[DRE-maint] Bug#812103: CVE-2015-7519

Raphael Geissert atomo64 at gmail.com
Tue Apr 26 13:33:12 UTC 2016


On 26 April 2016 at 10:27, Linus van Geuns <linus at vangeuns.name> wrote:
> On Tue, Apr 26, 2016 at 10:08 AM, Raphael Geissert <atomo64 at gmail.com> wrote:
>> On 19 February 2016 at 09:35, Linus van Geuns <linus at vangeuns.name> wrote:
>>> On Thu, Feb 18, 2016 at 8:35 PM, Thorsten Alteholz <debian at alteholz.de> wrote:
>>>> On irc you wrote:
>>>> 15:05 < Nirkus> have some old redmine running on squeeze-lts (yeah..) and since the update yesterday the following redmine code bails out with "private method `split' called for nil:NilClass" at the following line:
>>>> 15:06 < Nirkus> @env['QUERY_STRING'].present? ? @env['QUERY_STRING'] : (@env['REQUEST_URI'].split('?', 2)[1] || '')
>>>>
>>>> In CVE-2015-7519[1] it was detected that it is possible to obtain
>>>> unauthorized access if you send http variables with "_" instead of "-". More information can be found here[2]. As a solution it was proposed to simply filter out all variables containing an "_". This was already done in mod_cgi of apache[3] and now I applied a similar patch to libapache2-mod-passenger as well.
>>>>
>>>> Unfortunately there seems to be software that relies on underscores in variable names. So if you need such variables you might want to use the workaround for apache, described in[2].
>>>
>>> I am only scratching the surface of Ruby, Passenger, Rack/Rails and
>>> Redmine, so corrections and clarifications welcome. :)
>>>
>> [...]
>>>
>>> I am not sure whether REQUEST_URI and QUERY_STRING are actually passed
>>> as per-request env. variables by Passenger or added to the env hash by
>>> Rack/Rails.
>>> Still, this looks like a regression to me, since it removes previously
>>> available variables, which should not be in scope of CVE-2015-7519.
>>
>> It is a regression, there's no way for applications using
>> mod_passenger to work after the latest update. Not only did the update
>> switch to a native package and drop some documentation, but it broke
>> the module.
>>
>> Granted, the package is safer now that it doesn't work.
>
> Yeah, granted
>
> "We" are no longer affected by this regression since the affected
> Redmine instance has been migrated to a current release running on
> Debian jessie.
> So, thank you for the incentive to do the right thing.

FWIW, attached patch should do it. It can be applied on top of the
non-LTS version of passenger.

Cheers,
-- 
Raphael Geissert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2015-7519.patch
Type: text/x-patch
Size: 1642 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20160426/d0486017/attachment.bin>
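The thread above describes two things: the header-name collision behind CVE-2015-7519 (a client-sent name with "_" maps to the same CGI variable as the proxy-set name with "-"), and the regression caused by filtering every variable containing "_", which also removes REQUEST_URI and QUERY_STRING and triggers the Redmine error Nirkus quoted. The Ruby below is an added example, not code from Passenger, Apache, Redmine or the patch attached to this mail; it models the CGI mapping, contrasts the over-broad filter with one that only drops request headers, and uses constructed header names and values (the allow-list of CGI meta-variables and the sample request are assumptions for the demonstration).

```ruby
# Added example: CGI header mapping, the underscore collision, and two filters.
# Not code from Passenger, Apache or the attached patch. All names constructed.

# CGI meta-variables a server hands to the application alongside the request
# headers. They contain underscores by definition and must never be filtered.
CGI_META_VARIABLES = %w[
  REQUEST_METHOD REQUEST_URI QUERY_STRING SCRIPT_NAME PATH_INFO
  SERVER_NAME SERVER_PORT SERVER_PROTOCOL REMOTE_ADDR CONTENT_TYPE CONTENT_LENGTH
].freeze

# Map an HTTP header name to its CGI variable the way servers do: upper-case,
# '-' to '_', prefixed with HTTP_. "X-Forwarded-For" and "X_Forwarded_For"
# both become HTTP_X_FORWARDED_FOR; that is the collision in CVE-2015-7519.
def cgi_name(header_name)
  "HTTP_#{header_name.upcase.tr('-', '_')}"
end

# Per-request input as [name, value] pairs: CGI meta-variables plus request
# headers in wire order. Later entries win, so a colliding header can
# overwrite a value that a trusted proxy set earlier.
def build_env(raw_pairs)
  env = {}
  raw_pairs.each do |name, value|
    key = CGI_META_VARIABLES.include?(name) ? name : cgi_name(name)
    env[key] = value
  end
  env
end

# Over-broad mitigation: reject every incoming name containing '_'. This also
# discards REQUEST_URI and QUERY_STRING, the regression reported in the thread.
def filter_broad(raw_pairs)
  raw_pairs.reject { |name, _| name.include?('_') }
end

# Targeted mitigation: reject only HTTP header names containing '_';
# CGI meta-variables pass through untouched.
def filter_headers_only(raw_pairs)
  raw_pairs.reject { |name, _| name.include?('_') && !CGI_META_VARIABLES.include?(name) }
end

# Constructed request: a reverse proxy set X-Forwarded-For, and the client
# also sent X_Forwarded_For, which collides with it after CGI mapping.
SAMPLE_REQUEST = [
  ['REQUEST_METHOD', 'GET'],
  ['REQUEST_URI', '/issues?set_filter=1'],
  ['QUERY_STRING', 'set_filter=1'],
  ['Host', 'redmine.example'],
  ['X-Forwarded-For', '203.0.113.7'],
  ['X_Forwarded_For', '127.0.0.1'],
].freeze

def unfiltered_env
  build_env(SAMPLE_REQUEST)
end

def broad_env
  build_env(filter_broad(SAMPLE_REQUEST))
end

def targeted_env
  build_env(filter_headers_only(SAMPLE_REQUEST))
end

# Mirrors the Redmine line quoted in the thread: with REQUEST_URI removed it
# raises NoMethodError on nil, which is the "split called for nil" report.
def query_string_of(env)
  qs = env['QUERY_STRING']
  (qs && !qs.empty?) ? qs : (env['REQUEST_URI'].split('?', 2)[1] || '')
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered X-Forwarded-For: #{unfiltered_env['HTTP_X_FORWARDED_FOR']}"
  puts "targeted   X-Forwarded-For: #{targeted_env['HTTP_X_FORWARDED_FOR']}, " \
       "query: #{query_string_of(targeted_env)}"
  begin
    query_string_of(broad_env)
  rescue NoMethodError => e
    puts "broad filter: #{e.message}"
  end
end
```

Run stand-alone, the unfiltered env shows the proxy's address overwritten by the colliding header, the targeted filter keeps the proxy value and still yields `set_filter=1`, and the broad filter reproduces the nil error because REQUEST_URI and QUERY_STRING never reach the application. The design point is where the filter sits: it has to see original header names, not the merged variable list, because by the time everything is a CGI variable every name contains an underscore.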