Phusion Passenger insecure temp files usage

2013-06-10 / 2014-01-05
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

While looking at CVE-2013-2119 I noticed that Phusion Passenger 2.2.11's ext/common/Utils.cpp makeDirTemp() uses mkdir(1) to create directories in /tmp (e.g. /tmp/phusion.$$) for use by the application and web server. A local user could create the directories and have write access to directories, and possibly files used by the application.

I haven't confirmed, but I guess this would allow some sort of privilege escalation to the user executing the application or at least access to otherwise restricted data.

Additionally, some of the subdirectories might be chown(2)ed to a different user even if the directory already existed (it chowns iff mkdir(1) returns 0). Not sure if it could have an impact, however.

Later versions of Phusion Passenger (namely, 3.0.13) use mkdir(2) directly but it only checks for EEXIST, in which case it even skips the chown. The directory is chmod'ed and chown'ed otherwise.

So, at least in 3.0.13 a file could be created instead of a directory and the code would go on, while in 2.2.11 one would need to win the race condition in mkdir(1) -p's stat check.

Does anyone know enough about phusion passenger to know what the impact could be? (and depending on that, assigning CVE id(s))

Cheers,

References:

http://seclists.org/oss-sec/2013/q2/534
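
The post describes code that carries on when mkdir(2) reports EEXIST. One defensive pattern is to verify whatever is at the path afterwards. This is an added example, not Passenger's code or a fix from the project; `make_private_dir` and `run_scenarios` are hypothetical names and the scenario under /tmp is constructed.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper (not Passenger code). Returns 0 only if `path` ends up
// as a real directory owned by `owner` that group/other cannot write to.
int make_private_dir(const std::string &path, uid_t owner) {
    if (mkdir(path.c_str(), 0700) != 0 && errno != EEXIST)
        return -1;                                   // hard failure
    // Created by us or already present: verify instead of trusting EEXIST.
    // O_NOFOLLOW rejects a symlink, O_DIRECTORY rejects a regular file.
    int fd = open(path.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    bool ok = fstat(fd, &st) == 0
           && st.st_uid == owner                     // not pre-created by another user
           && !(st.st_mode & (S_IWGRP | S_IWOTH));   // nobody else can write into it
    close(fd);
    return ok ? 0 : -1;
}

// Constructed scenario under a fresh mkdtemp(3) directory. Each expected
// outcome sets one bit, so 15 means all four cases behaved as intended.
int run_scenarios() {
    char base[] = "/tmp/privdir-demo.XXXXXX";
    if (!mkdtemp(base)) return -1;
    const std::string b(base);
    const uid_t me = geteuid();
    int bits = 0;
    if (make_private_dir(b + "/fresh", me) == 0) bits |= 1;   // new path: accepted
    int fd = open((b + "/file").c_str(), O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) close(fd);
    if (make_private_dir(b + "/file", me) != 0) bits |= 2;    // planted file: rejected
    if (mkdir((b + "/open").c_str(), 0700) != 0 || chmod((b + "/open").c_str(), 0777) != 0)
        return -1;
    if (make_private_dir(b + "/open", me) != 0) bits |= 4;    // world-writable: rejected
    if (symlink((b + "/fresh").c_str(), (b + "/link").c_str()) != 0) return -1;
    if (make_private_dir(b + "/link", me) != 0) bits |= 8;    // symlink: rejected
    return bits;
}

int main() {
    std::printf("scenario bits: %d (expected 15)\n", run_scenarios());
    return 0;
}
```

Where the directory name does not have to be predictable, mkdtemp(3) avoids the pre-creation problem altogether, as the scenario's own base directory shows.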

