[DRE-maint] Bug#884463: passenger: CVE-2017-16355: arbitrary file read
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 16 08:42:58 GMT 2019
Control: tags -1 + patch
Attaching proposed debdiff for NMU, but I'm awaiting confirmation in
#921767 to see if I miss something about the nginx module.
Regards,
Salvatore
-------------- next part --------------
diff -Nru passenger-5.0.30/debian/changelog passenger-5.0.30/debian/changelog
--- passenger-5.0.30/debian/changelog 2016-08-21 19:24:14.000000000 +0200
+++ passenger-5.0.30/debian/changelog 2019-03-16 08:54:26.000000000 +0100
@@ -1,3 +1,13 @@
+passenger (5.0.30-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * arbitrary file read via REVISION symlink (CVE-2017-16355)
+ (Closes: #884463)
+ * Fix privilege escalation in the Nginx module (CVE-2018-12029)
+ (Closes: #921767)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 16 Mar 2019 08:54:26 +0100
+
passenger (5.0.30-1) unstable; urgency=medium
* New upstream release.
diff -Nru passenger-5.0.30/debian/patches/CVE-2017-16355.patch passenger-5.0.30/debian/patches/CVE-2017-16355.patch
--- passenger-5.0.30/debian/patches/CVE-2017-16355.patch 1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/CVE-2017-16355.patch 2019-03-16 08:48:13.000000000 +0100
@@ -0,0 +1,73 @@
+From: "Daniel Knoppel (Phusion)" <daniel at phusion.nl>
+Date: Wed, 11 Oct 2017 15:55:07 +0200
+Subject: arbitrary file read via REVISION symlink
+Origin: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf,
+ https://github.com/phusion/passenger/commit/947af424330f5d5f5006860b2f0140bbba153e42
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16355
+Bug-Debian: https://bugs.debian.org/884463
+
+[carnil: false is actually a defined macro, but the key part of the fix is the emoval of the call to inferApplicationInfo() to adress the issue.
+---
+ src/agent/Core/SpawningKit/Spawner.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/agent/Core/SpawningKit/Spawner.h
++++ b/src/agent/Core/SpawningKit/Spawner.h
+@@ -719,7 +719,6 @@ protected:
+ prepareChroot(info, options);
+ info.userSwitching = prepareUserSwitching(options);
+ prepareSwitchingWorkingDirectory(info, options);
+- inferApplicationInfo(info);
+ return info;
+ }
+
+@@ -773,49 +772,6 @@ protected:
+ assert(info.appRootPathsInsideChroot.back() == info.appRootInsideChroot);
+ }
+
+- void inferApplicationInfo(SpawnPreparationInfo &info) const {
+- info.codeRevision = readFromRevisionFile(info);
+- if (info.codeRevision.empty()) {
+- info.codeRevision = inferCodeRevisionFromCapistranoSymlink(info);
+- }
+- }
+-
+- string readFromRevisionFile(const SpawnPreparationInfo &info) const {
+- string filename = info.appRoot + "/REVISION";
+- try {
+- if (fileExists(filename)) {
+- return strip(readAll(filename));
+- }
+- } catch (const SystemException &e) {
+- P_WARN("Cannot access " << filename << ": " << e.what());
+- }
+- return string();
+- }
+-
+- string inferCodeRevisionFromCapistranoSymlink(const SpawnPreparationInfo &info) const {
+- if (extractBaseName(info.appRoot) == "current") {
+- char buf[PATH_MAX + 1];
+- ssize_t ret;
+-
+- do {
+- ret = readlink(info.appRoot.c_str(), buf, PATH_MAX);
+- } while (ret == -1 && errno == EINTR);
+- if (ret == -1) {
+- if (errno == EINVAL) {
+- return string();
+- } else {
+- int e = errno;
+- P_WARN("Cannot read symlink " << info.appRoot << ": " << strerror(e));
+- }
+- }
+-
+- buf[ret] = '\0';
+- return extractBaseName(buf);
+- } else {
+- return string();
+- }
+- }
+-
+ bool shouldLoadShellEnvvars(const Options &options, const SpawnPreparationInfo &preparation) const {
+ if (options.loadShellEnvvars) {
+ string shellName = extractBaseName(preparation.userSwitching.shell);
diff -Nru passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
--- passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch 1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch 2019-03-16 08:51:30.000000000 +0100
@@ -0,0 +1,52 @@
+From: Camden Narzt <c.narzt at me.com>
+Date: Mon, 14 May 2018 08:34:12 -0600
+Subject: Fix privilege escalation in the Nginx module
+Origin: https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12029
+Bug-Debian: https://bugs.debian.org/921767
+
+The vulnerability is exploitable with a non-standard
+passenger_instance_registry_dir, via a race condition where after a file
+was created, it was chowned via the path not the file descriptor.
+
+The chown entered the code in 2010, so Passenger 4 + 5 all affected.
+---
+ src/nginx_module/ngx_http_passenger_module.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/src/nginx_module/ngx_http_passenger_module.c
++++ b/src/nginx_module/ngx_http_passenger_module.c
+@@ -186,7 +186,7 @@ starting_watchdog_after_fork(void *param
+ }
+
+ static ngx_int_t
+-create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len) {
++create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len, uid_t uid, gid_t gid) {
+ FILE *f;
+ int ret;
+ size_t total_written = 0, written;
+@@ -201,6 +201,9 @@ create_file(ngx_cycle_t *cycle, const u_
+ ret = fchmod(fileno(f), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ } while (ret == -1 && errno == EINTR);
+ do {
++ ret = fchown(fileno(f), uid, gid);
++ } while (ret == -1 && errno == EINTR);
++ do {
+ written = fwrite(contents + total_written, 1,
+ len - total_written, f);
+ total_written += written;
+@@ -327,13 +330,10 @@ start_watchdog(ngx_cycle_t *cycle) {
+ "%s/web_server_control_process.pid",
+ psg_watchdog_launcher_get_instance_dir(psg_watchdog_launcher, NULL));
+ *last = (u_char) '\0';
+- if (create_file(cycle, filename, (const u_char *) "", 0) != NGX_OK) {
++ if (create_file(cycle, filename, (const u_char *) "", 0, (uid_t) core_conf->user, (gid_t) -1) != NGX_OK) {
+ result = NGX_ERROR;
+ goto cleanup;
+ }
+- do {
+- ret = chown((const char *) filename, (uid_t) core_conf->user, (gid_t) -1);
+- } while (ret == -1 && errno == EINTR);
+ if (ret == -1) {
+ result = NGX_ERROR;
+ goto cleanup;
diff -Nru passenger-5.0.30/debian/patches/series passenger-5.0.30/debian/patches/series
--- passenger-5.0.30/debian/patches/series 2016-04-06 21:35:40.000000000 +0200
+++ passenger-5.0.30/debian/patches/series 2019-03-16 08:51:09.000000000 +0100
@@ -1,3 +1,5 @@
fix_install_path.patch
bin_load_path.patch
nodejs_bin_name.patch
+CVE-2017-16355.patch
+Fix-privilege-escalation-in-the-Nginx-module.patch
More information about the Pkg-ruby-extras-maintainers
mailing list