An arbitrary file read vulnerability was found in passenger. It allows users to list the contents of arbitrary files on the system, if Passenger is running as root (this is usually the case when it is used in the Nginx or Apache integration mode, and not affected by the user_switching option). Users must also have write access to an application (hosted by Passenger) running on the system in order to exploit the vulnerability. External References: https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
Created passenger tracking bugs for this issue:
Affects: epel-7 [bug 1513379]
Affects: fedora-all [bug 1513378]

Created ruby193-rubygem-passenger tracking bugs for this issue:
Affects: openshift-1 [bug 1513380]

Created rubygem-passenger tracking bugs for this issue:
Affects: openshift-1 [bug 1513381]
References: http://seclists.org/oss-sec/2017/q4/292
Upstream commit: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf

As part of the oss-sec discussion, it was pointed out that the part of the patch that removes the inferApplicationInfo() function implementation is not correct, as the #ifdef condition actually uses a defined macro. However, as the function is no longer called from prepareSpawn(), the security issue is resolved. http://seclists.org/oss-sec/2017/q4/294

In Passenger 4, the relevant code can be found in ext/common/ApplicationPool2/Spawner.h .
In the cpanel updates, this issue is described as: SEC-312: Stop reading the 'REVISION' file. This addresses an arbitrary file read vulnerability in passenger. If a file named REVISION is found in the application root directory, its content is read (with root privileges) and later exposed via passenger-status output. Hence a symlink attack can be used to read files accessible to the Passenger process (running as root, but possibly restricted by SELinux).
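The upstream fix simply stops reading the file. For cases where a root-running supervisor does need to read a small metadata file out of an application directory that the app owner can write to, the following added example (not Passenger's code, and not the upstream patch) shows the two checks that defeat the symlink trick described above: open with O_NOFOLLOW so a symlink in the final path component is refused, then fstat() the open descriptor and require a regular file owned by the application's user before reading it. The demo fixture under /tmp, the "REVISION" and "REVISION_link" names and the "deadbeef" content are constructed for this example.

```cpp
// Added example, not Passenger code: read a per-application metadata file
// (e.g. REVISION) as a privileged process without following symlinks and
// only when the application's own user owns it.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>

// Reads `path` into `out` and returns true only if the final path component
// is not a symlink (O_NOFOLLOW), the object is a regular file, it is owned by
// expectedUid, and it is at most maxBytes long. Checking the opened fd with
// fstat() avoids a check-then-open race on the path.
bool readAppOwnedFile(const std::string& path, uid_t expectedUid,
                      std::string& out, size_t maxBytes = 4096) {
    int fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return false;  // ELOOP here means "path is a symlink"
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expectedUid || st.st_size > (off_t)maxBytes) {
        close(fd);
        return false;
    }
    out.assign((size_t)st.st_size, '\0');
    size_t got = 0;
    while (got < out.size()) {
        ssize_t n = read(fd, &out[got], out.size() - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return false;
        }
        if (n == 0) break;
        got += (size_t)n;
    }
    out.resize(got);
    close(fd);
    return true;
}

struct DemoResult {
    bool regularRead;     // plain REVISION file owned by us: read succeeds
    bool symlinkRefused;  // symlink pointing at it: refused by O_NOFOLLOW
    bool foreignRefused;  // file owned by a different uid: refused
    std::string content;  // what was read in the successful case
};

// Builds a constructed fixture in a temporary directory and exercises the
// three cases above. The temp dir, file names and content are invented here.
DemoResult runDemo() {
    DemoResult r{false, false, false, ""};
    char tmpl[] = "/tmp/revision-demo-XXXXXX";  // constructed location
    char* dir = mkdtemp(tmpl);
    if (!dir) return r;
    std::string base(dir);
    std::string rev = base + "/REVISION";
    std::string link = base + "/REVISION_link";
    { std::ofstream f(rev); f << "deadbeef\n"; }  // constructed content
    symlink(rev.c_str(), link.c_str());

    r.regularRead = readAppOwnedFile(rev, getuid(), r.content);
    std::string scratch;
    r.symlinkRefused = !readAppOwnedFile(link, getuid(), scratch);
    // Pretend the app runs as a different user: ownership check must fail.
    r.foreignRefused = !readAppOwnedFile(rev, getuid() + 1, scratch);

    unlink(link.c_str());
    unlink(rev.c_str());
    rmdir(dir);
    return r;
}

int main() {
    DemoResult r = runDemo();
    std::printf("regular read ok: %d\nsymlink refused: %d\nforeign uid refused: %d\n",
                r.regularRead, r.symlinkRefused, r.foreignRefused);
    return (r.regularRead && r.symlinkRefused && r.foreignRefused) ? 0 : 1;
}
```

O_NOFOLLOW only covers the last path component; a symlinked parent directory is still followed, which is why the ownership check on the opened descriptor matters as a second line of defence. The ownership test also encodes the advisory's underlying rule: a root process should not hand an application's owner the contents of anything that owner could not already read.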
CVE-2017-1000384 is a reservation duplicate of CVE-2017-16355
(In reply to Sam Fowler from comment #7)
> CVE-2017-1000384 is a reservation duplicate of CVE-2017-16355

I can't find any reference to explain where/why this duplication occurred. Maybe upstream had CVE-2017-16355 assigned when the issue was fixed and updates released, but did not make it public at the time - just like they did not provide a detailed flaw description - and someone else requested the other CVE. The upstream advisory linked in comment 0 was updated since to note CVE-2017-16355 and also provide issue details, matching the analysis noted above.