On 13.10.2016 22:22, Paul Szabo wrote:
> Package: tomcat8
> Version: 8.0.14-1+deb8u3
> Severity: critical
> Tags: security
> Justification: root security hole
>
>
> [ I contacted t...@security.debian.org about this, but no response ... ]

I am CCing the security team in case they want to chime in here.

> Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:
>
> ...
> NAME=tomcat8
> ...
> JVM_TMP=/tmp/tomcat8-$NAME-tmp
> ...
> # Remove / recreate JVM_TMP directory
> rm -rf "$JVM_TMP"
> mkdir -p "$JVM_TMP" || {
>     log_failure_msg "could not create JVM temporary directory"
>     exit 1
> }
> chown $TOMCAT8_USER "$JVM_TMP"
> ...

No, we did not modify this part in /etc/init.d/tomcat8. We fixed
CVE-2016-1240 by applying this patch
https://anonscm.debian.org/cgit/pkg-java/tomcat8.git/commit/?h=jessie&id=9a9fd4f1cae13304beed6d4e445d1be8a3917fe0

> That suffers from a TOCTOU race condition.
>
> An attacker can, after the "rm -rf", create a symlink to /etc. Then
> "mkdir -p" returns success (though does nothing); and chown follows
> the symlink. That is "game over": ability to replace /etc/passwd.
>
> The attacker can use inotify and act quickly, and have a good chance
> of winning the race to create the symlink before the init.d script
> starts a new mkdir process.
>
> Do you need some working PoC code?

I don't understand how this affects our solution for CVE-2016-1240. If you
claim this is a new issue, then more information and a working proof of
concept code are appreciated. Please send them to the security team first
and not to a public mailing list.
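For readers following the thread: the sequence quoted above is dangerous because `mkdir -p` treats a pre-planted symlink as "already exists" and the following `chown` dereferences it. The snippet below is an added illustration of a symlink-safe way to claim such a directory; it is not code from the Debian package or from either correspondent, and the function names and return codes are my own.

```shell
#!/bin/sh
# Constructed example: symlink-safe replacement for the
#   rm -rf "$JVM_TMP"; mkdir -p "$JVM_TMP"; chown "$USER" "$JVM_TMP"
# sequence. Assumes POSIX sh and a chown that supports -h (GNU/BSD do).

# claim_private_dir DIR OWNER
# Creates DIR as a brand-new real directory and hands it to OWNER.
# Returns 0 on success, 1 if DIR already exists in any form (including
# a planted symlink), 2 if the chown itself failed.
claim_private_dir() {
    dir=$1
    owner=$2

    # mkdir WITHOUT -p: if anything already sits at $dir (a symlink to
    # /etc, a file, a directory) mkdir fails with EEXIST instead of
    # reporting success, so the script stops rather than chowning it.
    if ! mkdir -m 0700 -- "$dir" 2>/dev/null; then
        return 1
    fi

    # Belt and braces: only proceed if it is a real directory, not a link.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi

    # chown -h never dereferences a symlink, so even if the path were
    # swapped under us the target of a link could not be touched.
    chown -h -- "$owner" "$dir" || return 2
    return 0
}

# safe_private_dir DIR OWNER
# Same job as the quoted init.d block: discard any old copy, then claim.
# The window between rm and mkdir still exists, but winning it now only
# makes mkdir fail; it no longer redirects chown to a victim path.
safe_private_dir() {
    rm -rf -- "$1"
    claim_private_dir "$1" "$2"
}
```

Under a sticky-bit /tmp, once root's `mkdir` has succeeded an unprivileged user cannot remove or rename that directory, so the remaining race between `mkdir` and `chown` cannot be won either.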