Your message dated Mon, 19 Dec 2022 20:49:54 +0000
with message-id <e1p7n58-000mr8...@fasolo.debian.org>
and subject line Bug#1023688: fixed in fcgiwrap 1.1.0-14
has caused the Debian Bug report #1023688,
regarding improper permissions on fcgiwrap systemd socket lead to privilege 
escalation to www-data under default config
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1023688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023688
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fcgiwrap
Version: 1.1.0-12
Severity: critical
Tags: patch, security

On a default installation of Debian 11 (bullseye) with other releases probably 
also affected, systemd socket file /lib/systemd/system/fcgiwrap.socket from 
package fcgiwrap contains no Mode= configuration parameter, making systemd pick 
the default 0666. The socket is therefore world accessible and any user on the 
system may, when package fcgiwrap is installed, elevate privileges and execute 
code as www-data user by communicating with the socket via fastcgi protocol. 
www-data is specified as User= and Group= in 
/lib/systemd/system/fcgiwrap.service, also supplied by package fcgiwrap.

Proof of concept terminal recording: http://upload.sijanec.eu/f.mp4

Solution: add SocketMode=0660, SocketUser=www-data, Group=www-data to 
/lib/systemd/system/fcgiwrap.socket --- this would, however, break existing 
configurations that rely on /run/fcgiwrap.socket being world connectable.

Is this intended behaviour? Doesn't it break user's expectations, as suddenly 
everyone can influence httpd (nginx slaves also run under www-data, for 
example)?

----- BEGIN PATCH -----
Author: Anton Luka Šijanec <an...@sijanec.eu>
Description: Modify default user/group and listening mode of socket
Forwarded: no

--- a/systemd/fcgiwrap.socket
+++ b/systemd/fcgiwrap.socketfixed
@@ -3,6 +3,9 @@ Description=fcgiwrap Socket

 [Socket]
 ListenStream=/run/fcgiwrap.sock
+Mode=0660
+SocketUser=www-data
+SockerGroup=www-data

 [Install]
 WantedBy=sockets.target
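Review bot: two of the three added [Socket] lines use key names systemd does not recognise, `Mode=0660` and `SockerGroup=www-data`; they should read `SocketMode=0660` and `SocketGroup=www-data` (the Solution line above already says SocketMode=). systemd ignores unknown keys with a warning, so with the hunk as posted the socket would keep the default 0666 mode and only SocketUser= would take effect. Separately, the context line has ListenStream=/run/fcgiwrap.sock while the installed unit quoted under Attachments has /run/fcgiwrap.socket, and the +++ header names fcgiwrap.socketfixed rather than fcgiwrap.socket, so the hunk does not match the shipped file as written.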
----- END PATCH -----

Attachments:
root@host:~# ls -lah /run/fcgiwrap.socket
srw-rw-rw- 1 root root 0 Nov  8 19:42 /run/fcgiwrap.socket

=> /lib/systemd/system/fcgiwrap.socket
[Unit]
Description=fcgiwrap Socket

[Socket]
ListenStream=/run/fcgiwrap.socket

[Install]
WantedBy=sockets.target



=> /lib/systemd/system/fcgiwrap.service
[Unit]
Description=Simple CGI Server
After=nss-user-lookup.target
Requires=fcgiwrap.socket

[Service]
Environment=DAEMON_OPTS=-f
EnvironmentFile=-/etc/default/fcgiwrap
ExecStart=/usr/sbin/fcgiwrap ${DAEMON_OPTS}
User=www-data
Group=www-data

[Install]
Also=fcgiwrap.socket

-- 
Anton Luka Šijanec <an...@sijanec.eu>
F4C3E3A4DFB7254397A9F993E76135F49802CD14
http://splet.sijanec.eu/pgp-key.txt

--- End Message ---
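
An audit for the condition reported above, as an added example that is not part of the original report or of the Debian package: it reads a .socket unit, works out the mode systemd will apply to a filesystem unix socket, and flags near-miss key names that systemd would ignore. The function names are hypothetical, the three sample units are constructed from the text quoted in the report, and the last one assumes the SocketGroup= spelling from systemd.socket(5).

```python
import difflib

ACCESS_KEYS = ("SocketMode", "SocketUser", "SocketGroup")  # systemd.socket(5)

def socket_settings(unit_text):
    """Collect key/value pairs from the [Socket] section of a unit file."""
    section, found = None, {}
    for line in (l.strip() for l in unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Socket" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            found[key.strip()] = value.strip()
    return found

def audit(unit_text):
    """Return findings for a unit that listens on a filesystem unix socket."""
    cfg, findings = socket_settings(unit_text), []
    if not cfg.get("ListenStream", "").startswith("/"):
        return findings  # not a pathname socket, file modes do not apply
    for key in cfg:
        if key in ACCESS_KEYS or key == "ListenStream":
            continue
        # systemd ignores a key it does not know (with a warning), so a
        # near-miss spelling silently leaves the default in force.
        if (any(k.endswith(key) for k in ACCESS_KEYS)
                or difflib.get_close_matches(key, ACCESS_KEYS, n=1, cutoff=0.8)):
            findings.append(("suspect-key", key))
    mode = int(cfg.get("SocketMode", "0666"), 8)  # 0666 is systemd's default
    if mode & 0o002:  # connect() on a unix stream socket needs write permission
        findings.append(("world-connectable", oct(mode)))
    return findings

def unit(*extra):
    """Build a constructed fcgiwrap.socket unit with extra [Socket] lines."""
    body = ["[Unit]", "Description=fcgiwrap Socket", "", "[Socket]",
            "ListenStream=/run/fcgiwrap.socket", *extra, "",
            "[Install]", "WantedBy=sockets.target"]
    return "\n".join(body) + "\n"

SHIPPED = unit()  # unit file as quoted under Attachments
AS_POSTED = unit("Mode=0660", "SocketUser=www-data", "SockerGroup=www-data")
CORRECTED = unit("SocketMode=0660", "SocketUser=www-data", "SocketGroup=www-data")

if __name__ == "__main__":
    for name in ("SHIPPED", "AS_POSTED", "CORRECTED"):
        print(name, audit(globals()[name]))
```

The parser reads a single unit file only; drop-in overrides under a `.socket.d/` directory would have to be merged before calling `audit`.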
--- Begin Message ---
Source: fcgiwrap
Source-Version: 1.1.0-14
Done: Jordi Mallach <jo...@debian.org>

We believe that the bug you reported is fixed in the latest version of
fcgiwrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jo...@debian.org> (supplier of updated fcgiwrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 17 Dec 2022 18:23:54 +0100
Source: fcgiwrap
Architecture: source
Version: 1.1.0-14
Distribution: unstable
Urgency: medium
Maintainer: Debian fcgiwrap Maintainers <team+fcgiw...@tracker.debian.org>
Changed-By: Jordi Mallach <jo...@debian.org>
Closes: 1023688 1026251
Changes:
 fcgiwrap (1.1.0-14) unstable; urgency=medium
 .
   * Brown paper bag release.
   * Fix typo in systemd socket definition which actually made the
     security fixes in -13 not effective (closes: #1023688, #1026251).

--- End Message ---
