Bug 1445306 (CVE-2016-10345) - CVE-2016-10345 passenger: File overwrite vulnerability in passenger-install-nginx-module
Alias: CVE-2016-10345
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1445307 1445308 1469883 1469884 1469886 1469887 1469892
Blocks: 1445310
Reported: 2017-04-25 13:11 UTC by Andrej Nemec
Modified: 2021-02-17 02:13 UTC

Fixed In Version: rubygem-passenger 5.1.1
Last Closed: 2020-08-17 06:35:57 UTC


Description Andrej Nemec 2017-04-25 13:11:42 UTC
A file overwrite vulnerability was found in passenger caused by a predictable temporary file being written by passenger-install-nginx-module. With access to the system, a user could plant a symlink in /tmp that resulted in a chosen-file overwrite attempt whenever passenger-install-nginx-module was run, using the access rights of the executing user, potentially even with chosen content.

Upstream patch:


External References:


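The predictable-temporary-file pattern described in the report above, shown beside two hardened alternatives. This is an added example, not code from the bug report or from Passenger; the file name `installer-check.txt`, the function names and the sandbox layout are hypothetical, and the sandbox directory stands in for /tmp.

```ruby
require "tmpdir"
NAME = "installer-check.txt" # hypothetical fixed file name

# Unsafe: guessable path in a shared directory. Mode "w" follows an existing
# symlink and truncates whatever it points to.
def write_predictable(dir, content)
  File.open(File.join(dir, NAME), "w") { |f| f.write(content) }
end

# Hardened: CREAT|EXCL fails with EEXIST if anything, including a symlink,
# already occupies the path, so nothing behind a planted link is touched.
def write_exclusive(dir, content)
  flags = File::WRONLY | File::CREAT | File::EXCL
  File.open(File.join(dir, NAME), flags, 0o600) { |f| f.write(content) }
end

# Preferred: work inside a randomly named directory created with mode 0700,
# which other local users cannot pre-populate.
def write_in_private_dir(parent, content)
  Dir.mktmpdir("installer-", parent) do |private_dir|
    path = File.join(private_dir, NAME)
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(content) }
    yield path
  end
end

# Constructed sandbox: "shared" stands in for /tmp, "important.conf" for a
# file the executing user is able to write.
def demo
  Dir.mktmpdir("sandbox-") do |sandbox|
    Dir.mkdir(shared = File.join(sandbox, "shared"))
    target = File.join(sandbox, "important.conf")
    File.write(target, "original\n")
    File.symlink(target, File.join(shared, NAME))
    write_predictable(shared, "installer data\n")
    after_unsafe = File.read(target) # target now holds the installer's data
    File.write(target, "original\n") # reset before testing the hardened form
    blocked = begin
      write_exclusive(shared, "installer data\n")
      false
    rescue Errno::EEXIST
      true
    end
    mode = write_in_private_dir(shared, "x") { |path| File.stat(File.dirname(path)).mode & 0o777 }
    { after_unsafe: after_unsafe, blocked: blocked, after_safe: File.read(target), private_mode: mode }
  end
end
p demo if __FILE__ == $PROGRAM_NAME
```
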
Comment 1 Andrej Nemec 2017-04-25 13:12:40 UTC
Created passenger tracking bugs for this issue:

Affects: epel-7 [bug 1445307]
Affects: fedora-all [bug 1445308]

Comment 2 Tomas Hoger 2017-04-27 18:23:50 UTC
This issue does not affect passenger packages in RHSCL, Fedora, and EPEL, as they do not include the affected passenger-install-nginx-module script. The script is removed during the package build, see e.g.:


Comment 3 Kurt Seifried 2017-07-12 03:36:27 UTC
Created ruby193-rubygem-passenger tracking bugs for this issue:

Affects: openshift-1 [bug 1469883]

Comment 4 Kurt Seifried 2017-07-12 03:37:06 UTC
Created rubygem-passenger tracking bugs for this issue:

Affects: openshift-1 [bug 1469884]
