|
Message-ID: <51315259.4020405@redhat.com> Date: Fri, 01 Mar 2013 18:14:01 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Marcus Meissner <meissner@...e.de> Subject: Re: CVE Request: rubygem passenger security issue -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/01/2013 09:46 AM, Marcus Meissner wrote: > Hi, > > https://bugzilla.novell.com/show_bug.cgi?id=804722 > https://github.com/FooBarWidget/passenger/commit/8c6693e0818772c345c979840d28312c2edd4ba4#commitcomment-2643541 > > Quoting: > > There is a security issue regarding passenger that has been fixed > in master. However, this does only apply if you deploy arbitrary > untrusted apps on you server. Very unlikely for us but still I > thought it was worth to inform you. > > It fixes a security issue, but unless you're on a shared > environment it's not a grave issue. It allows an application > process to delete an arbitrary file, even a file it does not have > permi ssion to, but only during application startup (i.e. during > evaluation of config.ru). Once the application is started, it > cannot be exploited, so external visitors cannot influence this. If > you deploy arbitrary untrusted apps on your server then this issue > can be a problem. If all your apps are trusted (e.g. because your > organization wrote) them then there's no problem. PaaS. Third party apps, etc. I'm gonna go with a yes. Just because you deploy a poorly written/hostile app doesn't mean it should be able to hose your system completely. Please use CVE-2012-6135 for this issue. > Unquote > > I am not sure this warrants a CVE. > > Ciao, Marcus > - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRMVJZAAoJEBYNRVNeJnmTTy0P/1L2D/jZW2Tfu3VHUCkZGIGj F7tV0XRR0WM4U+ODOKXXbuaefxHfPk7jJbQH0nfSa01KXCE/RwO/Qm482w/3KeHD LXASONIfc1IQnTOWFTA7wMToB2m/P4MWFJNmKeDZEbYxVshBpuzLsN6ZKQghntaG ArHtHN1ul8A2ZD7o8aDHR7s9Jh5ml60MgFtzujUcX4eL25JdD6TLoMxywlob8WVo YWKgmCGbYrpIsz7m1xbEtrKw2v/F1l91E24HXILa/FcpRr6Wn2VLnyMA58XR7rKR JAh6dbSG58X9hlu2DMXWWvcFvVozmNoqQo23AXtRzdC/CIoau750Pw8g1PftDAk8 20CCM6yFwhFrRQZPvPa/VpD6mAzGfbdzWhGqI3og04SGyA3quKA5tmohenO3ouOB ezQiM2fseYNxOh/ru1UTxh8FXOgeKs4kizj6BCdwoNrxOycMwA5Etm8XU4Lmrg1q w9Wtwz9cZ0d/X76HNJhIY/+QeT+52AQZlDfNMxx2PZ9fL0Y8xJuD5Z+Ap1j/pSui Rbt90I6eKEfbcTD7ATcyvFWZsTMdx6rUPTGihX9UEYhlYqV0rK8GLuJRr8x6/moE DHApL7DNeGjoCHg96BfzegV+c0ps9V5tg6zeoey3bVMCU3pJDmf5psDtjC10kyVZ vRLgujtWhoVcvsypttTe =eLao -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.