Moderate severity. NVD Advisory. Published Sep 30, 2013. Updated Apr 29, 2026.
CVE-2013-4136
Description
ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.
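The description above comes down to one pattern: a "create if missing" helper that accepts whatever already sits at a predictable path under /tmp. As an added example (not Passenger's code), the C++ below puts that pattern next to a refuse-if-present routine that only trusts a directory it created itself and verified with lstat(). The names makeDirTreeLike, createPrivateDir and runDemo, the scratch tree under /tmp and the file names in it are assumptions constructed for the demo.

```cpp
// Added example, not Passenger's code: why "create if missing" in /tmp is
// unsafe and what a refuse-if-present creation routine looks like.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum CreateResult { CREATED, REFUSED_EXISTS, REFUSED_NOT_OURS, MKDIR_FAILED };

// Vulnerable pattern (hypothetical stand-in for a mkdir -p helper): if the
// path already exists it is accepted as-is. stat() follows symlinks, so a
// link planted at the predictable name makes its target look like "our"
// directory, and any later chown/chmod on the path lands on the target.
static bool makeDirTreeLike(const std::string &path, mode_t mode) {
    struct stat st;
    if (stat(path.c_str(), &st) == 0) {
        return S_ISDIR(st.st_mode);
    }
    return mkdir(path.c_str(), mode) == 0;
}

// Hardened pattern: mkdir() must succeed (EEXIST is a refusal, not a
// success), then lstat(), which does not follow symlinks, confirms the
// entry is a directory we own with the mode we asked for.
static CreateResult createPrivateDir(const std::string &path, mode_t mode) {
    mode_t old = umask(0);            // make the permission check below exact
    int rc = mkdir(path.c_str(), mode);
    int e = errno;
    umask(old);
    if (rc == -1) {
        return e == EEXIST ? REFUSED_EXISTS : MKDIR_FAILED;
    }
    struct stat st;
    if (lstat(path.c_str(), &st) == -1 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 0777) != (mode & 0777)) {
        rmdir(path.c_str());          // not what we created; do not use it
        return REFUSED_NOT_OURS;
    }
    return CREATED;
}

struct DemoResult {
    bool legacyAcceptedSymlink;
    CreateResult hardenedOnSymlink;
    CreateResult hardenedOnFreshName;
    bool freshIsRealDir;
};

// Builds a constructed scratch tree under /tmp: a pre-planted symlink at a
// predictable name (the situation the advisory describes) next to an unused name.
static DemoResult runDemo() {
    DemoResult r = { false, MKDIR_FAILED, MKDIR_FAILED, false };
    char tmpl[] = "/tmp/instancedir-demo.XXXXXX";
    if (mkdtemp(tmpl) == NULL) {
        return r;
    }
    std::string parent = tmpl;
    std::string target = parent + "/victim-dir";          // stands in for the link target
    std::string planted = parent + "/passenger.1234";    // predictable name, link already there
    std::string fresh = parent + "/passenger.5678";      // nothing there yet
    mkdir(target.c_str(), 0700);
    symlink(target.c_str(), planted.c_str());

    r.legacyAcceptedSymlink = makeDirTreeLike(planted, 0755);   // true: follows the link
    r.hardenedOnSymlink = createPrivateDir(planted, 0755);       // REFUSED_EXISTS
    r.hardenedOnFreshName = createPrivateDir(fresh, 0755);       // CREATED
    struct stat st;
    r.freshIsRealDir = lstat(fresh.c_str(), &st) == 0 && S_ISDIR(st.st_mode);

    rmdir(fresh.c_str());
    unlink(planted.c_str());
    rmdir(target.c_str());
    rmdir(parent.c_str());
    return r;
}

int main() {
    DemoResult r = runDemo();
    std::printf("legacy helper accepted planted symlink: %s\n", r.legacyAcceptedSymlink ? "yes" : "no");
    std::printf("hardened routine on planted symlink:    %s\n", r.hardenedOnSymlink == REFUSED_EXISTS ? "refused" : "accepted");
    std::printf("hardened routine on fresh name:         %s\n", r.hardenedOnFreshName == CREATED ? "created" : "failed");
    return 0;
}
```

The post-mkdir lstat() check is defence in depth: on a sticky-bit /tmp the entry cannot be renamed away by another user between the two calls, but the check costs nothing and catches a misconfigured parent directory. The same refuse-on-EEXIST rule is what makes the removal-then-recreate sequence in the fix safe: if the name reappears between the removal and the mkdir(), the process aborts instead of adopting the intruder.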
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| passenger (RubyGems) | < 4.0.6 | 4.0.6 |
Affected products
- cpe:2.3:a:phusion:passenger:*:*:*:*:*:*:*:* (range: <= 4.0.5)
- cpe:2.3:a:phusion:passenger:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phusion:passenger:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phusion:passenger:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phusion:passenger:4.0.4:*:*:*:*:*:*:*
Patches
Commit 5483b3292cc2: If the server instance directory already exists, it is now removed first in order to get correct directory permissions.
3 files changed · +35 −2
ext/common/ServerInstanceDir.h+28 −1 modified@@ -30,6 +30,7 @@ #include <oxt/backtrace.hpp> #include <sys/types.h> +#include <sys/stat.h> #include <dirent.h> #include <unistd.h> #include <pwd.h> @@ -214,7 +215,33 @@ class ServerInstanceDir: public noncopyable { * rights though, because we want admin tools to be able to list the available * generations no matter what user they're running as. */ - makeDirTree(path, "u=rwx,g=rx,o=rx"); + if (owner) { + switch (getFileType(path)) { + case FT_NONEXISTANT: + createDirectory(path); + break; + case FT_DIRECTORY: + removeDirTree(path); + createDirectory(path); + break; + default: + throw RuntimeException("'" + path + "' already exists, and is not a directory"); + } + } else if (getFileType(path) != FT_DIRECTORY) { + throw RuntimeException("Server instance directory '" + path + + "' does not exist"); + } + } + + void createDirectory(const string &path) const { + // We do not use makeDirTree() here. If an attacker creates a directory + // just before we do, then we want to abort because we want the directory + // to have specific permissions. + if (mkdir(path.c_str(), parseModeString("u=rwx,g=rx,o=rx")) == -1) { + int e = errno; + throw FileSystemException("Cannot create server instance directory '" + + path + "'", e, path); + } } bool isDirectory(const string &dir, struct dirent *entry) const {
NEWS+4 −0 modified@@ -34,6 +34,10 @@ Release 4.0.6 created with the setuid bit, when it should have sticky bit (to prevent existing files from being deleted or renamed by a user that doesn't own the file). This has now been fixed. + * If the server instance directory already exists, it will now be removed + first in order get correct directory permissions. If the directory still + exists after removal, Phusion Passenger aborts to avoid writing to a + directory with unexpected permissions. Fixes issue #910. * The installer now checks whether the system has enough virtual memory, and prints a helpful warning if it doesn't. * Linux/AArch64 compatibility fixes. Patch contributed by Dirk Mueller.
test/cxx/ServerInstanceDirTest.cpp+3 −1 modified@@ -58,9 +58,11 @@ namespace tut { } TEST_METHOD(5) { - // The destructor doesnn't remove the server instance directory if it + // The destructor doesn't remove the server instance directory if it // wasn't created with the ownership flag or if it's been detached. string path, path2; + makeDirTree(parentDir + "/passenger-test.1234"); + makeDirTree(parentDir + "/passenger-test.5678"); { ServerInstanceDir dir(parentDir + "/passenger-test.1234", false); ServerInstanceDir dir2(parentDir + "/passenger-test.5678", false);
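Review bot: in the ServerInstanceDir.h hunk, the FT_DIRECTORY branch calls removeDirTree(path) before checking whether path is itself a symbolic link; if getFileType() resolves links (stat() rather than lstat()), a link planted at the predictable name would send the recursive removal into the link's target rather than removing the link. Consider lstat()-ing path first and routing a symlink to the "already exists, and is not a directory" branch (or unlink()-ing only the link). Two smaller points in the same hunk: the non-owner branch throws "Server instance directory ... does not exist" even when the path exists but is not a directory, which will mislead whoever reads the error; and the comment in createDirectory() should spell out that EEXIST is the expected failure from a concurrent creation, since that is the whole reason makeDirTree() is bypassed here.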
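Review bot: the NEWS entry reads "in order get correct directory permissions"; it should be "in order to get correct directory permissions" (the same wording appears in the commit message). The second sentence is also slightly off: per the code, Passenger aborts when the path still exists after removal because createDirectory() refuses EEXIST, so "if the directory reappears before it can be recreated" describes the behaviour more precisely than "still exists after removal".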
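Review bot: the test hunk only adapts TEST_METHOD(5) to the new rule that a non-owner ServerInstanceDir requires the directory to exist (hence the two makeDirTree() calls); nothing exercises the new owner-mode paths. Please add tests that construct ServerInstanceDir with owner = true against (a) a pre-existing directory, asserting it is replaced with the expected mode, and (b) a pre-existing regular file at the path, asserting the RuntimeException, since those branches are the security fix itself.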
References
- rhn.redhat.com/errata/RHSA-2013-1136.html (nvd: Vendor Advisory, WEB)
- github.com/advisories/GHSA-w6rc-q387-vpgq (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2013-4136 (ghsa: ADVISORY)
- www.openwall.com/lists/oss-security/2013/07/16/6 (nvd: WEB)
- code.google.com/p/phusion-passenger/issues/detail (nvd: WEB)
- github.com/phusion/passenger/blob/release-4.0.6/NEWS (nvd: WEB)
- github.com/phusion/passenger/commit/5483b3292cc2af1c83033eaaadec20dba4dcfd9b (nvd: WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2013-4136.yml (ghsa: WEB)
News mentions
No linked articles in our index yet.