CVE-2017-16355

Source
https://cve.org/CVERecord?id=CVE-2017-16355
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16355.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-16355
Published
2017-12-14T22:29:00.210Z
Modified
2026-03-10T14:22:21.220087Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.

Affected packages

Git / github.com/phusion/passenger

Affected ranges

Type
GIT
Repo
https://github.com/phusion/passenger
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.0.10"
        },
        {
            "fixed": "5.1.10"
        },
        {
            "introduced": "5.0.10"
        },
        {
            "fixed": "5.1.11"
        }
    ]
}

Affected versions

release-5.*
release-5.0.10
release-5.0.11
release-5.0.13
release-5.0.14
release-5.0.15
release-5.0.16
release-5.0.17
release-5.0.18
release-5.0.19
release-5.0.20
release-5.0.21
release-5.0.22
release-5.0.23
release-5.0.24
release-5.0.25
release-5.0.26
release-5.0.27
release-5.0.28
release-5.0.29
release-5.0.30
release-5.1.0
release-5.1.1
release-5.1.2
release-5.1.3
release-5.1.4
release-5.1.5
release-5.1.6
release-5.1.7
release-5.1.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16355.json"
vanir_signatures
[
    {
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/phusion/passenger/commit/5ea7a4b440c973c30a8f54f8c6a9b861024602f0",
        "signature_type": "Line",
        "id": "CVE-2017-16355-297b2d1f",
        "target": {
            "file": "test/cxx/Core/SpawningKit/SpawnerTestCases.cpp"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf",
        "signature_type": "Line",
        "id": "CVE-2017-16355-bb6469dd",
        "target": {
            "file": "src/agent/Core/SpawningKit/Spawner.h"
        }
    }
]
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    }
]