Bug#748910: marked as done (CVE-2014-0240: Possibility of local privilege escalation when using daemon, mode)

Debian Bug Tracking System Wed, 04 Jun 2014 05:46:37 -0700

Your message dated Wed, 04 Jun 2014 12:42:34 +0000
with message-id <e1wsawy-00073o...@franck.debian.org>
and subject line Bug#748910: fixed in mod-wsgi 3.3-2+deb6u1
has caused the Debian Bug report #748910,
regarding CVE-2014-0240: Possibility of local privilege escalation when using 
daemon, mode
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
748910: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748910
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libapache2-mod-wsgi
Version: 3.3-4
Severity: critical
Tags: security
Justification: root security hole

Dear Maintainer,

as far as I can tell, CVE-2014-0240 affects the stable package of
mod-wsgi. The
patch provided by the mod-wsgi team applies wih fuzzing to the source
shipped
by debian. If a kernel >= 2.6.0 and < 3.1.0 is installed, this issue might
allow local privilege escalation



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther

commit d9d5fea585b23991f76532a9b07de7fcd3b649f4
Author: Graham Dumpleton <graham.dumple...@gmail.com>
Date:   Wed May 21 16:16:47 2014 +1000

    Local privilege escalation when using daemon mode. (CVE-2014-0240)

diff --git a/mod_wsgi.c b/mod_wsgi.c
index 32b2903..3ef911b 100644
--- a/mod_wsgi.c
+++ b/mod_wsgi.c
@@ -10756,6 +10756,19 @@ static void wsgi_setup_access(WSGIDaemonProcess *daemon)
         ap_log_error(APLOG_MARK, WSGI_LOG_ALERT(errno), wsgi_server,
                      "mod_wsgi (pid=%d): Unable to change to uid=%ld.",
                      getpid(), (long)daemon->group->uid);
+
+        /*
+         * On true UNIX systems this should always succeed at
+         * this point. With certain Linux kernel versions though
+         * we can get back EAGAIN where the target user had
+         * reached their process limit. In that case will be left
+         * running as wrong user. Just exit on all failures to be
+         * safe. Don't die immediately to avoid a fork bomb.
+         */
+
+        sleep(20);
+
+        exit(-1);
     }
 
     /*

smime.p7s
Description: S/MIME Cryptographic Signature

--- End Message ---

--- Begin Message ---

Source: mod-wsgi
Source-Version: 3.3-2+deb6u1

We believe that the bug you reported is fixed in the latest version of
mod-wsgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 748...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fge...@debian.org> (supplier of updated mod-wsgi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 21 May 2014 22:44:27 +0200
Source: mod-wsgi
Binary: libapache2-mod-wsgi libapache2-mod-wsgi-py3
Architecture: source amd64
Version: 3.3-2+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Debian Python Modules Team 
<python-modules-t...@lists.alioth.debian.org>
Changed-By: Felix Geyer <fge...@debian.org>
Description: 
 libapache2-mod-wsgi - Python WSGI adapter module for Apache
 libapache2-mod-wsgi-py3 - Python 3 WSGI adapter module for Apache
Closes: 748910
Changes: 
 mod-wsgi (3.3-2+deb6u1) squeeze-security; urgency=high
 .
   * Fix possibility of local privilege escalation when using daemon mode.
     (Closes: #748910)
     - CVE-2014-0240
     - Backport upstream commit d9d5fea.
   * Fix possibility of disclosure via Content-Type response header.
     - CVE-2014-0242
     - Backport upstream commit b0a149c.
Checksums-Sha1: 
 2ae01a7649db41c1b98ff43f1dc0ec0af266ff85 1984 mod-wsgi_3.3-2+deb6u1.dsc
 f32d38e5d3ed5de1efd5abefb52678f833dc9166 117930 mod-wsgi_3.3.orig.tar.gz
 a8550dc297ccff8ed6ce9ca4489482d09369b7b1 9634 mod-wsgi_3.3-2+deb6u1.diff.gz
 0f0e3a843a3e52546d01a3e5e907d164a3e0309f 137214 
libapache2-mod-wsgi_3.3-2+deb6u1_amd64.deb
 bbed301bb1cb07fcc14b8953b73f498229fc7be6 78176 
libapache2-mod-wsgi-py3_3.3-2+deb6u1_amd64.deb
Checksums-Sha256: 
 cb255ec35759bab60f0387d9c693f1888c107a0a25018fcfdb47c7b1b0eb5e6e 1984 
mod-wsgi_3.3-2+deb6u1.dsc
 d96e1078990484cfe5579df1e95dc73f009495e9c3f9a066b0983650bd9e3243 117930 
mod-wsgi_3.3.orig.tar.gz
 d777d62b9159e4f561f400d1c9877a7887856139935852dee052a22c371cdafc 9634 
mod-wsgi_3.3-2+deb6u1.diff.gz
 94ad04a72ba3451a35870444609db369b8dc6fa59e6ca9e37a8819255e5e630f 137214 
libapache2-mod-wsgi_3.3-2+deb6u1_amd64.deb
 e4e4b01fb4beb42b9a9499d5d1190923c16e2f8636cdf7de0706eb03921e2eb4 78176 
libapache2-mod-wsgi-py3_3.3-2+deb6u1_amd64.deb
Files: 
 a5a87442f42d1d79bf3771b89c93162f 1984 httpd optional mod-wsgi_3.3-2+deb6u1.dsc
 6172bb2bbabcd0c25867c2bc06f99dbb 117930 httpd optional mod-wsgi_3.3.orig.tar.gz
 725bd1118990d6db57f5d21e8d1dcaee 9634 httpd optional 
mod-wsgi_3.3-2+deb6u1.diff.gz
 a8403a2ab34e293194e9253d737e5e8c 137214 httpd optional 
libapache2-mod-wsgi_3.3-2+deb6u1_amd64.deb
 e78ffb54d79a09e0fa583e5700f93584 78176 httpd optional 
libapache2-mod-wsgi-py3_3.3-2+deb6u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTfhkcAAoJEP4ixv2DE11FxCgQAK9g7MeIr086J9keAdq0Aoby
e2OO4V7HoYObnA6KJ99XihSa4LyAfU+QEe/6HxHMKjVdnToDLfS3+t79dQUHY73t
w431HtbjWKfF2WKAfbFycxhNTa39kuG/dXYaoZCpz0rDC1nybQMypMsOJ1M6gPVz
6YP4nmtqtIRbtPm8Rs3qsUT2J+c6sjuiKqSbKo85d+Cct7ItiTmAf9W62xNAZGfA
A6I/cr5nA8cG743CJ3csw9R8RzF6uothzgPo99F7ZkVXNaPm6dFQojspS44byf9u
iu1tfV0AAt9UWJEKxu6wy63TdPlkIn3Te1tVbAZoJ3Fdir4ml3Jhxs3gW2XwYFdb
pBnSTOoGv/L01pMRfB8Y8jvJcjKOBfbX9C9MQJMMo6mvu7HGDYXo+RYVg7BfqQJi
IecDjMINtQ+aKHzGPTVNT/MrzqRdQJl/3pyUy+8O2YtN+ozw597aUOaezr/iSaK1
qz9Xrbk/tZBCvvatRbLaa0BodV2+s/D2hK0BW47+chQF3zGYYPgIv8EoLcO2QeRx
xRxEXb2O58hOGfCUAzsR4ZYr2d+rvPtoNmSIp+ht4u4tDM+RRkaGFbizbVsAsaGf
z/CxGDH1weXEDJ7m5ww0QbxeQv/DC4tRnX38WHS9wycVYQX2azTLi2IS6zqwktsH
tWRm9LH95LueRa+XW1dz
=P3X9
-----END PGP SIGNATURE-----

--- End Message ---

Bug#748910: marked as done (CVE-2014-0240: Possibility of local privilege escalation when using daemon, mode)

Reply via email to