[DRE-maint] Bug#921767: CVE-2018-12029
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 16 08:41:43 GMT 2019
Hi,
On Fri, Feb 08, 2019 at 10:50:41PM +0100, Moritz Muehlenhoff wrote:
> Source: passenger
> Severity: grave
> Tags: security
>
> This was assigned CVE-2018-12029:
> https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
> https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86
I think this issue should be lowered to minor or normal, as it fixes
the issue specifically in the nginx module, which AFAICS is not built
in the Debian build.
Am I missing something?
I have an NMU for the current two passenger issues, which still
includes the changes for CVE-2018-12029.
Regards,
Salvatore
diff -Nru passenger-5.0.30/debian/changelog passenger-5.0.30/debian/changelog
--- passenger-5.0.30/debian/changelog 2016-08-21 19:24:14.000000000 +0200
+++ passenger-5.0.30/debian/changelog 2019-03-16 08:54:26.000000000 +0100
@@ -1,3 +1,13 @@
+passenger (5.0.30-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * arbitrary file read via REVISION symlink (CVE-2017-16355)
+ (Closes: #884463)
+ * Fix privilege escalation in the Nginx module (CVE-2018-12029)
+ (Closes: #921767)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 16 Mar 2019 08:54:26 +0100
+
passenger (5.0.30-1) unstable; urgency=medium
* New upstream release.
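Review bot: the changelog entry "+ * arbitrary file read via REVISION symlink (CVE-2017-16355)" is missing a verb and reads inconsistently next to the "Fix privilege escalation in the Nginx module" entry below it; suggest "* Fix arbitrary file read via REVISION symlink (CVE-2017-16355)". Since the cover mail states that the Nginx module is not built in the Debian package, the CVE-2018-12029 entry would also be clearer if it said the patch is applied to the source while the affected module is not shipped, so readers of the changelog do not take it as a fix to a binary Debian actually builds.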
diff -Nru passenger-5.0.30/debian/patches/CVE-2017-16355.patch passenger-5.0.30/debian/patches/CVE-2017-16355.patch
--- passenger-5.0.30/debian/patches/CVE-2017-16355.patch 1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/CVE-2017-16355.patch 2019-03-16 08:48:13.000000000 +0100
@@ -0,0 +1,73 @@
+From: "Daniel Knoppel (Phusion)" <daniel at phusion.nl>
+Date: Wed, 11 Oct 2017 15:55:07 +0200
+Subject: arbitrary file read via REVISION symlink
+Origin: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf,
+ https://github.com/phusion/passenger/commit/947af424330f5d5f5006860b2f0140bbba153e42
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16355
+Bug-Debian: https://bugs.debian.org/884463
+
+[carnil: false is actually a defined macro, but the key part of the fix is the emoval of the call to inferApplicationInfo() to adress the issue.
+---
+ src/agent/Core/SpawningKit/Spawner.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/agent/Core/SpawningKit/Spawner.h
++++ b/src/agent/Core/SpawningKit/Spawner.h
+@@ -719,7 +719,6 @@ protected:
+ prepareChroot(info, options);
+ info.userSwitching = prepareUserSwitching(options);
+ prepareSwitchingWorkingDirectory(info, options);
+- inferApplicationInfo(info);
+ return info;
+ }
+
+@@ -773,49 +772,6 @@ protected:
+ assert(info.appRootPathsInsideChroot.back() == info.appRootInsideChroot);
+ }
+
+- void inferApplicationInfo(SpawnPreparationInfo &info) const {
+- info.codeRevision = readFromRevisionFile(info);
+- if (info.codeRevision.empty()) {
+- info.codeRevision = inferCodeRevisionFromCapistranoSymlink(info);
+- }
+- }
+-
+- string readFromRevisionFile(const SpawnPreparationInfo &info) const {
+- string filename = info.appRoot + "/REVISION";
+- try {
+- if (fileExists(filename)) {
+- return strip(readAll(filename));
+- }
+- } catch (const SystemException &e) {
+- P_WARN("Cannot access " << filename << ": " << e.what());
+- }
+- return string();
+- }
+-
+- string inferCodeRevisionFromCapistranoSymlink(const SpawnPreparationInfo &info) const {
+- if (extractBaseName(info.appRoot) == "current") {
+- char buf[PATH_MAX + 1];
+- ssize_t ret;
+-
+- do {
+- ret = readlink(info.appRoot.c_str(), buf, PATH_MAX);
+- } while (ret == -1 && errno == EINTR);
+- if (ret == -1) {
+- if (errno == EINVAL) {
+- return string();
+- } else {
+- int e = errno;
+- P_WARN("Cannot read symlink " << info.appRoot << ": " << strerror(e));
+- }
+- }
+-
+- buf[ret] = '\0';
+- return extractBaseName(buf);
+- } else {
+- return string();
+- }
+- }
+-
+ bool shouldLoadShellEnvvars(const Options &options, const SpawnPreparationInfo &preparation) const {
+ if (options.loadShellEnvvars) {
+ string shellName = extractBaseName(preparation.userSwitching.shell);
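Review bot: the "[carnil: ..." line in the patch header has typos ("emoval", "adress") and an unclosed bracket, and its remark that "false is actually a defined macro" is not explained by anything else in the patch, so the sentence is hard to follow; suggest something like "[carnil: the key part of the fix is the removal of the call to inferApplicationInfo(), which addresses the issue.]". The header should also state plainly that this backport drops the REVISION/Capistrano revision inference entirely: the call in the "@@ -719,7 +719,6 @@" hunk is removed and the three helpers (inferApplicationInfo, readFromRevisionFile, inferCodeRevisionFromCapistranoSymlink) are deleted, so info.codeRevision is never populated. That is a behaviour change beyond the security fix and deserves a line in the changelog.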
diff -Nru passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
--- passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch 1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch 2019-03-16 08:51:30.000000000 +0100
@@ -0,0 +1,52 @@
+From: Camden Narzt <c.narzt at me.com>
+Date: Mon, 14 May 2018 08:34:12 -0600
+Subject: Fix privilege escalation in the Nginx module
+Origin: https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12029
+Bug-Debian: https://bugs.debian.org/921767
+
+The vulnerability is exploitable with a non-standard
+passenger_instance_registry_dir, via a race condition where after a file
+was created, it was chowned via the path not the file descriptor.
+
+The chown entered the code in 2010, so Passenger 4 + 5 all affected.
+---
+ src/nginx_module/ngx_http_passenger_module.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/src/nginx_module/ngx_http_passenger_module.c
++++ b/src/nginx_module/ngx_http_passenger_module.c
+@@ -186,7 +186,7 @@ starting_watchdog_after_fork(void *param
+ }
+
+ static ngx_int_t
+-create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len) {
++create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len, uid_t uid, gid_t gid) {
+ FILE *f;
+ int ret;
+ size_t total_written = 0, written;
+@@ -201,6 +201,9 @@ create_file(ngx_cycle_t *cycle, const u_
+ ret = fchmod(fileno(f), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ } while (ret == -1 && errno == EINTR);
+ do {
++ ret = fchown(fileno(f), uid, gid);
++ } while (ret == -1 && errno == EINTR);
++ do {
+ written = fwrite(contents + total_written, 1,
+ len - total_written, f);
+ total_written += written;
+@@ -327,13 +330,10 @@ start_watchdog(ngx_cycle_t *cycle) {
+ "%s/web_server_control_process.pid",
+ psg_watchdog_launcher_get_instance_dir(psg_watchdog_launcher, NULL));
+ *last = (u_char) '\0';
+- if (create_file(cycle, filename, (const u_char *) "", 0) != NGX_OK) {
++ if (create_file(cycle, filename, (const u_char *) "", 0, (uid_t) core_conf->user, (gid_t) -1) != NGX_OK) {
+ result = NGX_ERROR;
+ goto cleanup;
+ }
+- do {
+- ret = chown((const char *) filename, (uid_t) core_conf->user, (gid_t) -1);
+- } while (ret == -1 && errno == EINTR);
+ if (ret == -1) {
+ result = NGX_ERROR;
+ goto cleanup;
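Review bot: in the start_watchdog hunk ("@@ -327,13 +330,10 @@") the do/while loop that assigned ret from chown() is removed, but the following "if (ret == -1) { result = NGX_ERROR; goto cleanup; }" is kept as unchanged context, so it now tests whatever value ret last held rather than the outcome of the ownership change; either drop that check (the create_file() return value is already tested on the line above) or drop ret altogether if nothing else in the function still uses it. In the create_file hunk, the new fchown() loop stores its result in ret but, like the fchmod() loop directly above it, no check of ret appears before the fwrite loop, so an fchown failure (for example EPERM when the master process is not root) would silently leave the pid file owned by the creating user; suggest checking ret after the loop and returning NGX_ERROR, matching how the caller treats a create_file() failure. Moving the ownership change onto the open descriptor is the right fix for the path-based race described in the header, so the remaining points are about error handling, not the approach.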
diff -Nru passenger-5.0.30/debian/patches/series passenger-5.0.30/debian/patches/series
--- passenger-5.0.30/debian/patches/series 2016-04-06 21:35:40.000000000 +0200
+++ passenger-5.0.30/debian/patches/series 2019-03-16 08:51:09.000000000 +0100
@@ -1,3 +1,5 @@
fix_install_path.patch
bin_load_path.patch
nodejs_bin_name.patch
+CVE-2017-16355.patch
+Fix-privilege-escalation-in-the-Nginx-module.patch