ruby-passenger: CVE-2014-1831: insecure use of /tmp

Related Vulnerabilities: CVE-2014-1831   CVE-2014-1832   CVE-2008-1569   CVE-2008-1570  

Debian Bug report logs - #736958

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Tue, 28 Jan 2014 19:21:02 UTC

Severity: important

Tags: security

Found in version ruby-passenger/4.0.35-1

Fixed in versions ruby-passenger/4.0.37-1, ruby-passenger/3.0.13debian-1+deb7u2

Done: Felix Geyer <fgeyer@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#736958; Package src:ruby-passenger. (Tue, 28 Jan 2014 19:21:06 GMT).


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-passenger: insecure use of /tmp
Date: Tue, 28 Jan 2014 20:20:13 +0100
Source: ruby-passenger
Version: 4.0.35-1
Severity: important
Tags: security

Upstream has just committed a fix for a security vulnerability:
https://github.com/phusion/passenger/commit/34b1087870c2

Quoting the NEWS file:

Urgency: low
Scope: local exploit
Summary: writing files to arbitrary directory by hijacking temp 
directories
Affected versions: 4.0.5 and later
Fixed versions: 4.0.37

Description:
Phusion Passenger creates a "server instance directory" in /tmp during 
startup, which is a temporary directory that Phusion Passenger uses to 
store working files.  This directory is deleted after Phusion Passenger 
exits. For various technical reasons, this directory must have a 
semi-predictable filename. If a local attacker can predict this 
filename, and precreates a symlink with the same filename that points to 
an arbitrary directory with mode 755, owner root and group root, then 
the attacker will succeed in making Phusion Passenger write files and 
create subdirectories inside that target directory. The following 
files/subdirectories are created:

* control_process.pid
* generation-X, where X is a number.

If you happen to have a file inside the target directory called 
`control_process.pid`, then that file's contents are overwritten.

These files and directories are deleted during Phusion Passenger exit. 
The target directory itself is not deleted, nor are any other contents 
inside the target directory, although the symlink is.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#736958; Package src:ruby-passenger. (Wed, 29 Jan 2014 10:27:04 GMT).


Message #6 received at 736958@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 736958@bugs.debian.org
Subject: Re: Bug#736958: ruby-passenger: insecure use of /tmp
Date: Wed, 29 Jan 2014 11:25:06 +0100

* Jakub Wilk <jwilk@debian.org>, 2014-01-28, 20:20:
>Upstream has just committed a fix for a security vulnerability:
>https://github.com/phusion/passenger/commit/34b1087870c2

Raphael Geissert noticed[0] that the fix is incomplete:
>One thing to notice, however, is that there's a race condition between 
>the stat check introduced in 34b1087870c2.
>The following sequence still triggers the bogus behaviour:
>
><user> mkdir $dir
><phusion> lstat() (getFileTypeNoFollowSymlinks)
><user> rmdir $dir
><user> ln -s /target $dir
><phusion> stat() (from verifyDirectoryPermissions)

[0] http://www.openwall.com/lists/oss-security/2014/01/29/6

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#736958; Package src:ruby-passenger. (Wed, 29 Jan 2014 14:06:09 GMT).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 29 Jan 2014 14:06:09 GMT).


Message #11 received at 736958@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: oss-security@lists.openwall.com
Cc: Jakub Wilk <jwilk@debian.org>, 736958@bugs.debian.org
Subject: Re: [oss-security] CVE request: temporary file issue in Passenger rubygem
Date: Wed, 29 Jan 2014 15:02:07 +0100

On 29 January 2014 09:57, Raphael Geissert <geissert@debian.org> wrote:
[...]
> One thing to notice, however, is that there's a race condition between
> the stat check introduced in 34b1087870c2.
> The following sequence still triggers the bogus behaviour:
>
> <user> mkdir $dir
> <phusion> lstat() (getFileTypeNoFollowSymlinks)
> <user> rmdir $dir
> <user> ln -s /target $dir
> <phusion> stat() (from verifyDirectoryPermissions)
> ...

Upstream has now fixed this with the following commit (basically using
the structure from lstat() for the two checks):
https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
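
An added example, not code from the Passenger source or from any poster in this thread: the first check takes the file type and the permission bits from a single lstat() result, as the follow-up commit is described above, and the second goes beyond the thread by pinning the directory with an O_NOFOLLOW descriptor so that later writes cannot be redirected by swapping the path. The function names, the owner and mode policy, and the /tmp sandbox in run_demo() are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed policy: a real directory owned by `owner` that group and others
 * cannot write to. Type, owner and mode all come from one struct stat. */
static int dir_is_trusted(const struct stat *st, uid_t owner) {
    return S_ISDIR(st->st_mode) && st->st_uid == owner &&
           !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* One lstat(), no second path lookup between the two checks. */
int check_dir_single_lstat(const char *path, uid_t owner) {
    struct stat st;
    return (lstat(path, &st) == 0 && dir_is_trusted(&st, owner)) ? 0 : -1;
}

/* Stronger variant: pin the directory with a descriptor. O_NOFOLLOW refuses a
 * symlink as the last path component; fstat() inspects the object held. */
int open_instance_dir(const char *path, uid_t owner) {
    struct stat st;
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !dir_is_trusted(&st, owner))) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Create a file relative to the pinned directory. O_EXCL refuses an existing
 * name, so a pre-existing control_process.pid is never overwritten. */
int write_pid_file(int dirfd, const char *name, long pid) {
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    int rc = dprintf(fd, "%ld\n", pid) > 0 ? 0 : -1;
    close(fd);
    return rc;
}

/* Constructed sandbox: <base>/real is a directory, <base>/link a symlink to
 * it. Returns 0 when the directory is accepted and the symlink refused. */
int run_demo(void) {
    char base[] = "/tmp/instdir-demo-XXXXXX", real[64], lnk[64];
    if (!mkdtemp(base)) return -1;
    snprintf(real, sizeof real, "%s/real", base);
    snprintf(lnk, sizeof lnk, "%s/link", base);
    uid_t me = geteuid();
    int fd = open_instance_dir(real, me);
    if (fd < 0 || symlink(real, lnk) != 0) return -1;
    int ok = check_dir_single_lstat(real, me) == 0 &&
             check_dir_single_lstat(lnk, me) == -1 &&
             open_instance_dir(lnk, me) == -1 &&
             write_pid_file(fd, "control_process.pid", (long)getpid()) == 0 &&
             write_pid_file(fd, "control_process.pid", 1L) == -1;
    close(fd);
    return ok ? 0 : 1;
}
int main(void) { return run_demo(); }
```

A single lstat() only makes the two checks agree with each other; the path can still be replaced before it is used again, which is the gap the descriptor-based variant closes.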



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#736958; Package src:ruby-passenger. (Thu, 30 Jan 2014 14:36:04 GMT).


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 30 Jan 2014 14:36:05 GMT).


Message #16 received at 736958@bugs.debian.org:

From: cve-assign@mitre.org
To: vdanen@redhat.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, geissert@debian.org, support@phusion.nl, jwilk@debian.org, 736958@bugs.debian.org
Subject: Re: CVE request: temporary file issue in Passenger rubygem
Date: Thu, 30 Jan 2014 09:26:33 -0500 (EST)

> If a local attacker can predict this filename, and precreates a
> symlink with the same filename that points to an arbitrary directory
> with mode 755, owner root and group root, then the attacker will
> succeed in making Phusion Passenger write files and create
> subdirectories inside that target directory.
> 
> It is fixed in upstream version 4.0.33.
> 
> https://github.com/phusion/passenger/commit/34b1087870c2bf85ebfd72c30b78577e10ab9744

> One thing to notice, however, is that there's a race condition between
> the stat check introduced in 34b1087870c2.
> The following sequence still triggers the bogus behaviour:
> 
> <user> mkdir $dir
> <phusion> lstat() (getFileTypeNoFollowSymlinks)
> <user> rmdir $dir
> <user> ln -s /target $dir
> <phusion> stat() (from verifyDirectoryPermissions)

> Upstream has now fixed this with the following commit (basically using
> the structure from lstat() for the two checks):
> https://github.com/phusion/passenger/commit/94428057c602da3d6d34ef75c78091066ecac5c0

Use CVE-2014-1831 for the vulnerability with the "before 4.0.33"
affected versions.

Use CVE-2014-1832 for the vulnerability with the "4.0.33 and earlier"
affected versions.

This is an unusual situation because it depends on a decision about
whether the fix in version 4.0.33 solves part of the problem or
addresses one of the threat models. It also depends on whether two
CVEs should be used to cover a set of reports that are only relevant
to symlink attacks, but arguably have different flaw types.

CVE-2014-1831 requires the ability to create a symlink but apparently
does not require the ability to conduct the described race-condition
attack. The attacker could lack direct shell access, but have some
type of slow or limited access to the system. This could potentially
involve the ability to upload and run scripts that can create symlinks
but can't execute arbitrary commands or code. Alternatively, the
attacker could have access to a file manager with the same
constraints.

Also, in some cases, multiple CVEs are used in the case of a single
original report of a symlink-handling problem, e.g., CVE-2008-1569 and
CVE-2008-1570.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#736958; Package src:ruby-passenger. (Mon, 03 Feb 2014 14:03:08 GMT).


Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 03 Feb 2014 14:03:08 GMT).


Message #21 received at 736958@bugs.debian.org:

From: Tomas Hoger <thoger@redhat.com>
To: oss-security@lists.openwall.com
Cc: cve-assign@mitre.org, vdanen@redhat.com, geissert@debian.org, support@phusion.nl, jwilk@debian.org, 736958@bugs.debian.org
Subject: Re: [oss-security] Re: CVE request: temporary file issue in Passenger rubygem
Date: Mon, 3 Feb 2014 14:59:48 +0100

On Thu, 30 Jan 2014 09:26:33 -0500 (EST) cve-assign@mitre.org wrote:

> > If a local attacker can predict this filename, and precreates a
> > symlink with the same filename that points to an arbitrary directory
> > with mode 755, owner root and group root, then the attacker will
> > succeed in making Phusion Passenger write files and create
> > subdirectories inside that target directory.
> > 
> > It is fixed in upstream version 4.0.33.
> > 
> > https://github.com/phusion/passenger/commit/34b1087870c2bf85ebfd72c30b78577e10ab9744

...

> Use CVE-2014-1831 for the vulnerability with the "before 4.0.33"
> affected versions.
> 
> Use CVE-2014-1832 for the vulnerability with the "4.0.33 and earlier"
> affected versions.

Note that while the original CVE request mentions version 4.0.33, that
seems like a typo as upstream NEWS file indicates: Fixed versions:
4.0.37.  Consequently, the above should be "before 4.0.37" and "4.0.37
and earlier" (or "before 4.0.38").

-- 
Tomas Hoger / Red Hat Security Response Team



Changed Bug title to 'ruby-passenger: CVE-2014-1831: insecure use of /tmp' from 'ruby-passenger: insecure use of /tmp' Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Sun, 09 Feb 2014 10:51:05 GMT).


Reply sent to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility. (Sat, 08 Mar 2014 18:39:16 GMT).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Sat, 08 Mar 2014 18:39:16 GMT).


Message #28 received at 736958-close@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: 736958-close@bugs.debian.org
Subject: Bug#736958: fixed in ruby-passenger 4.0.37-1
Date: Sat, 08 Mar 2014 18:34:14 +0000
Source: ruby-passenger
Source-Version: 4.0.37-1

We believe that the bug you reported is fixed in the latest version of
ruby-passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated ruby-passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 08 Mar 2014 18:15:49 +0100
Source: ruby-passenger
Binary: ruby-passenger libapache2-mod-passenger ruby-passenger-doc
Architecture: source amd64 all
Version: 4.0.37-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description: 
 libapache2-mod-passenger - Rails and Rack support for Apache2
 ruby-passenger - Rails and Rack support
 ruby-passenger-doc - Rails and Rack support for Apache2 - Documentation
Closes: 736958
Changes: 
 ruby-passenger (4.0.37-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2014-1831: insecure use of /tmp. (Closes: #736958)
 .
   [ Cédric Boutillier ]
   * Move upstream GPG key into debian/upstream.
 .
   [ Felix Geyer ]
   * Make sure the build flags are used for all source files.
     - Export CFLAGS and CPPFLAGS as EXTRA_CFLAGS.
   * Don't mention nginx in the package description as it isn't actually
     supported in this package.




Reply sent to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility. (Sun, 16 Mar 2014 18:51:14 GMT).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Sun, 16 Mar 2014 18:51:14 GMT).


Message #33 received at 736958-close@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: 736958-close@bugs.debian.org
Subject: Bug#736958: fixed in ruby-passenger 3.0.13debian-1+deb7u2
Date: Sun, 16 Mar 2014 18:47:10 +0000
Source: ruby-passenger
Source-Version: 3.0.13debian-1+deb7u2

We believe that the bug you reported is fixed in the latest version of
ruby-passenger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated ruby-passenger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 08 Mar 2014 19:42:03 +0100
Source: ruby-passenger
Binary: ruby-passenger libapache2-mod-passenger ruby-passenger-doc
Architecture: source amd64 all
Version: 3.0.13debian-1+deb7u2
Distribution: wheezy
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description: 
 libapache2-mod-passenger - Rails and Rack support for Apache2
 ruby-passenger - Rails and Rack support for Apache2 and Nginx
 ruby-passenger-doc - Rails and Rack support for Apache2 - Documentation
Closes: 736958
Changes: 
 ruby-passenger (3.0.13debian-1+deb7u2) wheezy; urgency=medium
 .
   * Fix CVE-2014-1831 and CVE-2014-1832: insecure use of /tmp.
     (Closes: #736958)
     - Backport upstream commits in CVE-2014-1831.patch and CVE-2014-1832.patch




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 Apr 2014 07:29:45 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:59:22 2019; Machine Name: buxtehude
