[DRE-maint] Bug#736958: [oss-security] Re: CVE request: temporary file issue in Passenger rubygem

Tomas Hoger thoger at redhat.com
Mon Feb 3 13:59:48 UTC 2014


On Thu, 30 Jan 2014 09:26:33 -0500 (EST) cve-assign at mitre.org wrote:

> > If a local attacker can predict this filename, and precreates a
> > symlink with the same filename that points to an arbitrary directory
> > with mode 755, owner root and group root, then the attacker will
> > succeed in making Phusion Passenger write files and create
> > subdirectories inside that target directory.
> > 
> > It is fixed in upstream version 4.0.33.
> > 
> > https://github.com/phusion/passenger/commit/34b1087870c2bf85ebfd72c30b78577e10ab9744

...

> Use CVE-2014-1831 for the vulnerability with the "before 4.0.33"
> affected versions.
> 
> Use CVE-2014-1832 for the vulnerability with the "4.0.33 and earlier"
> affected versions.

Note that while the original CVE request mentions version 4.0.33, that
seems like a typo as upstream NEWS file indicates: Fixed versions:
4.0.37.  Consequently, the above should be "before 4.0.37" and "4.0.37
and earlier" (or "before 4.0.38").

-- 
Tomas Hoger / Red Hat Security Response Team
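
Added example, not part of the original message and not Passenger's code: a Ruby sketch of the symlink problem described in the quoted request. It assumes the weak check validates owner and mode with a symlink-following stat. The current user stands in for root so it runs unprivileged, and all file names are constructed.

```ruby
require "tmpdir"

# Weak check (assumed pattern): File.stat follows symlinks, so a symlink to
# any directory with the expected owner and mode passes.
def weak_dir_ok?(path, uid)
  st = File.stat(path)
  st.directory? && st.uid == uid && (st.mode & 0o777) == 0o755
rescue Errno::ENOENT
  false
end

# Hardened check: create the directory ourselves; if the name already exists,
# accept it only when lstat says it is a real directory (not a symlink) that
# we own and that group/other cannot write to.
def strict_dir_ok?(path, uid)
  Dir.mkdir(path, 0o700)
  true
rescue Errno::EEXIST
  st = File.lstat(path)
  !st.symlink? && st.directory? && st.uid == uid && (st.mode & 0o022).zero?
end

# Constructed scenario inside a private sandbox: "victim" stands in for the
# trusted 755 directory, "passenger.demo" for the predictable file name.
def demo
  Dir.mktmpdir("symlink-demo") do |sandbox|
    victim = File.join(sandbox, "victim")
    Dir.mkdir(victim)
    File.chmod(0o755, victim)
    predictable = File.join(sandbox, "passenger.demo")
    File.symlink(victim, predictable)   # pre-created before the server starts

    uid = Process.euid
    weak = weak_dir_ok?(predictable, uid)
    File.write(File.join(predictable, "server-file"), "x") if weak
    landed = File.exist?(File.join(victim, "server-file"))
    strict = strict_dir_ok?(predictable, uid)
    fresh = strict_dir_ok?(File.join(sandbox, "passenger.fresh"), uid)
    { weak: weak, landed_in_victim: landed, strict: strict, fresh: fresh }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

An lstat check followed by later use still leaves a window between the check and the write; creating the directory under a parent that only the server's user can write to removes the precondition altogether.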


