616638 – (CVE-2016-10345) <www-apache/passenger-5.1.2: File overwrite vulnerability in passenger-install-nginx-module

Bug 616638 (CVE-2016-10345) - <www-apache/passenger-5.1.2: File overwrite vulnerability in passenger-install-nginx-module

Summary: <www-apache/passenger-5.1.2: File overwrite vulnerability in passenger-instal...

Status:	RESOLVED FIXED

Alias:	CVE-2016-10345

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-04-26 08:03 UTC by Agostino Sarubbo
Modified:	2017-04-30 12:12 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	www-apache/passenger-5.1.2
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-04-26 08:03:28 UTC

From ${URL} :

A file overwrite vulnerability was found in passenger caused by a predictable temporary file being written by passenger-install-nginx-module. With access to the system, a user could 
plant a symlink in /tmp that resulted in a chosen-file overwrite attempt whenever passenger-install-nginx-module was run, using the access rights of the executing user, potentially 
even with chosen content.

Upstream patch:

https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441

External References:

https://blog.phusion.nl/2017/01/10/passenger-5-1-1/


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.

Comment 1 Hans de Graaff gentoo-dev

2017-04-27 05:44:21 UTC

We can stable the latest version, passenger 5.1.2, now.

Comment 2 Agostino Sarubbo gentoo-dev

2017-04-27 10:15:00 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2017-04-27 10:44:02 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 4 Yury German Gentoo Infrastructure

2017-04-28 01:35:29 UTC

Maintainer(s), Thank you for your work.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

Comment 5 Hans de Graaff gentoo-dev

2017-04-30 08:42:38 UTC

(In reply to Yury German from comment #4)

> Maintainer(s), please drop the vulnerable version(s).

Done.

Comment 6 Yury German Gentoo Infrastructure

2017-04-30 12:12:33 UTC

Thank you all for you work. 
Closing as [noglsa].