Bug 1445306 (CVE-2016-10345)

Summary: CVE-2016-10345 passenger: File overwrite vulnerability in passenger-install-nginx-module
Product: [Other] Security Response
Component: vulnerability
Reporter: Andrej Nemec <anemec>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: rubygem-passenger 5.1.1
Last Closed: 2020-08-17 06:35:57 UTC
CC: abhgupta, apevec, bkearney, bperkins, brett.lentz, cbillett, ccoleman, chrisw, cvsbot-xmlrpc, dedgar, dmcphers, hhorak, jgoulding, jjoyce, jkaluza, jmatthew, joelsmith, jorton, jschluet, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, sclewis, sisharma, srevivo, tdawson, tdecacqu, tiwillia, tlestach, tsanders, vanmeeuwen+fedora
Bug Depends On: 1445307, 1445308, 1469883, 1469884, 1469886, 1469887, 1469892
Bug Blocks: 1445310

Description Andrej Nemec 2017-04-25 13:11:42 UTC
A file overwrite vulnerability was found in passenger caused by a predictable temporary file being written by passenger-install-nginx-module. With access to the system, a user could plant a symlink in /tmp that resulted in a chosen-file overwrite attempt whenever passenger-install-nginx-module was run, using the access rights of the executing user, potentially even with chosen content.

Upstream patch:

https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441

External References:

https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
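
The predictable-temporary-file pattern described in the report, reproduced inside a private sandbox directory next to two hardened alternatives. This is an added Ruby example, not code from passenger or from the upstream patch; the file name `installer-check.tmp` and all function names are hypothetical.

```ruby
require "tmpdir"

TMP_NAME = "installer-check.tmp" # hypothetical fixed name, not passenger's

# Unsafe: guessable name in a shared directory; File.write follows a
# symlink that is already sitting at that path.
def write_predictable(dir, data)
  File.write(File.join(dir, TMP_NAME), data)
end

# Hardened: O_CREAT|O_EXCL refuses any pre-existing entry (symlinks
# included); O_NOFOLLOW refuses a symlink in the final path component.
def write_exclusive(dir, data)
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(File.join(dir, TMP_NAME), flags, 0o600) { |f| f.write(data) }
end

# Preferred: work inside a fresh directory with a random name and mode
# 0700, so no other local user can pre-create entries in it.
def write_private(data)
  Dir.mktmpdir("installer-") do |private_dir|
    path = File.join(private_dir, "check.tmp")
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
    yield path
  end
end

# Constructed scenario: `shared` stands in for /tmp, `victim` for a file
# the installing user can write, and the symlink for the planted entry.
def demo
  Dir.mktmpdir("shared-") do |shared|
    victim = File.join(shared, "victim.conf")
    File.write(victim, "original")
    File.symlink(victim, File.join(shared, TMP_NAME))
    write_predictable(shared, "clobbered")
    unsafe = File.read(victim)          # the write went through the link
    File.write(victim, "original")      # reset before the hardened attempt
    refused = begin
      write_exclusive(shared, "clobbered")
      false
    rescue Errno::EEXIST, Errno::ELOOP
      true
    end
    { unsafe: unsafe, refused: refused, after_safe: File.read(victim) }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The exclusive-create form turns a planted entry into a hard failure the installer can report, while the private-directory form removes the shared, guessable path altogether.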

Comment 1 Andrej Nemec 2017-04-25 13:12:40 UTC
Created passenger tracking bugs for this issue:

Affects: epel-7 [bug 1445307]
Affects: fedora-all [bug 1445308]

Comment 2 Tomas Hoger 2017-04-27 18:23:50 UTC
This issue does not affect passenger packages in RHSCL, Fedora, and EPEL, as they do not include the affected passenger-install-nginx-module script. The script is removed during the package build, see e.g.:

http://pkgs.fedoraproject.org/cgit/rpms/passenger.git/tree/passenger.spec?h=f25&id=74773b8f#n223

Comment 3 Kurt Seifried 2017-07-12 03:36:27 UTC
Created ruby193-rubygem-passenger tracking bugs for this issue:

Affects: openshift-1 [bug 1469883]

Comment 4 Kurt Seifried 2017-07-12 03:37:06 UTC
Created rubygem-passenger tracking bugs for this issue:

Affects: openshift-1 [bug 1469884]