UTC 
SUSE-SU-2014:1272-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 828005
CVE References: CVE-2013-2119
Sources used:
WebYaST 1.3 (src):    rubygem-passenger-3.0.14-0.11.1
SUSE Studio Onsite 1.3 (src):    rubygem-passenger-3.0.14-0.11.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-passenger-3.0.14-0.11.1
Comment 18 Andreas Stieger 2016-01-07 09:35:15 UTC 
Releasing for SLE-SLMS_1.3, SLE-STUDIOONSITE_1.3, SLE-WEBYAST_1.3
Comment 19 Swamp Workflow Management 2016-01-07 13:15:39 UTC 
SUSE-SU-2016:0042-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 828005,919726,956281
CVE References: CVE-2013-2119,CVE-2013-4136,CVE-2015-7519
Sources used:
SUSE Webyast 1.3 (src):    rubygem-passenger-3.0.14-0.14.1
SUSE Studio Onsite 1.3 (src):    rubygem-passenger-3.0.14-0.14.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-passenger-3.0.14-0.14.1
Comment 20 Marcus Meissner 2019-07-24 13:43:53 UTC 
.