High severity7.8NVD Advisory· Published Apr 18, 2017· Updated May 13, 2026
CVE-2016-10345
CVE-2016-10345
Description
In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
passengerRubyGems | < 5.1.0 | 5.1.0 |
Affected products
1Patches
1e5b4b0824d6bFix writing a tmp file with a predictable name in
2 files changed · +16 −13
bin/passenger-install-nginx-module+15 −13 modified@@ -38,11 +38,11 @@ PhusionPassenger.locate_directories require 'digest/sha2' require 'optparse' require 'fileutils' +require 'tmpdir' PhusionPassenger.require_passenger_lib 'platform_info/ruby' PhusionPassenger.require_passenger_lib 'platform_info/openssl' PhusionPassenger.require_passenger_lib 'abstract_installer' PhusionPassenger.require_passenger_lib 'utils/terminal_choice_menu' -PhusionPassenger.require_passenger_lib 'utils/tmpio' PhusionPassenger.require_passenger_lib 'utils/shellwords' DOWNLOAD_OPTION = { @@ -566,19 +566,21 @@ private def pcre_is_installed? if @pcre_is_installed.nil? - @pcre_is_installed = begin - File.open('/tmp/passenger-check.c', 'w') do |f| - f.puts("#include <pcre.h>") - end - Dir.chdir('/tmp') do - # Nginx checks for PCRE in multiple places... - system("(gcc -I/usr/local/include -I/usr/include/pcre " << - "-I/usr/pkg/include -I/opt/local/include " << - "-c passenger-check.c) >/dev/null 2>/dev/null") + Dir.mktmpdir do |safe_tmpdir| + @pcre_is_installed = begin + File.open("#{safe_tmpdir}/passenger-check.c", 'w') do |f| + f.puts("#include <pcre.h>") + end + Dir.chdir("#{safe_tmpdir}") do + # Nginx checks for PCRE in multiple places... + system("(gcc -I/usr/local/include -I/usr/include/pcre " << + "-I/usr/pkg/include -I/opt/local/include " << + "-c passenger-check.c) >/dev/null 2>/dev/null") + end + ensure + File.unlink("#{safe_tmpdir}/passenger-check.c") rescue nil + File.unlink("#{safe_tmpdir}/passenger-check.o") rescue nil end - ensure - File.unlink('/tmp/passenger-check.c') rescue nil - File.unlink('/tmp/passenger-check.o') rescue nil end end return @pcre_is_installed
CHANGELOG+1 −0 modified@@ -16,6 +16,7 @@ Next version (not yet released) * Fixes an issue where passenger-config couldn't restart an app if the TMPDIR variable was set to /tmp * `passenger-install-apache-module` now suggests the correct apache package on Ubuntu Xenial. Closes GH-1884. * [Standalone] The TempDirToucher will now spend most of its time with reduced privileges, except when it's actively touching files. This allows it to be killed when Passenger is quit in most circumstances. Closes GH-1678. + * Fixes a file overwrite vulnerability caused by a predictable temporary file being written by `passenger-install-nginx-module`. Thanks to Jeremy Evans for reporting this. * [Standalone] Fixes starting Passenger as a non-extant user. Closes GH-1849. * Improved look of the error pages for failing to spawn an application (development & production mode), and Error ID is now also shown in production mode. * [Standalone] Enable ipv6 support by default in builtin nginx. Closes GH-1873.
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/phusion/passenger/blob/stable-5.1/CHANGELOGnvdPatchRelease NotesWEB
- github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441nvdPatchWEB
- github.com/advisories/GHSA-cqxw-3p7v-p9grghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-10345ghsaADVISORY
- blog.phusion.nl/2017/01/10/passenger-5-1-1ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/passenger/CVE-2016-10345.ymlghsaWEB
News mentions
0No linked articles in our index yet.