Bug#840685: tomcat8: DSA-3670 incomplete

Markus Koschany apo at debian.org
Thu Oct 13 21:06:45 UTC 2016


On 13.10.2016 22:22, Paul Szabo wrote:
> Package: tomcat8
> Version: 8.0.14-1+deb8u3
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> 
> [ I contacted team at security.debian.org about this, but no response ... ]

I am CCing the security team in case they want to chime in here.

> 
> Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:
> 
> ...
> NAME=tomcat8
> ...
> JVM_TMP=/tmp/tomcat8-$NAME-tmp
> ...
> 		# Remove / recreate JVM_TMP directory
> 		rm -rf "$JVM_TMP"
> 		mkdir -p "$JVM_TMP" || {
> 			log_failure_msg "could not create JVM temporary directory"
> 			exit 1
> 		}
> 		chown $TOMCAT8_USER "$JVM_TMP"
> ...

No, we did not modify this part in /etc/init.d/tomcat8. We fixed
CVE-2016-1240 by applying this patch

https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?h=jessie&id=9a9fd4f1cae13304beed6d4e445d1be8a3917fe0


> That suffers from a TOCTOU race condition.
> 
> An attacker can, after the "rm -rf", create a symlink to /etc. Then
> "mkdir -p" returns success (though does nothing); and chown follows
> the symlink. That is "game over": ability to replace /etc/passwd.
> 
> The attacker can use inotify and act quickly, and have a good chance
> of winning the race to create the symlink before the init.d script
> starts a new mkdir process.
> 
> Do you need some working PoC code?

I don't understand how this affects our solution for CVE-2016-1240. If
you claim this is a new issue, then more information and working
proof-of-concept code are appreciated. Please send them to the security
team first and not to a public mailing list.



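As an added example, not part of the bug report, of the reply, or of the Debian tomcat8 package: the sh script below reproduces, in a scratch directory and without root, the property of `mkdir -p` that the reported rm / mkdir -p / chown sequence depends on (an existing symlink to a directory counts as success), and places a hardened form of the same sequence beside it. The inotify race is replaced by a function call placed in the window between `rm -rf` and `mkdir`; the names SANDBOX, TARGET, ATTACK and the two `*_recreate` functions are this example's own assumptions, not the init script's.

```shell
#!/bin/sh
# Added example (not code from the bug report or the Debian tomcat8 package):
# reproduce the condition that makes the reported rm/mkdir -p/chown sequence
# exploitable, in a scratch directory and without root. All names below
# (SANDBOX, TARGET, ATTACK, the *_recreate functions) are this example's own.
set -u

SANDBOX=$(mktemp -d)                     # stands in for world-writable /tmp
TARGET="$SANDBOX/etc"                    # stands in for /etc
JVM_TMP="$SANDBOX/tomcat8-tomcat8-tmp"   # same name pattern as the init script
ATTACK=1                                 # 1: the attacker wins the race
mkdir -p "$TARGET"

# Simulated attacker: runs in the window after rm -rf and before mkdir, and
# drops a symlink pointing at the directory it wants chowned.
attacker_plant_symlink() {
    [ "$ATTACK" -eq 1 ] || return 0
    ln -sfn "$TARGET" "$JVM_TMP"
}

# The sequence quoted in the report. Returns 0 when the script would have
# gone on to run chown through a symlink (i.e. the attack succeeded).
vulnerable_recreate() {
    rm -rf "$JVM_TMP"                    # removes only what sits at that path
    attacker_plant_symlink
    mkdir -p "$JVM_TMP" || return 1      # -p: a symlink to an existing dir is "success"
    [ -L "$JVM_TMP" ]                    # chown(1) without -h would now follow it
}

# Hardened sequence: mkdir without -p fails with EEXIST if anything already
# sits at the path, the result is checked to be a real directory, and
# chown -h (--no-dereference) would not follow a symlink even if one slipped in.
# Returns 0 when a fresh directory was created and owned, 1 when it refused.
hardened_recreate() {
    rm -rf "$JVM_TMP"
    attacker_plant_symlink
    mkdir "$JVM_TMP" 2>/dev/null || return 1
    [ -d "$JVM_TMP" ] && [ ! -L "$JVM_TMP" ] || return 1
    chown -h "$(id -un)" "$JVM_TMP" || return 1
}
```

Run it with `sh`; with ATTACK=1, `vulnerable_recreate` reports that the symlink survived `mkdir -p`, while `hardened_recreate` refuses because `mkdir` sees the path already occupied, and with ATTACK=0 the hardened form creates and owns the directory normally. Dropping `-p` and adding `-h` only narrows the race; creating the directory under a root-owned, non-world-writable parent (or with `mktemp -d` beneath one) removes it.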