Bug#840685: tomcat8: DSA-3670 incomplete

Markus Koschany apo at debian.org
Fri Oct 14 13:54:34 UTC 2016


On 14.10.2016 10:07, paul.szabo at sydney.edu.au wrote:
[...]
>> So while I think it should be fixed, this would not warrant a DSA,
>> since mitigated by default in Debian.
> 
> No mitigation: fix and DSA, please!

I agree with Salvatore. I have tested the following:

First of all you can only gain write permissions as the tomcat8 user if
you exploit a yet unknown security vulnerability in a web application
or Tomcat itself. Debian's tomcat8 user has no shell access by default.

So the server must be running and somehow you managed to remove
/tmp/tomcat8-tomcat8-tmp and replace the directory with a symlink to an
arbitrary file.

Your attack vector requires that the server must be restarted. But there
is another rm -rf "$JVM_TMP" command in the stop target that would
remove your symlink again.

Ok, let's imagine that you could find a way around the rm -rf commands.
Let's remove those rm -rf "$JVM_TMP" calls in /etc/init.d/tomcat8. Then
run systemctl daemon-reload. Log in as tomcat8 user and create your
symlink for /tmp/tomcat8-tomcat8-tmp. If I run systemctl restart tomcat8
now, I get this:

Job for tomcat8.service failed because the control process exited with
error code.

The symlink is still present and nothing has changed regarding the file
permissions for my arbitrary file.

I agree that we should improve the init script in this regard, but I
actually don't see a major risk like a root escalation for users at the
moment, and I suggest lowering the severity of this bug report to important.

> What response time should I have expected of team at security? You had
> close to a whole day... compared to that, Markus replied within the
> hour to the Debian bug. (But he did not yet reply to my next, private
> bug/message... seems public messaging works best!)

In my opinion it is generally understood that you should give people at
least enough time to react to an e-mail and to assess the issue.
Expecting a response time in less than a day is not very reasonable,
especially when there are things like the time difference between
Australia and Europe.

Regards,

Markus
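The discussion above turns on how an init script should treat a per-service temp directory such as /tmp/tomcat8-tomcat8-tmp when a symlink has been planted at that path. The helpers below are an added example, not code from Debian's /etc/init.d/tomcat8 or from anyone in this thread; the function names and the directory paths used in the usage section are hypothetical. They show the fail-closed check (refuse a symlink, a non-directory, or a directory owned by someone else) and the start-from-scratch variant that mirrors the `rm -rf "$JVM_TMP"` approach, relying on the fact that `rm -rf` and `mkdir` do not follow a symlink at the final path component.

```shell
#!/bin/sh
# Added example, not Debian's /etc/init.d/tomcat8. Helpers for preparing a
# private per-service temp directory (e.g. /tmp/tomcat8-tomcat8-tmp) so that a
# symlink planted at that path is never followed. Names are hypothetical.

# Reuse what is at "$dir" only if it is a real directory owned by the caller.
# Return codes: 0 ok, 2 symlink present, 3 non-directory present,
# 4 directory owned by another user, 5 mkdir failed (raced).
prepare_private_tmp() {
    dir="$1"
    if [ -L "$dir" ]; then
        echo "prepare_private_tmp: refusing symlink at $dir" >&2
        return 2
    fi
    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        echo "prepare_private_tmp: $dir exists and is not a directory" >&2
        return 3
    fi
    if [ -d "$dir" ]; then
        # test -O (owned by the effective uid) is a bash/dash/busybox extension.
        # In a sticky /tmp any user could have created this directory; once it
        # is ours, others cannot rename or remove it, so chmod is safe here.
        if [ ! -O "$dir" ]; then
            echo "prepare_private_tmp: $dir is not owned by us" >&2
            return 4
        fi
        chmod 0700 "$dir"
        return 0
    fi
    # Nothing there: a fresh mkdir cannot be redirected by a symlink, because
    # mkdir fails with EEXIST instead of following a link at the last component.
    # If the check above was raced, this fails closed instead of following it.
    mkdir -m 0700 "$dir" || return 5
}

# Start-from-scratch variant in the spirit of the init script's rm -rf call:
# rm -rf on a symlink unlinks the link itself and never descends into its
# target, so the target is left untouched and a fresh real directory follows.
reset_private_tmp() {
    dir="$1"
    rm -rf "$dir"
    mkdir -m 0700 "$dir"
}

# Usage (hypothetical paths): run as the service user, not as root, so that a
# mistake here cannot change the ownership or mode of any file the user
# could not already write.
#   prepare_private_tmp /tmp/example-service-tmp || exit 1
#   reset_private_tmp   /tmp/example-service-tmp || exit 1
```

The important design choice is to run this preparation as the service user rather than as root: a check-then-act window can never be fully closed in shell, so the script should have nothing to escalate even if it loses the race.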



