Hi,

On Fri, Feb 08, 2019 at 10:50:41PM +0100, Moritz Muehlenhoff wrote:
> Source: passenger
> Severity: grave
> Tags: security
> 
> This was assigned CVE-2018-12029:
> https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
> https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86

I think this issue should be lowered to minor or normal, as it fixes
the issue specifically in the nginx module, which AFAICS is not built
in the Debian build.

Am I missing something?

I have an NMU for the current two passenger issues, which still
includes the changes for CVE-2018-12029.

Regards,
Salvatore
diff -Nru passenger-5.0.30/debian/changelog passenger-5.0.30/debian/changelog
--- passenger-5.0.30/debian/changelog   2016-08-21 19:24:14.000000000 +0200
+++ passenger-5.0.30/debian/changelog   2019-03-16 08:54:26.000000000 +0100
@@ -1,3 +1,13 @@
+passenger (5.0.30-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * arbitrary file read via REVISION symlink (CVE-2017-16355)
+    (Closes: #884463)
+  * Fix privilege escalation in the Nginx module (CVE-2018-12029)
+    (Closes: #921767)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 16 Mar 2019 08:54:26 +0100
+
 passenger (5.0.30-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru passenger-5.0.30/debian/patches/CVE-2017-16355.patch 
passenger-5.0.30/debian/patches/CVE-2017-16355.patch
--- passenger-5.0.30/debian/patches/CVE-2017-16355.patch        1970-01-01 
01:00:00.000000000 +0100
+++ passenger-5.0.30/debian/patches/CVE-2017-16355.patch        2019-03-16 
08:48:13.000000000 +0100
@@ -0,0 +1,73 @@
+From: "Daniel Knoppel (Phusion)" <dan...@phusion.nl>
+Date: Wed, 11 Oct 2017 15:55:07 +0200
+Subject: arbitrary file read via REVISION symlink
+Origin: 
https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf,
+ 
https://github.com/phusion/passenger/commit/947af424330f5d5f5006860b2f0140bbba153e42
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16355
+Bug-Debian: https://bugs.debian.org/884463
+
+[carnil: false is actually a defined macro, but the key part of the fix is the 
emoval of the call to inferApplicationInfo() to adress the issue.
+---
+ src/agent/Core/SpawningKit/Spawner.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/agent/Core/SpawningKit/Spawner.h
++++ b/src/agent/Core/SpawningKit/Spawner.h
+@@ -719,7 +719,6 @@ protected:
+               prepareChroot(info, options);
+               info.userSwitching = prepareUserSwitching(options);
+               prepareSwitchingWorkingDirectory(info, options);
+-              inferApplicationInfo(info);
+               return info;
+       }
+ 
+@@ -773,49 +772,6 @@ protected:
+               assert(info.appRootPathsInsideChroot.back() == 
info.appRootInsideChroot);
+       }
+ 
+-      void inferApplicationInfo(SpawnPreparationInfo &info) const {
+-              info.codeRevision = readFromRevisionFile(info);
+-              if (info.codeRevision.empty()) {
+-                      info.codeRevision = 
inferCodeRevisionFromCapistranoSymlink(info);
+-              }
+-      }
+-
+-      string readFromRevisionFile(const SpawnPreparationInfo &info) const {
+-              string filename = info.appRoot + "/REVISION";
+-              try {
+-                      if (fileExists(filename)) {
+-                              return strip(readAll(filename));
+-                      }
+-              } catch (const SystemException &e) {
+-                      P_WARN("Cannot access " << filename << ": " << 
e.what());
+-              }
+-              return string();
+-      }
+-
+-      string inferCodeRevisionFromCapistranoSymlink(const 
SpawnPreparationInfo &info) const {
+-              if (extractBaseName(info.appRoot) == "current") {
+-                      char buf[PATH_MAX + 1];
+-                      ssize_t ret;
+-
+-                      do {
+-                              ret = readlink(info.appRoot.c_str(), buf, 
PATH_MAX);
+-                      } while (ret == -1 && errno == EINTR);
+-                      if (ret == -1) {
+-                              if (errno == EINVAL) {
+-                                      return string();
+-                              } else {
+-                                      int e = errno;
+-                                      P_WARN("Cannot read symlink " << 
info.appRoot << ": " << strerror(e));
+-                              }
+-                      }
+-
+-                      buf[ret] = '\0';
+-                      return extractBaseName(buf);
+-              } else {
+-                      return string();
+-              }
+-      }
+-
+       bool shouldLoadShellEnvvars(const Options &options, const 
SpawnPreparationInfo &preparation) const {
+               if (options.loadShellEnvvars) {
+                       string shellName = 
extractBaseName(preparation.userSwitching.shell);
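Review bot: The carnil note at the top of the new patch header (`[carnil: false is actually a defined macro, but ...`) is left unclosed, carries two typos (`emoval`, `adress`), and does not record what the Debian-side effect of dropping the whole inference path is. The new side of the inner patch removes the only assignment to `info.codeRevision` visible here, so that field presumably stays empty for every spawned application; if anything downstream reads it (logging or reporting, say), the header is the place to say so, since this goes slightly beyond the two upstream commits it cites. I would write the note as `[carnil: "false" is a defined macro upstream; the key part of the fix is the removal of the inferApplicationInfo() call, which addresses the issue. As a side effect codeRevision is no longer inferred from REVISION or from the Capistrano "current" symlink.]`. The class that the inner patch edits in Spawner.h begins and ends outside the quoted hunks, so I cannot confirm from here whether codeRevision has other writers.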
diff -Nru 
passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
 
passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
--- 
passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
passenger-5.0.30/debian/patches/Fix-privilege-escalation-in-the-Nginx-module.patch
  2019-03-16 08:51:30.000000000 +0100
@@ -0,0 +1,52 @@
+From: Camden Narzt <c.na...@me.com>
+Date: Mon, 14 May 2018 08:34:12 -0600
+Subject: Fix privilege escalation in the Nginx module
+Origin: 
https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-12029
+Bug-Debian: https://bugs.debian.org/921767
+
+The vulnerability is exploitable with a non-standard
+passenger_instance_registry_dir, via a race condition where after a file
+was created, it was chowned via the path not the file descriptor.
+
+The chown entered the code in 2010, so Passenger 4 + 5 all affected.
+---
+ src/nginx_module/ngx_http_passenger_module.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/src/nginx_module/ngx_http_passenger_module.c
++++ b/src/nginx_module/ngx_http_passenger_module.c
+@@ -186,7 +186,7 @@ starting_watchdog_after_fork(void *param
+ }
+ 
+ static ngx_int_t
+-create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char 
*contents, size_t len) {
++create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char 
*contents, size_t len, uid_t uid, gid_t gid) {
+     FILE  *f;
+     int    ret;
+     size_t total_written = 0, written;
+@@ -201,6 +201,9 @@ create_file(ngx_cycle_t *cycle, const u_
+             ret = fchmod(fileno(f), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+         } while (ret == -1 && errno == EINTR);
+         do {
++            ret = fchown(fileno(f), uid, gid);
++        } while (ret == -1 && errno == EINTR);
++        do {
+             written = fwrite(contents + total_written, 1,
+                 len - total_written, f);
+             total_written += written;
+@@ -327,13 +330,10 @@ start_watchdog(ngx_cycle_t *cycle) {
+                         "%s/web_server_control_process.pid",
+                         
psg_watchdog_launcher_get_instance_dir(psg_watchdog_launcher, NULL));
+     *last = (u_char) '\0';
+-    if (create_file(cycle, filename, (const u_char *) "", 0) != NGX_OK) {
++    if (create_file(cycle, filename, (const u_char *) "", 0, (uid_t) 
core_conf->user, (gid_t) -1) != NGX_OK) {
+         result = NGX_ERROR;
+         goto cleanup;
+     }
+-    do {
+-        ret = chown((const char *) filename, (uid_t) core_conf->user, (gid_t) 
-1);
+-    } while (ret == -1 && errno == EINTR);
+     if (ret == -1) {
+         result = NGX_ERROR;
+         goto cleanup;
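Review bot: The fchown loop added to create_file (`ret = fchown(fileno(f), uid, gid);`) stores its result in `ret`, but nothing in this hunk examines it, whereas the chown-by-path loop it replaces had its failure caught by the `if (ret == -1)` that still follows the create_file call in start_watchdog. On the new side that check tests a `ret` which is no longer assigned anywhere in the hunk, so a failed fchown (for instance when the process lacks the privilege to change the file's owner) makes create_file return NGX_OK with the pid file still owned by the creating user, while the stale `ret` test can trip or stay silent depending on whatever value it last held earlier in start_watchdog. I would make create_file report the fd-based chown failure — after the loop, `if (ret == -1) { fclose(f); return NGX_ERROR; }` — and remove the now-orphaned `if (ret == -1)` block in start_watchdog, since create_file's return value already covers that case. Both create_file and start_watchdog begin and end outside the hunk, so whether a later line in create_file already inspects `ret`, or whether the fchmod result is deliberately left unchecked by the same convention, I cannot tell from here.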
diff -Nru passenger-5.0.30/debian/patches/series 
passenger-5.0.30/debian/patches/series
--- passenger-5.0.30/debian/patches/series      2016-04-06 21:35:40.000000000 
+0200
+++ passenger-5.0.30/debian/patches/series      2019-03-16 08:51:09.000000000 
+0100
@@ -1,3 +1,5 @@
 fix_install_path.patch
 bin_load_path.patch
 nodejs_bin_name.patch
+CVE-2017-16355.patch
+Fix-privilege-escalation-in-the-Nginx-module.patch
