Bug 1513377 (CVE-2017-16355) - CVE-2017-16355 passenger: arbitrary file read via REVISION symlink
Summary: CVE-2017-16355 passenger: arbitrary file read via REVISION symlink
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-16355
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1513379 1513378 1513380 1513381
Blocks: 1513383
Reported: 2017-11-15 10:14 UTC by Andrej Nemec
Modified: 2021-02-17 01:14 UTC

Fixed In Version: passenger 5.1.11
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-30 12:10:18 UTC
Embargoed:


Description Andrej Nemec 2017-11-15 10:14:42 UTC
An arbitrary file read vulnerability was found in passenger. It allows users to list the contents of arbitrary files on the system, if Passenger is running as root (this is usually the case when it is used in the Nginx or Apache integration mode, and not affected by the user_switching option). Users must also have write access to an application (hosted by Passenger) running on the system in order to exploit the vulnerability.

External References:

https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/

Comment 1 Andrej Nemec 2017-11-15 10:15:19 UTC
Created passenger tracking bugs for this issue:

Affects: epel-7 [bug 1513379]
Affects: fedora-all [bug 1513378]


Created ruby193-rubygem-passenger tracking bugs for this issue:

Affects: openshift-1 [bug 1513380]


Created rubygem-passenger tracking bugs for this issue:

Affects: openshift-1 [bug 1513381]

Comment 2 Andrej Nemec 2017-11-20 09:59:46 UTC
References:

http://seclists.org/oss-sec/2017/q4/292

Comment 3 Tomas Hoger 2017-11-21 22:22:33 UTC
Upstream commit:

https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf

As part of the oss-sec discussion, it was pointed out that the part of the patch that removes the inferApplicationInfo() function implementation is not correct, as the #ifdef condition actually uses a defined macro.  However, as the function is no longer called from prepareSpawn(), the security issue is resolved.

http://seclists.org/oss-sec/2017/q4/294

In Passenger 4, the relevant code can be found in ext/common/ApplicationPool2/Spawner.h.

Comment 4 Tomas Hoger 2017-11-21 22:32:32 UTC
In the cpanel updates, this issue is described as:

SEC-312: Stop reading the 'REVISION' file. This addresses an arbitrary file read vulnerability in passenger.

If there is a file named REVISION found in the application root directory, its content is read (with root privileges) and its content is later exposed via passenger-status output.  Hence a symlink attack can be used to read files accessible to the Passenger process (running as root, but possibly restricted by SELinux).
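
For code that still has to read an application-controlled file such as REVISION from a privileged process, the read can be made to refuse symlinks. This is an added example, not part of the bug report and not Passenger's code or its upstream fix (which stopped reading the file). The function names, the owner check against `uid`, and the temporary-directory demo are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Passenger code): read <root>/REVISION into buf only
 * if it is a regular file owned by uid. Returns bytes read, or -1 if refused. */
ssize_t read_revision_safe(const char *root, uid_t uid, char *buf, size_t cap)
{
    char path[4096];
    struct stat st;
    ssize_t n;
    int fd, len = snprintf(path, sizeof path, "%s/REVISION", root);
    if (cap == 0 || len < 0 || (size_t)len >= sizeof path) return -1;
    /* O_NOFOLLOW: open() fails if REVISION is a symlink; O_NONBLOCK: no hang on a FIFO. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* Validate the opened descriptor, not the path, so it cannot be swapped afterwards. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) {
        close(fd);
        return -1;
    }
    n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed demo: 1 if a REVISION symlink is refused and a regular file is read. */
int demo(void)
{
    char dir[] = "/tmp/revdemoXXXXXX", rev[64], other[64], buf[32];
    FILE *f; int ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(rev, sizeof rev, "%s/REVISION", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (!(f = fopen(other, "w"))) return -1;
    fputs("abc123\n", f); fclose(f);
    if (symlink(other, rev) != 0) return -1;   /* REVISION -> other */
    ok = read_revision_safe(dir, geteuid(), buf, sizeof buf) == -1;
    unlink(rev); rename(other, rev);           /* REVISION is now a plain file */
    ok = ok && read_revision_safe(dir, geteuid(), buf, sizeof buf) == 7;
    unlink(rev); rmdir(dir);
    return ok;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

O_NOFOLLOW only covers the final path component, and the owner check is what rejects a hard link to a file owned by another user.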

Comment 7 Sam Fowler 2017-12-20 02:21:00 UTC
CVE-2017-1000384 is a reservation duplicate of CVE-2017-16355

Comment 8 Tomas Hoger 2017-12-20 08:56:04 UTC
(In reply to Sam Fowler from comment #7)
> CVE-2017-1000384 is a reservation duplicate of CVE-2017-16355

I can't find any reference to explain where/why this duplication occurred.  Maybe upstream had the CVE-2017-16355 assigned when the issue was fixed and updates released, but did not make it public at the time - just like they did not provide detailed flaw description - and someone else requested the other CVE.  The upstream advisory linked in comment 0 was updated since to note CVE-2017-16355 and also provide issue details, matching the analysis noted above.