CVE-2013-2119
First published: Mon Jan 07 2013(Updated: )
Michael Scherer reported that the passenger ruby gem, when used in standalone mode, does not use temporary files in a secure manner. In the lib/phusion_passenger/standalone/main.rb's create_nginx_controller function, passenger creates an nginx configuration file insecurely and starts nginx with that configuration file: @temp_dir = "/tmp/passenger-standalone.#{$$}" @config_filename = "#{@temp_dir}/config" If a local attacker were able to create a temporary directory that passenger uses and supply a custom nginx configuration file they could start an nginx instance with their own configuration file. This could result in a denial of service condition for a legitimate service or, if passenger were executed as root (in order to have nginx listen on port 80, for instance), this could lead to a local root compromise.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Phusion Passenger | <=3.0.20 | |
| Phusion Passenger | =3.0.0 | |
| Phusion Passenger | =3.0.1 | |
| Phusion Passenger | =3.0.2 | |
| Phusion Passenger | =3.0.3 | |
| Phusion Passenger | =3.0.4 | |
| Phusion Passenger | =3.0.5 | |
| Phusion Passenger | =3.0.6 | |
| Phusion Passenger | =3.0.7 | |
| Phusion Passenger | =3.0.8 | |
| Phusion Passenger | =3.0.9 | |
| Phusion Passenger | =3.0.10 | |
| Phusion Passenger | =3.0.11 | |
| Phusion Passenger | =3.0.12 | |
| Phusion Passenger | =3.0.13 | |
| Phusion Passenger | =3.0.14 | |
| Phusion Passenger | =3.0.15 | |
| Phusion Passenger | =3.0.17 | |
| Phusion Passenger | =3.0.18 | |
| Phusion Passenger | =3.0.19 | |
| Phusion Passenger | =4.0.1 | |
| Phusion Passenger | =4.0.2 | |
| Phusion Passenger | =4.0.3 | |
| Phusion Passenger | =4.0.4 | |
| Ruby-lang Ruby | ||
| Redhat Openshift | =1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/
- http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/
- https://github.com/FooBarWidget/passenger/commit/bfe619eec3a337b4868b9928dc273e70a4a96f37
- https://github.com/FooBarWidget/passenger/commit/0eaebb00f6b7327374069a7998064c68cc54e9f1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=968923
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=968930
- https://rhn.redhat.com/errata/RHSA-2013-1136.html
- https://bugzilla.redhat.com/show_bug.cgi?id=892813
- http://rhn.redhat.com/errata/RHSA-2013-1136.html
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-2119
- vendor/phusion
- canonical/phusion passenger
- version/phusion passenger/3.0.20
- version/phusion passenger/3.0.0
- version/phusion passenger/3.0.1
- version/phusion passenger/3.0.2
- version/phusion passenger/3.0.3
- version/phusion passenger/3.0.4
- version/phusion passenger/3.0.5
- version/phusion passenger/3.0.6
- version/phusion passenger/3.0.7
- version/phusion passenger/3.0.8
- version/phusion passenger/3.0.9
- version/phusion passenger/3.0.10
- version/phusion passenger/3.0.11
- version/phusion passenger/3.0.12
- version/phusion passenger/3.0.13
- version/phusion passenger/3.0.14
- version/phusion passenger/3.0.15
- version/phusion passenger/3.0.17
- version/phusion passenger/3.0.18
- version/phusion passenger/3.0.19
- version/phusion passenger/4.0.1
- version/phusion passenger/4.0.2
- version/phusion passenger/4.0.3
- version/phusion passenger/4.0.4
- vendor/ruby-lang
- canonical/ruby-lang ruby
- vendor/redhat
- canonical/redhat openshift
- version/redhat openshift/1.0