Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 892813 (CVE-2013-2119) - CVE-2013-2119 rubygem-passenger: incorrect temporary file usage
Summary: CVE-2013-2119 rubygem-passenger: incorrect temporary file usage
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 968923 968930
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-07 22:05 UTC by Vincent Danen
Modified: 2023-05-12 22:48 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-07 05:11:56 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1136 0 normal SHIPPED_LIVE Moderate: rubygem-passenger security update 2013-08-05 19:51:26 UTC

Description Vincent Danen 2013-01-07 22:05:05 UTC 
Michael Scherer reported that the passenger ruby gem, when used in standalone mode, does not use temporary files in a secure manner.  In the lib/phusion_passenger/standalone/main.rb's create_nginx_controller function, passenger creates an nginx configuration file insecurely and starts nginx with that configuration file:

       @temp_dir        = "/tmp/passenger-standalone.#{$$}"
       @config_filename = "#{@temp_dir}/config"

If a local attacker were able to create a temporary directory that passenger uses and supply a custom nginx configuration file they could start an nginx instance with their own configuration file.  This could result in a denial of service condition for a legitimate service or, if passenger were executed as root (in order to have nginx listen on port 80, for instance), this could lead to a local root compromise.
Comment 1 Kurt Seifried 2013-05-25 07:26:28 UTC 
I have confirmed this is present in the passenger rubygem 4.0.3 (released May 24, 2013) as well 3.0.17 (the version Fedora 18 ships).
Comment 3 Kurt Seifried 2013-05-29 18:46:57 UTC 
This is now public and fixed in 3.0.21 and 4.0.5:

http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/
http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/

The source code fixes are available at:

4.0 series:
https://github.com/FooBarWidget/passenger/commit/bfe619eec3a337b4868b9928dc273e70a4a96f37

3.0 series
https://github.com/FooBarWidget/passenger/commit/0eaebb00f6b7327374069a7998064c68cc54e9f1
Comment 4 Hongli Lai 2013-05-29 19:58:56 UTC 
For the 3.0 series, 0eaebb00 is not complete. You also need 56d9d39f.
Comment 5 Jan Lieskovsky 2013-05-30 09:46:38 UTC 
This issue affects the versions of the rubygem-passenger package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6. Please schedule an update.
Comment 6 Jan Lieskovsky 2013-05-30 09:47:52 UTC 
Created rubygem-passenger tracking bugs for this issue

Affects: epel-6 [bug 968923]
Comment 7 Jan Lieskovsky 2013-05-30 10:03:00 UTC 
Created rubygem-passenger tracking bugs for this issue

Affects: fedora-all [bug 968930]
Comment 8 Murray McAllister 2013-07-31 03:10:44 UTC 
Acknowledgements:

This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
Comment 9 errata-xmlrpc 2013-08-05 15:53:39 UTC 
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise 1.2

Via RHSA-2013:1136 https://rhn.redhat.com/errata/RHSA-2013-1136.html
Note You need to log in before you can comment on or make changes to this bug.