[DRE-maint] Bug#884463: passenger: CVE-2017-16355: arbitrary file read

Salvatore Bonaccorso carnil at debian.org
Sat Mar 16 08:42:58 GMT 2019


Control: tags -1 + patch

Attaching the proposed debdiff for the NMU, but I'm awaiting confirmation in
#921767 to see whether I am missing something about the nginx module.

Regards,
Salvatore
-------------- next part --------------
diff -Nru passenger-5.0.30/debian/changelog passenger-5.0.30/debian/changelog
--- passenger-5.0.30/debian/changelog	2016-08-21 19:24:14.000000000 +0200
+++ passenger-5.0.30/debian/changelog	2019-03-16 08:54:26.000000000 +0100
@@ -1,3 +1,13 @@
+passenger (5.0.30-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * arbitrary file read via REVISION symlink (CVE-2017-16355)
+    (Closes: #884463)
+  * Fix privilege escalation in the Nginx module (CVE-2018-12029)
+    (Closes: #921767)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 16 Mar 2019 08:54:26 +0100
+
 passenger (5.0.30-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru passenger-5.0.30/debian/patches/CVE-2017-16355.patch passenger-5.0.30/debian/patches/CVE-2017-16355.patch
--- passenger-5.0.30/debian/patches/CVE-2017-16355.patch	1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/CVE-2017-16355.patch	2019-03-16 08:48:13.000000000 +0100
@@ -0,0 +1,73 @@
+From: "Daniel Knoppel (Phusion)" <daniel at phusion.nl>
+Date: Wed, 11 Oct 2017 15:55:07 +0200
+Subject: arbitrary file read via REVISION symlink
+Origin: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf,
+ https://github.com/phusion/passenger/commit/947af424330f5d5f5006860b2f0140bbba153e42
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16355
+Bug-Debian: https://bugs.debian.org/884463
+
+[carnil: false is actually a defined macro, but the key part of the fix is the emoval of the call to inferApplicationInfo() to adress the issue.
+---
+ src/agent/Core/SpawningKit/Spawner.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/agent/Core/SpawningKit/Spawner.h
++++ b/src/agent/Core/SpawningKit/Spawner.h
+@@ -719,7 +719,6 @@ protected:
+ 		prepareChroot(info, options);
+ 		info.userSwitching = prepareUserSwitching(options);
+ 		prepareSwitchingWorkingDirectory(info, options);
+-		inferApplicationInfo(info);
+ 		return info;
+ 	}
+ 
+@@ -773,49 +772,6 @@ protected:
+ 		assert(info.appRootPathsInsideChroot.back() == info.appRootInsideChroot);
+ 	}
+ 
+-	void inferApplicationInfo(SpawnPreparationInfo &info) const {
+-		info.codeRevision = readFromRevisionFile(info);
+-		if (info.codeRevision.empty()) {
+-			info.codeRevision = inferCodeRevisionFromCapistranoSymlink(info);
+-		}
+-	}
+-
+-	string readFromRevisionFile(const SpawnPreparationInfo &info) const {
+-		string filename = info.appRoot + "/REVISION";
+-		try {
+-			if (fileExists(filename)) {
+-				return strip(readAll(filename));
+-			}
+-		} catch (const SystemException &e) {
+-			P_WARN("Cannot access " << filename << ": " << e.what());
+-		}
+-		return string();
+-	}
+-
+-	string inferCodeRevisionFromCapistranoSymlink(const SpawnPreparationInfo &info) const {
+-		if (extractBaseName(info.appRoot) == "current") {
+-			char buf[PATH_MAX + 1];
+-			ssize_t ret;
+-
+-			do {
+-				ret = readlink(info.appRoot.c_str(), buf, PATH_MAX);
+-			} while (ret == -1 && errno == EINTR);
+-			if (ret == -1) {
+-				if (errno == EINVAL) {
+-					return string();
+-				} else {
+-					int e = errno;
+-					P_WARN("Cannot read symlink " << info.appRoot << ": " << strerror(e));
+-				}
+-			}
+-
+-			buf[ret] = '\0';
+-			return extractBaseName(buf);
+-		} else {
+-			return string();
+-		}
+-	}
+-
+ 	bool shouldLoadShellEnvvars(const Options &options, const SpawnPreparationInfo &preparation) const {
+ 		if (options.loadShellEnvvars) {
+ 			string shellName = extractBaseName(preparation.userSwitching.shell);
diff -Nru passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
--- passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch	1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch	2019-03-16 08:51:30.000000000 +0100
@@ -0,0 +1,52 @@
+From: Camden Narzt <c.narzt at me.com>
+Date: Mon, 14 May 2018 08:34:12 -0600
+Subject: Fix privilege escalation in the Nginx module
+Origin: https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12029
+Bug-Debian: https://bugs.debian.org/921767
+
+The vulnerability is exploitable with a non-standard
+passenger_instance_registry_dir, via a race condition where after a file
+was created, it was chowned via the path not the file descriptor.
+
+The chown entered the code in 2010, so Passenger 4 + 5 all affected.
+---
+ src/nginx_module/ngx_http_passenger_module.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/src/nginx_module/ngx_http_passenger_module.c
++++ b/src/nginx_module/ngx_http_passenger_module.c
+@@ -186,7 +186,7 @@ starting_watchdog_after_fork(void *param
+ }
+ 
+ static ngx_int_t
+-create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len) {
++create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len, uid_t uid, gid_t gid) {
+     FILE  *f;
+     int    ret;
+     size_t total_written = 0, written;
+@@ -201,6 +201,9 @@ create_file(ngx_cycle_t *cycle, const u_
+             ret = fchmod(fileno(f), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+         } while (ret == -1 && errno == EINTR);
+         do {
++            ret = fchown(fileno(f), uid, gid);
++        } while (ret == -1 && errno == EINTR);
++        do {
+             written = fwrite(contents + total_written, 1,
+                 len - total_written, f);
+             total_written += written;
+@@ -327,13 +330,10 @@ start_watchdog(ngx_cycle_t *cycle) {
+                         "%s/web_server_control_process.pid",
+                         psg_watchdog_launcher_get_instance_dir(psg_watchdog_launcher, NULL));
+     *last = (u_char) '\0';
+-    if (create_file(cycle, filename, (const u_char *) "", 0) != NGX_OK) {
++    if (create_file(cycle, filename, (const u_char *) "", 0, (uid_t) core_conf->user, (gid_t) -1) != NGX_OK) {
+         result = NGX_ERROR;
+         goto cleanup;
+     }
+-    do {
+-        ret = chown((const char *) filename, (uid_t) core_conf->user, (gid_t) -1);
+-    } while (ret == -1 && errno == EINTR);
+     if (ret == -1) {
+         result = NGX_ERROR;
+         goto cleanup;
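Review bot: After the `chown` loop is removed from start_watchdog, the surviving `if (ret == -1)` check tests a `ret` that nothing in the preceding lines assigns any more, so it either reports a stale error from some earlier call or never fires; start_watchdog's body continues outside the hunk, so which assignment it now sees is not visible. In create_file the result of the newly added `fchown(fileno(f), uid, gid)` loop is likewise not examined before execution falls through to the fwrite loop, so a failed ownership change is silent and the file is left owned by the creating process (the visible fchmod result is handled the same way, which is presumably pre-existing). Check the result right after the new loop in create_file, e.g. `if (ret == -1) { fclose(f); return NGX_ERROR; }`, with logging matching whatever create_file already does for its fopen failure (outside the hunk), and either drop the stale check in start_watchdog or make it test the create_file return value explicitly. Moving the ownership change onto the open descriptor is the right shape for the fix, since it no longer re-resolves the path after the file was created.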
diff -Nru passenger-5.0.30/debian/patches/series passenger-5.0.30/debian/patches/series
--- passenger-5.0.30/debian/patches/series	2016-04-06 21:35:40.000000000 +0200
+++ passenger-5.0.30/debian/patches/series	2019-03-16 08:51:09.000000000 +0100
@@ -1,3 +1,5 @@
 fix_install_path.patch
 bin_load_path.patch
 nodejs_bin_name.patch
+CVE-2017-16355.patch
+Fix-privilege-escalation-in-the-Nginx-module.patch

