Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 616638 (CVE-2016-10345) - <www-apache/passenger-5.1.2: File overwrite vulnerability in passenger-install-nginx-module
Summary: <www-apache/passenger-5.1.2: File overwrite vulnerability in passenger-instal...
Status: RESOLVED FIXED
Alias: CVE-2016-10345
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-26 08:03 UTC by Agostino Sarubbo
Modified: 2017-04-30 12:12 UTC (History)
2 users (show)

See Also:
Package list:
www-apache/passenger-5.1.2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-04-26 08:03:28 UTC
From ${URL} :

A file overwrite vulnerability was found in passenger caused by a predictable temporary file being written by passenger-install-nginx-module. With access to the system, a user could 
plant a symlink in /tmp that resulted in a chosen-file overwrite attempt whenever passenger-install-nginx-module was run, using the access rights of the executing user, potentially 
even with chosen content.

Upstream patch:

https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441

External References:

https://blog.phusion.nl/2017/01/10/passenger-5-1-1/


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Hans de Graaff gentoo-dev 2017-04-27 05:44:21 UTC
We can stable the latest version, passenger 5.1.2, now.
Comment 2 Agostino Sarubbo gentoo-dev 2017-04-27 10:15:00 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-04-27 10:44:02 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 01:35:29 UTC
Maintainer(s), Thank you for your work.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 5 Hans de Graaff gentoo-dev 2017-04-30 08:42:38 UTC
(In reply to Yury German from comment #4)

> Maintainer(s), please drop the vulnerable version(s).

Done.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 12:12:33 UTC
Thank you all for you work. 
Closing as [noglsa].