Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: rubygem passenger security issue
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 01 Mar 2013 18:14:01 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/01/2013 09:46 AM, Marcus Meissner wrote:
Hi,

https://bugzilla.novell.com/show_bug.cgi?id=804722 
https://github.com/FooBarWidget/passenger/commit/8c6693e0818772c345c979840d28312c2edd4ba4#commitcomment-2643541

 Quoting:

There is a security issue regarding passenger that has been fixed
in master. However, this does only apply if you deploy arbitrary 
untrusted apps on you server. Very unlikely for us but still I
thought it was worth to inform you.

It fixes a security issue, but unless you're on a shared
environment it's not a grave issue. It allows an application
process to delete an arbitrary file, even a file it does not have
permi ssion to, but only during application startup (i.e. during
evaluation of config.ru). Once the application is started, it
cannot be exploited, so external visitors cannot influence this. If
 you deploy arbitrary untrusted apps on your server then this issue
can be a problem. If all your apps are trusted (e.g. because your
organization wrote) them then there's no problem.

PaaS. Third party apps, etc. I'm gonna go with a yes. Just because you
deploy a poorly written/hostile app doesn't mean it should be able to
hose your system completely.

Please use CVE-2012-6135 for this issue.

Unquote

I am not sure this warrants a CVE.

Ciao, Marcus



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRMVJZAAoJEBYNRVNeJnmTTy0P/1L2D/jZW2Tfu3VHUCkZGIGj
F7tV0XRR0WM4U+ODOKXXbuaefxHfPk7jJbQH0nfSa01KXCE/RwO/Qm482w/3KeHD
LXASONIfc1IQnTOWFTA7wMToB2m/P4MWFJNmKeDZEbYxVshBpuzLsN6ZKQghntaG
ArHtHN1ul8A2ZD7o8aDHR7s9Jh5ml60MgFtzujUcX4eL25JdD6TLoMxywlob8WVo
YWKgmCGbYrpIsz7m1xbEtrKw2v/F1l91E24HXILa/FcpRr6Wn2VLnyMA58XR7rKR
JAh6dbSG58X9hlu2DMXWWvcFvVozmNoqQo23AXtRzdC/CIoau750Pw8g1PftDAk8
20CCM6yFwhFrRQZPvPa/VpD6mAzGfbdzWhGqI3og04SGyA3quKA5tmohenO3ouOB
ezQiM2fseYNxOh/ru1UTxh8FXOgeKs4kizj6BCdwoNrxOycMwA5Etm8XU4Lmrg1q
w9Wtwz9cZ0d/X76HNJhIY/+QeT+52AQZlDfNMxx2PZ9fL0Y8xJuD5Z+Ap1j/pSui
Rbt90I6eKEfbcTD7ATcyvFWZsTMdx6rUPTGihX9UEYhlYqV0rK8GLuJRr8x6/moE
DHApL7DNeGjoCHg96BfzegV+c0ps9V5tg6zeoey3bVMCU3pJDmf5psDtjC10kyVZ
vRLgujtWhoVcvsypttTe
=eLao
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault