Bugzilla – Bug 1097663
VUL-0: CVE-2018-12029: rubygem-passenger: CHMOD race vulnerability
Last modified: 2019-05-01 14:18:57 UTC
https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ [CVE-2018-12029] CHMOD race vulnerability The Pulse Security team discovered a vulnerability in Passenger. The file system access race condition allows for local privilege escalation and affects the Nginx module for Passenger versions 5.3.1, all the way back to 3.0.0 (the chown command entered the code in 2010). The vulnerability was exploitable only when running a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, there was a window in which it could be replaced with a symlink before it was chowned via the path and not the file descriptor. If the symlink target was to a file which would be executed by root such as root's crontab file, then privilege escalation was possible. This is now mitigated by using fchmod(). Improved security warnings for various directories We recognized that CVE-2018-12029 could be an indication of a larger class of similar vulnerabilities, so we immediately started investigating our codebase for other vulnerabilities. We found that a lot of security properties depend on the security of various directories that the user configured Passenger to use. Therefore, we've introduced more security checks into Passenger. We now check the permissions on the instance registry directory in the same way we already check the Passenger root directory. If the instance registry directory is not secure, that can result in arbitrary file overwrites so it's good practice to fix these warnings if you see them. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12029 https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
This looks like the upstream fix: https://github.com/phusion/passenger/commit/9ed61bb4641ba1f5158fca3840d4e4088805b5af
Manuel, could you also take this one provided you are already working on https://bugzilla.suse.com/show_bug.cgi?id=1097655 ?
I think that are the commits we need: https://github.com/phusion/passenger/commit/9ed61bb4641ba1f5158fca3840d4e4088805b5af https://github.com/phusion/passenger/commit/4f663c8246f529e32575d50196d11cde12a6dfda I'm in the contact with the phusion security team to verify that I don't miss a commit which is needed to address this CVE.
SUSE-SU-2018:2039-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1097663 CVE References: CVE-2018-12029 Sources used: SUSE Linux Enterprise Module for Containers 12 (src): rubygem-passenger-5.0.18-12.9.1
(In reply to Swamp Workflow Management from comment #5) > SUSE-SU-2018:2039-1: An update that fixes one vulnerability is now available. > > Category: security (moderate) > Bug References: 1097663 > CVE References: CVE-2018-12029 > Sources used: > SUSE Linux Enterprise Module for Containers 12 (src): > rubygem-passenger-5.0.18-12.9.1 closing