[DRE-maint] Bug#736958: ruby-passenger: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Wed Jan 29 10:25:06 UTC 2014
* Jakub Wilk <jwilk at debian.org>, 2014-01-28, 20:20:
>Upstream has just committed a fix a security vulnerability:
>https://github.com/phusion/passenger/commit/34b1087870c2
Raphael Geissert noticed[0] that the fix is incomplete:
>One thing to notice, however, is that there's a race condition between
>the stat check introduced in 34b1087870c2.
>The following sequence still triggers the bogus behaviour:
>
><user> mkdir $dir
><phusion> lstat() (getFileTypeNoFollowSymlinks)
><user> rmdir $dir
><user> ln -s /target $dir
><phusion> stat() (from verifyDirectoryPermissions)
[0] http://www.openwall.com/lists/oss-security/2014/01/29/6
--
Jakub Wilk
More information about the Pkg-ruby-extras-maintainers
mailing list