Bug 864352 (CVE-2014-1832) - VUL-0: CVE-2014-1832: rubygems-passenger: temporary file issue in Passenger rubygem
Summary: VUL-0: CVE-2014-1832: rubygems-passenger: temporary file issue in Passenger r...
Status: RESOLVED FIXED
Alias: CVE-2014-1832
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Deadline: 2014-02-25
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96237/
Whiteboard: maint:running:56274:important CVSSv2:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-18 09:22 UTC by Victor Pereira
Modified: 2016-09-08 20:26 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-02-18 09:22:33 UTC 
CVE-2014-1832

If a local attacker can predict this filename, and precreates a
symlink with the same filename that points to an arbitrary directory
with mode 755, owner root and group root, then the attacker will
succeed in making Phusion Passenger write files and create
subdirectories inside that target directory.

patch: https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0

References:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-1832.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1832
Comment 1 Swamp Workflow Management 2014-02-18 12:45:30 UTC 
The SWAMPID for this issue is 56274.
This issue was rated as important.
Please submit fixed packages until 2014-02-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Swamp Workflow Management 2014-02-18 23:00:12 UTC 
bugbot adjusting priority
Comment 3 SMASH SMASH 2014-02-19 10:25:10 UTC 
Affected packages:

SLE-11-SP3: rubygem-passenger
SLE-11-SP2: rubygem-passenger
SLE-11-SP2-PRODUCTS: rubygem-passenger
Comment 4 Benjamin Brunner 2014-02-24 15:10:39 UTC 
Are there any updates? The due date for submission is tomorrow, Feb. 25th.

Thanks.
Comment 5 Stefan Schubert 2014-02-25 08:12:53 UTC 
(In reply to comment #3)
> Affected packages:
> 
> SLE-11-SP3: rubygem-passenger
> SLE-11-SP2: rubygem-passenger
> SLE-11-SP2-PRODUCTS: rubygem-passenger

Just a question. The call:
isc maintained rubygem-passenger

returns

SUSE:SLE-11-SP1:Update:ATK:1.2:Update:Test/rubygem-passenger
#<Project:0x00000006e7cc18>/rubygem-passenger
SUSE:SLE-11-SP2:Update:Test/rubygem-passenger

What about  SP3 and some projects are not displayed correctly. Could you please point me to needed projects ?
Comment 6 Stefan Schubert 2014-02-25 08:13:32 UTC 
(In reply to comment #4)
> Are there any updates? The due date for submission is tomorrow, Feb. 25th.
> 
> Thanks.

I start today cause I have been on vacation last week. :-)
Comment 7 Stefan Schubert 2014-02-25 08:29:02 UTC 
As far I see only versions of 4.0* are affected.:
https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0

This has been a fix for version 4.0.37 or 4.0.37:

https://github.com/phusion/passenger/commit/34b10878

which has been a fix for:

"Affected versions: 4.0.5 and later"

As long we have no package with version >=4.0 we do not need an update. 

Or is there any product with version 4.0.* which I have overseen ?
Comment 8 Stefan Schubert 2014-02-26 10:32:38 UTC 
set need info
Comment 10 Stefan Schubert 2014-02-28 11:23:28 UTC 
I have updated factory. So I think we can close it....