Control: tags -1 + patch
Attaching the proposed debdiff for an NMU, but I'm awaiting confirmation in #921767 to see whether I am missing something about the nginx module.
Regards, Salvatore
diff -Nru passenger-5.0.30/debian/changelog passenger-5.0.30/debian/changelog
--- passenger-5.0.30/debian/changelog 2016-08-21 19:24:14.000000000 +0200
+++ passenger-5.0.30/debian/changelog 2019-03-16 08:54:26.000000000 +0100
@@ -1,3 +1,13 @@
+passenger (5.0.30-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * arbitrary file read via REVISION symlink (CVE-2017-16355)
+ (Closes: #884463)
+ * Fix privilege escalation in the Nginx module (CVE-2018-12029)
+ (Closes: #921767)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 16 Mar 2019 08:54:26 +0100
+
 passenger (5.0.30-1) unstable; urgency=medium

 * New upstream release.
diff -Nru passenger-5.0.30/debian/patches/CVE-2017-16355.patch passenger-5.0.30/debian/patches/CVE-2017-16355.patch
--- passenger-5.0.30/debian/patches/CVE-2017-16355.patch 1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/CVE-2017-16355.patch 2019-03-16 08:48:13.000000000 +0100
@@ -0,0 +1,73 @@
+From: "Daniel Knoppel (Phusion)" <dan...@phusion.nl>
+Date: Wed, 11 Oct 2017 15:55:07 +0200
+Subject: arbitrary file read via REVISION symlink
+Origin: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf,
+ https://github.com/phusion/passenger/commit/947af424330f5d5f5006860b2f0140bbba153e42
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16355
+Bug-Debian: https://bugs.debian.org/884463
+
+[carnil: false is actually a defined macro, but the key part of the fix is the emoval of the call to inferApplicationInfo() to adress the issue.
+---
+ src/agent/Core/SpawningKit/Spawner.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/agent/Core/SpawningKit/Spawner.h
++++ b/src/agent/Core/SpawningKit/Spawner.h
+@@ -719,7 +719,6 @@ protected:
+ prepareChroot(info, options);
+ info.userSwitching = prepareUserSwitching(options);
+ prepareSwitchingWorkingDirectory(info, options);
+- inferApplicationInfo(info);
+ return info;
+ }
+
+@@ -773,49 +772,6 @@ protected:
+ assert(info.appRootPathsInsideChroot.back() == info.appRootInsideChroot);
+ }
+
+- void inferApplicationInfo(SpawnPreparationInfo &info) const {
+- info.codeRevision = readFromRevisionFile(info);
+- if (info.codeRevision.empty()) {
+- info.codeRevision = inferCodeRevisionFromCapistranoSymlink(info);
+- }
+- }
+-
+- string readFromRevisionFile(const SpawnPreparationInfo &info) const {
+- string filename = info.appRoot + "/REVISION";
+- try {
+- if (fileExists(filename)) {
+- return strip(readAll(filename));
+- }
+- } catch (const SystemException &e) {
+- P_WARN("Cannot access " << filename << ": " << e.what());
+- }
+- return string();
+- }
+-
+- string inferCodeRevisionFromCapistranoSymlink(const SpawnPreparationInfo &info) const {
+- if (extractBaseName(info.appRoot) == "current") {
+- char buf[PATH_MAX + 1];
+- ssize_t ret;
+-
+- do {
+- ret = readlink(info.appRoot.c_str(), buf, PATH_MAX);
+- } while (ret == -1 && errno == EINTR);
+- if (ret == -1) {
+- if (errno == EINVAL) {
+- return string();
+- } else {
+- int e = errno;
+- P_WARN("Cannot read symlink " << info.appRoot << ": " << strerror(e));
+- }
+- }
+-
+- buf[ret] = '\0';
+- return extractBaseName(buf);
+- } else {
+- return string();
+- }
+- }
+-
+ bool shouldLoadShellEnvvars(const Options &options, const SpawnPreparationInfo &preparation) const {
+ if (options.loadShellEnvvars) {
+ string shellName = extractBaseName(preparation.userSwitching.shell);
diff -Nru passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
--- passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch 1970-01-01 01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch 2019-03-16 08:51:30.000000000 +0100
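Review bot: With the call removed from the @@ -719 hunk, nothing in the visible patch assigns info.codeRevision any more, so whatever consumes that field outside these hunks now always sees an empty string; worth confirming those call sites treat an empty revision as "unknown" rather than as an error. The bracketed `[carnil:` note in the patch header is never closed, its opening clause about `false` being a macro has no referent in this patch, and it carries two typos ("emoval", "adress"); suggest `[carnil: the key part of the fix is the removal of the inferApplicationInfo() call, which stops Passenger from reading the REVISION file in the application root.]`. The class in Spawner.h that holds these methods starts and ends outside the hunks.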
@@ -0,0 +1,52 @@
+From: Camden Narzt <c.na...@me.com>
+Date: Mon, 14 May 2018 08:34:12 -0600
+Subject: Fix privilege escalation in the Nginx module
+Origin: https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12029
+Bug-Debian: https://bugs.debian.org/921767
+
+The vulnerability is exploitable with a non-standard
+passenger_instance_registry_dir, via a race condition where after a file
+was created, it was chowned via the path not the file descriptor.
+
+The chown entered the code in 2010, so Passenger 4 + 5 all affected.
+---
+ src/nginx_module/ngx_http_passenger_module.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/src/nginx_module/ngx_http_passenger_module.c
++++ b/src/nginx_module/ngx_http_passenger_module.c
+@@ -186,7 +186,7 @@ starting_watchdog_after_fork(void *param
+ }
+
+ static ngx_int_t
+-create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len) {
++create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len, uid_t uid, gid_t gid) {
+ FILE *f;
+ int ret;
+ size_t total_written = 0, written;
+@@ -201,6 +201,9 @@ create_file(ngx_cycle_t *cycle, const u_
+ ret = fchmod(fileno(f), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ } while (ret == -1 && errno == EINTR);
+ do {
++ ret = fchown(fileno(f), uid, gid);
++ } while (ret == -1 && errno == EINTR);
++ do {
+ written = fwrite(contents + total_written, 1,
+ len - total_written, f);
+ total_written += written;
+@@ -327,13 +330,10 @@ start_watchdog(ngx_cycle_t *cycle) {
+ "%s/web_server_control_process.pid",
+ psg_watchdog_launcher_get_instance_dir(psg_watchdog_launcher, NULL));
+ *last = (u_char) '\0';
+- if (create_file(cycle, filename, (const u_char *) "", 0) != NGX_OK) {
++ if (create_file(cycle, filename, (const u_char *) "", 0, (uid_t) core_conf->user, (gid_t) -1) != NGX_OK) {
+ result = NGX_ERROR;
+ goto cleanup;
}
+- do {
+- ret = chown((const char *) filename, (uid_t) core_conf->user, (gid_t) -1);
+- } while (ret == -1 && errno == EINTR);
+ if (ret == -1) {
+ result = NGX_ERROR;
+ goto cleanup;
diff -Nru passenger-5.0.30/debian/patches/series passenger-5.0.30/debian/patches/series
--- passenger-5.0.30/debian/patches/series 2016-04-06 21:35:40.000000000 +0200
+++ passenger-5.0.30/debian/patches/series 2019-03-16 08:51:09.000000000 +0100
@@ -1,3 +1,5 @@
 fix_install_path.patch
 bin_load_path.patch
 nodejs_bin_name.patch
+CVE-2017-16355.patch
+Fix-privilege-escalation-in-the-Nginx-module.patch