Your message dated Sat, 08 Mar 2014 18:34:14 +0000
with message-id <[email protected]>
and subject line Bug#736958: fixed in ruby-passenger 4.0.37-1
has caused the Debian Bug report #736958,
regarding ruby-passenger: CVE-2014-1831: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
736958: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736958
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ruby-passenger
Version: 4.0.35-1
Severity: important
Tags: security

Upstream has just committed a fix for a security vulnerability:
https://github.com/phusion/passenger/commit/34b1087870c2

Quoting the NEWS file:

Urgency: low
Scope: local exploit
Summary: writing files to arbitrary directory by hijacking temp directories
Affected versions: 4.0.5 and later
Fixed versions: 4.0.37

Description:
Phusion Passenger creates a "server instance directory" in /tmp during startup, which is a temporary directory that Phusion Passenger uses to store working files. This directory is deleted after Phusion Passenger exits. For various technical reasons, this directory must have a semi-predictable filename. If a local attacker can predict this filename, and precreates a symlink with the same filename that points to an arbitrary directory with mode 755, owner root and group root, then the attacker will succeed in making Phusion Passenger write files and create subdirectories inside that target directory. The following files/subdirectories are created:

* control_process.pid
* generation-X, where X is a number.

If you happen to have a file inside the target directory called `control_process.pid`, then that file's contents are overwritten.

These files and directories are deleted during Phusion Passenger exit. The target directory itself is not deleted, nor are any other contents inside the target directory, although the symlink is.

--
Jakub Wilk

--- End Message ---
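The NEWS excerpt above describes a classic shared-temp-directory weakness: a semi-predictable path under /tmp, a "create if missing, otherwise reuse" step, and a planted symlink that redirects the writes. The Ruby script below is an added illustration written for this page, not Passenger's own code (Passenger's core is C++), and all names in it (the `passenger.1.0.12345` directory name, the `target` directory, the `UnsafeTempDir` error) are constructed. It contrasts the weak pattern with a hardened one a reviewer would look for: `mkdir` must succeed (it does not follow symlinks, so a planted link yields `EEXIST` instead of a silent redirect), the result is verified with `lstat` rather than `stat`, and the name is made unpredictable. Everything runs inside a private `Dir.mktmpdir` sandbox owned by the current user.

```ruby
require 'tmpdir'
require 'securerandom'

# Weak pattern (constructed for this example): "create unless it exists".
# File.directory? follows symlinks, so a symlink planted at `path` that
# points to some other directory counts as "already exists" and every later
# write through `path` lands in that other directory.
def weak_ensure_dir(path)
  Dir.mkdir(path, 0755) unless File.directory?(path)
  path
end

class UnsafeTempDir < StandardError; end

# Hardened pattern: never reuse a pre-existing path, and check what mkdir
# actually produced with lstat (which does not follow symlinks).
def safe_ensure_dir(path)
  begin
    Dir.mkdir(path, 0700)            # mkdir(2) returns EEXIST for a planted symlink
  rescue Errno::EEXIST
    raise UnsafeTempDir, "#{path} already exists; refusing to reuse it"
  end
  st = File.lstat(path)
  unless st.directory? && st.uid == Process.euid && (st.mode & 0022).zero?
    raise UnsafeTempDir, "#{path} is not a private directory owned by us"
  end
  path
end

# Unpredictable name: the third defence. Dir.mktmpdir already creates the
# directory with mode 0700, so only the ownership/mode check remains.
def unpredictable_dir(parent)
  Dir.mktmpdir("instance-", parent)
end

# Sandbox test harness: a "target" directory plus a symlink planted where
# the semi-predictable instance directory would be created. Reports where
# control_process.pid ended up under each pattern.
def demo
  Dir.mktmpdir("symlink-demo") do |sandbox|
    target = File.join(sandbox, "target")
    Dir.mkdir(target)
    predictable = File.join(sandbox, "passenger.1.0.12345")   # constructed name
    File.symlink(target, predictable)

    # Weak pattern: the pid file is written through the symlink into target.
    weak_ensure_dir(predictable)
    File.write(File.join(predictable, "control_process.pid"), "4242\n")
    weak_landed = File.exist?(File.join(target, "control_process.pid"))

    # Hardened pattern: refuses the planted symlink outright.
    hardened_refused = begin
      safe_ensure_dir(predictable)
      false
    rescue UnsafeTempDir
      true
    end

    # Hardened pattern on a fresh, randomly named path: accepted.
    fresh = safe_ensure_dir(File.join(sandbox, "fresh-" + SecureRandom.hex(8)))
    fresh_ok = File.lstat(fresh).directory? && !File.symlink?(fresh)

    # mktmpdir-based directory also passes the same ownership/mode check.
    rnd = unpredictable_dir(sandbox)
    rnd_st = File.lstat(rnd)
    rnd_ok = rnd_st.directory? && rnd_st.uid == Process.euid && (rnd_st.mode & 0022).zero?

    { weak_wrote_into_target: weak_landed,
      hardened_refused: hardened_refused,
      fresh_ok: fresh_ok,
      mktmpdir_ok: rnd_ok }
  end
end

puts demo.inspect if __FILE__ == $0
```

The `lstat` step matters even after a successful `mkdir`: it confirms the entry is a plain directory with our uid and no group/world write bit, which is the property the report says a planted symlink violates. Where a directory name genuinely must be predictable (the report notes Passenger needs a semi-predictable one), the `mkdir`-must-succeed rule plus the `lstat` check is the minimum; otherwise `Dir.mktmpdir` removes the predictability entirely.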
--- Begin Message ---
Source: ruby-passenger
Source-Version: 4.0.37-1

We believe that the bug you reported is fixed in the latest version of
ruby-passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <[email protected]> (supplier of updated ruby-passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 08 Mar 2014 18:15:49 +0100
Source: ruby-passenger
Binary: ruby-passenger libapache2-mod-passenger ruby-passenger-doc
Architecture: source amd64 all
Version: 4.0.37-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Felix Geyer <[email protected]>
Description: 
 libapache2-mod-passenger - Rails and Rack support for Apache2
 ruby-passenger - Rails and Rack support
 ruby-passenger-doc - Rails and Rack support for Apache2 - Documentation
Closes: 736958
Changes: 
 ruby-passenger (4.0.37-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2014-1831: insecure use of /tmp. (Closes: #736958)
 .
   [ Cédric Boutillier ]
   * Move upstream GPG key into debian/upstream.
 .
   [ Felix Geyer ]
   * Make sure the build flags are used for all source files.
     - Export CFLAGS and CPPFLAGS as EXTRA_CFLAGS.
   * Don't mention nginx in the package description as it isn't actually
     supported in this package.
Checksums-Sha1: 
 0652a1834f597d9ce52c0c2e22e8d59ac80fe1fa 2460 ruby-passenger_4.0.37-1.dsc
 db3d21fdbb68403fc43a39de0ab485e8e0444922 4052133 ruby-passenger_4.0.37.orig.tar.gz
 c1735151c7bfbf6b3f72f4935459f04b85649d0a 14336 ruby-passenger_4.0.37-1.debian.tar.xz
 693d2f4885d39e650db454608b578769d0d9b18c 754052 ruby-passenger_4.0.37-1_amd64.deb
 78d00624961b566cb99eda9374135ff0e4eb3dfa 246586 libapache2-mod-passenger_4.0.37-1_amd64.deb
 12f2821d0a223544a4a5c7ef6dabf7626b6d1137 622580 ruby-passenger-doc_4.0.37-1_all.deb
Checksums-Sha256: 
 e84755a5142cb7bc445c633728d5e97b38402c78ce99269b358aeae0b2fadb81 2460 ruby-passenger_4.0.37-1.dsc
 37146232602f4f579e12e97221638eea88b9c4b6b27970ac5ad5a13a6144c80f 4052133 ruby-passenger_4.0.37.orig.tar.gz
 41522daf13340b48233c09fa26d3d9a5f5075cae1421ee619131ed1b7d766809 14336 ruby-passenger_4.0.37-1.debian.tar.xz
 941d70a42e5f70850e070b89051515e17dd73a4d1f2d4a9cda7682d45747c3f3 754052 ruby-passenger_4.0.37-1_amd64.deb
 bbfdc9a6d24ccb57014f01a04ed35451e6531e9a70293a9d94e2c5d1ca383aff 246586 libapache2-mod-passenger_4.0.37-1_amd64.deb
 52429ec90f90893a03e4a114d20cf305e6bb2ab53ab0cc4d30cce9ad0281bd27 622580 ruby-passenger-doc_4.0.37-1_all.deb
Files: 
 1158528d98da0cc4e4dcef5587938989 2460 ruby optional ruby-passenger_4.0.37-1.dsc
 4a7ba97c127b9923e752244e8ef954e4 4052133 ruby optional ruby-passenger_4.0.37.orig.tar.gz
 edc9ad4ec59b1dc73a241b699a756bbd 14336 ruby optional ruby-passenger_4.0.37-1.debian.tar.xz
 4f6f967d9af12ef87ec5747526b7350d 754052 ruby optional ruby-passenger_4.0.37-1_amd64.deb
 9cb49480a067a83163fe791aed5e15e4 246586 httpd optional libapache2-mod-passenger_4.0.37-1_amd64.deb
 418bca94ce3533cda6282aaf9822e43f 622580 doc optional ruby-passenger-doc_4.0.37-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers