[DRE-maint] Bug#921767: CVE-2018-12029

Salvatore Bonaccorso carnil at debian.org
Sat Mar 16 08:41:43 GMT 2019


Hi,

On Fri, Feb 08, 2019 at 10:50:41PM +0100, Moritz Muehlenhoff wrote:
> Source: passenger
> Severity: grave
> Tags: security
> 
> This was assigned CVE-2018-12029:
> https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
> https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86

I think this issue should be lowered to minor or normal, as it is a fix
specifically in the nginx module, which AFAICS is not built in the
Debian build.

Am I missing something?

I have an NMU for the two current passenger issues, which still
includes the changes for CVE-2018-12029.

Regards,
Salvatore
-------------- next part --------------
diff -Nru passenger-5.0.30/debian/changelog passenger-5.0.30/debian/changelog
--- passenger-5.0.30/debian/changelog	2016-08-21 19:24:14.000000000 +0200
+++ passenger-5.0.30/debian/changelog	2019-03-16 08:54:26.000000000 +0100
@@ -1,3 +1,13 @@
+passenger (5.0.30-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * arbitrary file read via REVISION symlink (CVE-2017-16355)
+    (Closes: #884463)
+  * Fix privilege escalation in the Nginx module (CVE-2018-12029)
+    (Closes: #921767)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 16 Mar 2019 08:54:26 +0100
+
 passenger (5.0.30-1) unstable; urgency=medium
 
   * New upstream release.
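Review bot: the first changelog entry, `* arbitrary file read via REVISION symlink (CVE-2017-16355)`, has no verb, unlike the second one ("Fix privilege escalation in the Nginx module"); write it as `* Fix arbitrary file read via REVISION symlink (CVE-2017-16355)` so both entries read as fixes.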
diff -Nru passenger-5.0.30/debian/patches/CVE-2017-16355.patch passenger-5.0.30/debian/patches/CVE-2017-16355.patch
--- passenger-5.0.30/debian/patches/CVE-2017-16355.patch	1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/CVE-2017-16355.patch	2019-03-16 08:48:13.000000000 +0100
@@ -0,0 +1,73 @@
+From: "Daniel Knoppel (Phusion)" <daniel at phusion.nl>
+Date: Wed, 11 Oct 2017 15:55:07 +0200
+Subject: arbitrary file read via REVISION symlink
+Origin: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf,
+ https://github.com/phusion/passenger/commit/947af424330f5d5f5006860b2f0140bbba153e42
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16355
+Bug-Debian: https://bugs.debian.org/884463
+
+[carnil: false is actually a defined macro, but the key part of the fix is the emoval of the call to inferApplicationInfo() to adress the issue.
+---
+ src/agent/Core/SpawningKit/Spawner.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/agent/Core/SpawningKit/Spawner.h
++++ b/src/agent/Core/SpawningKit/Spawner.h
+@@ -719,7 +719,6 @@ protected:
+ 		prepareChroot(info, options);
+ 		info.userSwitching = prepareUserSwitching(options);
+ 		prepareSwitchingWorkingDirectory(info, options);
+-		inferApplicationInfo(info);
+ 		return info;
+ 	}
+ 
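Review bot: the DEP-3 header above this hunk does not match the patch body: the diffstat reads `1 file changed, 2 insertions(+), 1 deletion(-)`, but this hunk deletes one call and the next hunk deletes about 43 lines (inferApplicationInfo(), readFromRevisionFile() and inferCodeRevisionFromCapistranoSymlink()) while adding nothing; the stat was carried over from the upstream commit and should be regenerated or dropped. The `[carnil: ...` note is also never closed and misspells "removal" and "address".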
+@@ -773,49 +772,6 @@ protected:
+ 		assert(info.appRootPathsInsideChroot.back() == info.appRootInsideChroot);
+ 	}
+ 
+-	void inferApplicationInfo(SpawnPreparationInfo &info) const {
+-		info.codeRevision = readFromRevisionFile(info);
+-		if (info.codeRevision.empty()) {
+-			info.codeRevision = inferCodeRevisionFromCapistranoSymlink(info);
+-		}
+-	}
+-
+-	string readFromRevisionFile(const SpawnPreparationInfo &info) const {
+-		string filename = info.appRoot + "/REVISION";
+-		try {
+-			if (fileExists(filename)) {
+-				return strip(readAll(filename));
+-			}
+-		} catch (const SystemException &e) {
+-			P_WARN("Cannot access " << filename << ": " << e.what());
+-		}
+-		return string();
+-	}
+-
+-	string inferCodeRevisionFromCapistranoSymlink(const SpawnPreparationInfo &info) const {
+-		if (extractBaseName(info.appRoot) == "current") {
+-			char buf[PATH_MAX + 1];
+-			ssize_t ret;
+-
+-			do {
+-				ret = readlink(info.appRoot.c_str(), buf, PATH_MAX);
+-			} while (ret == -1 && errno == EINTR);
+-			if (ret == -1) {
+-				if (errno == EINVAL) {
+-					return string();
+-				} else {
+-					int e = errno;
+-					P_WARN("Cannot read symlink " << info.appRoot << ": " << strerror(e));
+-				}
+-			}
+-
+-			buf[ret] = '\0';
+-			return extractBaseName(buf);
+-		} else {
+-			return string();
+-		}
+-	}
+-
+ 	bool shouldLoadShellEnvvars(const Options &options, const SpawnPreparationInfo &preparation) const {
+ 		if (options.loadShellEnvvars) {
+ 			string shellName = extractBaseName(preparation.userSwitching.shell);
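Review bot: with readFromRevisionFile() and the Capistrano symlink walker gone, info.codeRevision is no longer assigned anywhere in this patch; confirm that every consumer of codeRevision in the 5.0.30 tree tolerates an empty string (the removed code already returned string() on any failure, so they should). Removing rather than hardening is the right call here: readAll(info.appRoot + "/REVISION") ran on a path the application owner controls and read whatever the symlink pointed at, and the removed readlink() code had a bug of its own, falling through after the P_WARN and writing `buf[ret] = '\0'` with ret == -1 when errno was anything other than EINVAL.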
diff -Nru passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
--- passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch	1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch	2019-03-16 08:51:30.000000000 +0100
@@ -0,0 +1,52 @@
+From: Camden Narzt <c.narzt at me.com>
+Date: Mon, 14 May 2018 08:34:12 -0600
+Subject: Fix privilege escalation in the Nginx module
+Origin: https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12029
+Bug-Debian: https://bugs.debian.org/921767
+
+The vulnerability is exploitable with a non-standard
+passenger_instance_registry_dir, via a race condition where after a file
+was created, it was chowned via the path not the file descriptor.
+
+The chown entered the code in 2010, so Passenger 4 + 5 all affected.
+---
+ src/nginx_module/ngx_http_passenger_module.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/src/nginx_module/ngx_http_passenger_module.c
++++ b/src/nginx_module/ngx_http_passenger_module.c
+@@ -186,7 +186,7 @@ starting_watchdog_after_fork(void *param
+ }
+ 
+ static ngx_int_t
+-create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len) {
++create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len, uid_t uid, gid_t gid) {
+     FILE  *f;
+     int    ret;
+     size_t total_written = 0, written;
+@@ -201,6 +201,9 @@ create_file(ngx_cycle_t *cycle, const u_
+             ret = fchmod(fileno(f), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+         } while (ret == -1 && errno == EINTR);
+         do {
++            ret = fchown(fileno(f), uid, gid);
++        } while (ret == -1 && errno == EINTR);
++        do {
+             written = fwrite(contents + total_written, 1,
+                 len - total_written, f);
+             total_written += written;
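Review bot: the result of the new fchown() loop is not examined within this hunk: `ret` is set and then the code proceeds straight to fwrite(), so if fchown() fails (EPERM when the master process is not root, or an unknown core_conf->user) the file is written anyway with the creator's ownership. Add `if (ret == -1) { fclose(f); return NGX_ERROR; }` after the loop (the same applies to the pre-existing fchmod() loop above it), and document at the definition that gid == (gid_t)-1 leaves the group unchanged, which is how the only caller uses it.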
+@@ -327,13 +330,10 @@ start_watchdog(ngx_cycle_t *cycle) {
+                         "%s/web_server_control_process.pid",
+                         psg_watchdog_launcher_get_instance_dir(psg_watchdog_launcher, NULL));
+     *last = (u_char) '\0';
+-    if (create_file(cycle, filename, (const u_char *) "", 0) != NGX_OK) {
++    if (create_file(cycle, filename, (const u_char *) "", 0, (uid_t) core_conf->user, (gid_t) -1) != NGX_OK) {
+         result = NGX_ERROR;
+         goto cleanup;
+     }
+-    do {
+-        ret = chown((const char *) filename, (uid_t) core_conf->user, (gid_t) -1);
+-    } while (ret == -1 && errno == EINTR);
+     if (ret == -1) {
+         result = NGX_ERROR;
+         goto cleanup;
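Review bot: after the chown() loop is removed, the `if (ret == -1)` at the end of this hunk no longer follows a statement that assigns ret; it now tests whatever earlier code last stored there, so it neither detects a failed ownership change (which now happens inside create_file()) nor can be reasoned about locally. Either drop that check together with the loop, or make create_file() return NGX_ERROR when fchown() fails and rely on the `!= NGX_OK` test two lines above.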
diff -Nru passenger-5.0.30/debian/patches/series passenger-5.0.30/debian/patches/series
--- passenger-5.0.30/debian/patches/series	2016-04-06 21:35:40.000000000 +0200
+++ passenger-5.0.30/debian/patches/series	2019-03-16 08:51:09.000000000 +0100
@@ -1,3 +1,5 @@
 fix_install_path.patch
 bin_load_path.patch
 nodejs_bin_name.patch
+CVE-2017-16355.patch
+Fix-privilege-escalation-in-the-Nginx-module.patch

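The race described in the Nginx patch header above (create the pid file, then chown() it by path) is a classic TOCTOU: between the two calls an attacker with write access to a non-standard instance registry directory can replace the file with a symlink, and the path-based call follows it. As an added example that is neither Passenger code nor part of this e-mail, the C routine below does what the upstream fix does, applying owner and mode through the open descriptor, and additionally propagates fchown() failure and opens with O_EXCL|O_NOFOLLOW so a planted symlink is refused outright. The names create_file_owned and demo are chosen here, and the directory, file names and pid body are constructed for the demonstration; it runs unprivileged by using the caller's own uid as the "new owner" and uses chmod() in place of chown() to make the symlink-following visible without root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened counterpart of create-then-chown(path): create the file and set
 * owner, mode and contents through one open descriptor, so nothing done to
 * the directory in between can redirect the metadata changes elsewhere.
 * Returns 0 on success, -1 with errno set.  gid == (gid_t)-1 leaves the
 * group unchanged, as in the patched create_file(). */
int create_file_owned(const char *path, const void *contents, size_t len,
                      uid_t uid, gid_t gid)
{
    const unsigned char *p = contents;
    size_t total = 0;
    int fd, e;

    /* O_EXCL refuses anything already at `path`, a planted symlink included;
     * O_NOFOLLOW is belt-and-braces; O_CLOEXEC keeps the fd from children. */
    do {
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC,
                  S_IRUSR | S_IWUSR);
    } while (fd == -1 && errno == EINTR);
    if (fd == -1)
        return -1;

    /* Applied to the inode we created, never to a path that may have been
     * swapped. Failure is propagated, which the patched create_file() omits. */
    if (fchown(fd, uid, gid) == -1 ||
        fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1)
        goto fail;

    while (total < len) {
        ssize_t n = write(fd, p + total, len - total);
        if (n == -1) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        total += (size_t)n;
    }
    return close(fd);

fail:
    e = errno;
    close(fd);
    unlink(path);            /* do not leave a half-configured file behind */
    errno = e;
    return -1;
}

/* Returns 0 when the hardened routine behaves as intended, otherwise the
 * number of the step that failed. All paths and contents are constructed. */
int demo(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], fresh[512], victim[512], planted[512];
    const char pid[] = "12345\n";
    struct stat st;

    snprintf(dir, sizeof dir, "%s/instance-XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(fresh, sizeof fresh, "%s/web_server_control_process.pid", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/planted.pid", dir);

    /* Normal case: a fresh file with mode 0644 and the given body. */
    if (create_file_owned(fresh, pid, sizeof pid - 1, getuid(), (gid_t)-1) != 0)
        return 2;
    if (stat(fresh, &st) != 0 || (st.st_mode & 07777) != 0644 ||
        st.st_size != (off_t)(sizeof pid - 1))
        return 3;

    /* The attacker's move inside the old race window: a symlink at the
     * expected name pointing at a file they want the server user to own. */
    if (create_file_owned(victim, "", 0, getuid(), (gid_t)-1) != 0)
        return 4;
    if (symlink(victim, planted) != 0)
        return 5;

    /* A path-based metadata call follows the symlink and hits the victim. */
    if (chmod(planted, S_IRUSR | S_IWUSR) != 0 || stat(victim, &st) != 0 ||
        (st.st_mode & 07777) != 0600)
        return 6;

    /* The descriptor-based routine refuses the planted path (EEXIST). */
    if (create_file_owned(planted, pid, sizeof pid - 1, getuid(), (gid_t)-1) != -1 ||
        errno != EEXIST)
        return 7;
    if (stat(victim, &st) != 0 || st.st_size != 0)
        return 8;

    unlink(planted); unlink(victim); unlink(fresh); rmdir(dir);
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("%s (rc=%d)\n", rc == 0 ? "hardened create_file behaves" : "FAILED", rc);
    return rc;
}
```

The EINTR loops around fchown()/fchmod() in the patch are kept out here because neither call is specified to return EINTR; what matters for the fix is that both operate on the descriptor and that their failure aborts the write instead of leaving a file with the wrong owner in place.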
