A file overwrite vulnerability was found in passenger caused by a predictable temporary file being written by passenger-install-nginx-module. With access to the system, a user could plant a symlink in /tmp that resulted in a chosen-file overwrite attempt whenever passenger-install-nginx-module was run, using the access rights of the executing user, potentially even with chosen content.

Upstream patch: https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441

External References: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
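The unsafe pattern described above (a fixed file name in a shared temporary directory) next to two safer ways of creating the file, as an added Ruby example that is not taken from the upstream patch or from this bug report. The file name installer-check.txt and all function names are hypothetical, and a scratch directory created by the demo stands in for /tmp.

```ruby
require "tmpdir"

# Hypothetical fixed name, standing in for any predictable temp file name.
PREDICTABLE_NAME = "installer-check.txt"

# Unsafe: mode "w" follows a symlink planted at the path and truncates
# whatever file it points to, with the rights of the running user.
def write_predictable(dir, content)
  path = File.join(dir, PREDICTABLE_NAME)
  File.open(path, "w") { |f| f.write(content) }
  path
end

# Safer: CREAT together with EXCL makes open() fail with EEXIST when the
# path already exists, and that includes a pre-planted symlink.
def write_exclusive(dir, content)
  path = File.join(dir, PREDICTABLE_NAME)
  flags = File::WRONLY | File::CREAT | File::EXCL
  File.open(path, flags, 0o600) { |f| f.write(content) }
  path
rescue Errno::EEXIST
  nil # refuse to continue instead of writing through the existing entry
end

# Preferred: Dir.mktmpdir creates a mode 0700 directory with an
# unpredictable name, so other local users cannot plant entries in it.
def write_in_private_dir(content)
  Dir.mktmpdir("installer-") do |private_dir|
    path = File.join(private_dir, "check.txt")
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(content) }
    File.read(path)
  end
end

# Constructed demonstration: "shared" plays the role of /tmp and
# victim.conf the role of a file the executing user is able to write.
def demo
  Dir.mktmpdir("demo-") do |shared|
    victim = File.join(shared, "victim.conf")
    File.write(victim, "original")
    File.symlink(victim, File.join(shared, PREDICTABLE_NAME))
    write_predictable(shared, "clobbered")
    after_unsafe = File.read(victim)
    File.write(victim, "original")
    result = write_exclusive(shared, "clobbered")
    [after_unsafe, result, File.read(victim)]
  end
end
```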
Created passenger tracking bugs for this issue:

Affects: epel-7 [bug 1445307]
Affects: fedora-all [bug 1445308]
This issue does not affect passenger packages in RHSCL, Fedora, and EPEL, as they do not include the affected passenger-install-nginx-module script. The script is removed during the package build, see e.g.: http://pkgs.fedoraproject.org/cgit/rpms/passenger.git/tree/passenger.spec?h=f25&id=74773b8f#n223
Created ruby193-rubygem-passenger tracking bugs for this issue: Affects: openshift-1 [bug 1469883]
Created rubygem-passenger tracking bugs for this issue: Affects: openshift-1 [bug 1469884]