Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate
Hi,

On Wed, 8 May 2019 20:32:53 +0200 Salvatore Bonaccorso wrote:
> Hi,
>
> [please always include team@security.d.o so any team member can
> reply]

I've got it, thanks.

> On Wed, May 08, 2019 at 12:03:49PM +0900, Hideki Yamane wrote:
> > Hi Salvatore,
> >
> > Can you follow his question? I guess the Debian revision should be
> > 6.1.5-1+deb9u1, but others are okay.
>
> I think updating groonga via a future point release is enough for this
> issue, can you go ahead for this route? (change the target
> distribution to stretch instead of stretch-security for that).

Ok, I've uploaded.

> In particular though I think the issue should be fixed in unstable and
> buster, but I notice that testing has 9.0.0-1 and 9.0.1-1 did not
> migrate. So either the release team will accept to unblock 9.0.1-1 or
> buster would need a targeted fix as well via testing-proposed-updates,
> cf. https://release.debian.org/buster/freeze_policy.html .

I've filed an unblock bug.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928715

Regards,
Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate
Hi,

[please always include team@security.d.o so any team member can reply]

On Wed, May 08, 2019 at 12:03:49PM +0900, Hideki Yamane wrote:
> Hi Salvatore,
>
> Can you follow his question? I guess the Debian revision should be
> 6.1.5-1+deb9u1, but others are okay.

I think updating groonga via a future point release is enough for this
issue, can you go ahead for this route? (change the target
distribution to stretch instead of stretch-security for that).

In particular though I think the issue should be fixed in unstable and
buster, but I notice that testing has 9.0.0-1 and 9.0.1-1 did not
migrate. So either the release team will accept to unblock 9.0.1-1 or
buster would need a targeted fix as well via testing-proposed-updates,
cf. https://release.debian.org/buster/freeze_policy.html .

Regards,
Salvatore
Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate
Hi Salvatore,

Can you follow his question? I guess the Debian revision should be
6.1.5-1+deb9u1, but others are okay.

On Tue, 7 May 2019 23:15:58 +0900 Kentaro Hayashi wrote:
> I maintain the Groonga package as a DM, so I want to fix #928304.
> But I've never uploaded a package to stable before, so I need help
> to do it in a good manner.
>
> I've attached a debdiff against the current version.
> Is it ok to upload to stretch-security?

diff -Nru groonga-6.1.5/debian/changelog groonga-6.1.5/debian/changelog --- groonga-6.1.5/debian/changelog 2017-01-23 19:14:09.0 +0900 +++ groonga-6.1.5/debian/changelog 2019-05-07 22:33:11.0 +0900 @@ -1,3 +1,13 @@ +groonga (6.1.5-2) stretch-security; urgency=medium + + * debian/groonga-httpd.logrotate +debian/groonga-server-gqtp.logrotate +- Mitigate privilege escalation by changing the owner and group of logs + with "su" option. Reported by Wolfgang Hotwagner. + (Closes: #928304) (CVE-2019-11675) + + -- Kentaro Hayashi Tue, 07 May 2019 22:33:11 +0900 + groonga (6.1.5-1) unstable; urgency=medium * New upstream release. diff -Nru groonga-6.1.5/debian/groonga-httpd.logrotate groonga-6.1.5/debian/groonga-httpd.logrotate --- groonga-6.1.5/debian/groonga-httpd.logrotate2016-12-10 15:18:50.0 +0900 +++ groonga-6.1.5/debian/groonga-httpd.logrotate2019-05-07 22:33:11.0 +0900 @@ -1,11 +1,11 @@ /var/log/groonga/httpd/*.log { +su groonga groonga daily missingok rotate 30 compress delaycompress notifempty -create 640 groonga groonga sharedscripts postrotate . /etc/default/groonga-httpd diff -Nru groonga-6.1.5/debian/groonga-server-gqtp.logrotate groonga-6.1.5/debian/groonga-server-gqtp.logrotate --- groonga-6.1.5/debian/groonga-server-gqtp.logrotate 2016-12-10 15:18:50.0 +0900 +++ groonga-6.1.5/debian/groonga-server-gqtp.logrotate 2019-05-07 22:33:11.0 +0900
@@ -1,11 +1,11 @@ /var/log/groonga/*-gqtp.log { +su groonga groonga daily missingok rotate 30 compress delaycompress notifempty -create 640 groonga groonga sharedscripts postrotate . /etc/default/groonga-server-gqtp
Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate
Hi,

I maintain the Groonga package as a DM, so I want to fix #928304.
But I've never uploaded a package to stable before, so I need help
to do it in a good manner.

I've attached a debdiff against the current version.
Is it ok to upload to stretch-security?

diff -Nru groonga-6.1.5/debian/changelog groonga-6.1.5/debian/changelog --- groonga-6.1.5/debian/changelog 2017-01-23 19:14:09.0 +0900 +++ groonga-6.1.5/debian/changelog 2019-05-07 22:33:11.0 +0900 @@ -1,3 +1,13 @@ +groonga (6.1.5-2) stretch-security; urgency=medium + + * debian/groonga-httpd.logrotate +debian/groonga-server-gqtp.logrotate +- Mitigate privilege escalation by changing the owner and group of logs + with "su" option. Reported by Wolfgang Hotwagner. + (Closes: #928304) (CVE-2019-11675) + + -- Kentaro Hayashi Tue, 07 May 2019 22:33:11 +0900 + groonga (6.1.5-1) unstable; urgency=medium * New upstream release. diff -Nru groonga-6.1.5/debian/groonga-httpd.logrotate groonga-6.1.5/debian/groonga-httpd.logrotate --- groonga-6.1.5/debian/groonga-httpd.logrotate 2016-12-10 15:18:50.0 +0900 +++ groonga-6.1.5/debian/groonga-httpd.logrotate 2019-05-07 22:33:11.0 +0900 @@ -1,11 +1,11 @@ /var/log/groonga/httpd/*.log { +su groonga groonga daily missingok rotate 30 compress delaycompress notifempty -create 640 groonga groonga sharedscripts postrotate . /etc/default/groonga-httpd diff -Nru groonga-6.1.5/debian/groonga-server-gqtp.logrotate groonga-6.1.5/debian/groonga-server-gqtp.logrotate --- groonga-6.1.5/debian/groonga-server-gqtp.logrotate 2016-12-10 15:18:50.0 +0900 +++ groonga-6.1.5/debian/groonga-server-gqtp.logrotate 2019-05-07 22:33:11.0 +0900 @@ -1,11 +1,11 @@ /var/log/groonga/*-gqtp.log { +su groonga groonga daily missingok rotate 30 compress delaycompress notifempty -create 640 groonga groonga sharedscripts postrotate . /etc/default/groonga-server-gqtp
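Review bot: in the debian/changelog hunk, the stable upload is versioned `groonga (6.1.5-2) stretch-security; urgency=medium`, which is the point Hideki raises in his reply: a stable update conventionally takes a `+deb9uN` suffix on the current stable revision, i.e. `6.1.5-1+deb9u1`, so that it sorts below any later `6.1.5-2` in unstable, and Salvatore's follow-up settles on `stretch` (point release) rather than `stretch-security` as the target distribution. Suggest `groonga (6.1.5-1+deb9u1) stretch; urgency=medium` before upload; the `(Closes: #928304) (CVE-2019-11675)` references in the entry are correct and should stay.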
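Review bot: in the groonga-httpd.logrotate hunk, `+su groonga groonga` is the right fix for the reported race (rotation in the groonga-owned /var/log/groonga/httpd no longer happens with root's privileges), but the same hunk also drops `-create 640 groonga groonga`. `su` and `create` are not mutually exclusive: without `create`, logrotate only renames the old log and never creates the new one, so whether a new file exists and what mode it gets now depends on the daemon's `log_reopen` handling in `postrotate` and its umask instead of the explicit 0640. Suggest keeping `create 640 groonga groonga` directly under the `su` line.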
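Review bot: the groonga-server-gqtp.logrotate hunk removes `create 640 groonga groonga` in the same way as the httpd hunk and should keep it for the same reason; beyond that, note that the `/var/log/groonga/*-gqtp.log` glob sits directly in /var/log/groonga, and this debdiff leaves that directory's ownership unchanged (the reporter's alternative mitigation was to chown it to root), so the `su groonga groonga` line is the only thing stopping root from rotating in a directory the service user controls. Worth stating that deliberately in the changelog entry, or pairing it with the ownership change in the packaging.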
Processed: Re: Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate
Processing control commands:

> retitle -1 groonga-httpd: Privilege escalation due to insecure use of logrotate (CVE-2019-11675)
Bug #928304 [groonga-httpd] groonga-httpd: Privilege escalation due to insecure use of logrotate
Changed Bug title to 'groonga-httpd: Privilege escalation due to insecure use of logrotate (CVE-2019-11675)' from 'groonga-httpd: Privilege escalation due to insecure use of logrotate'.

--
928304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate
Control: retitle -1 groonga-httpd: Privilege escalation due to insecure use of logrotate (CVE-2019-11675)

On Wed, May 01, 2019 at 05:29:58PM +0200, Wolfgang Hotwagner wrote:
> Package: groonga-httpd
> Version: 6.1.5-1
> Severity: critical
> Tags: security
> Justification: root security hole
>
> Dear Maintainer,
>
> The path of the log directory of groonga-httpd can be manipulated by user
> groonga:
[...]

MITRE has now assigned CVE-2019-11675 for this issue.

Regards,
Salvatore
Bug#928304: groonga-httpd: Privilege escalation due to insecure use of logrotate
Package: groonga-httpd
Version: 6.1.5-1
Severity: critical
Tags: security
Justification: root security hole

Dear Maintainer,

The path of the log directory of groonga-httpd can be manipulated by user
groonga:

ls -l /var/log/groonga
total 8
-rw-r--r-- 1 root    root    1296 Apr 25 18:44 groonga.log
drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd

The files in /var/log/groonga/httpd/*.log are rotated once a day by
logrotate as user root with the following config:

/var/log/groonga/httpd/*.log {
        daily
        missingok
        rotate 30
        compress
        delaycompress
        notifempty
        create 640 groonga groonga
        sharedscripts
        postrotate
                . /etc/default/groonga-httpd
                if [ x"$ENABLE" = x"yes" ]; then
                        /usr/bin/curl --silent --output /dev/null \
                                "http://127.0.0.1:10041/d/log_reopen";
                fi
        endscript
}

Because logrotate is prone to a race condition (see the link to my blog
below), it is possible for user "groonga" to replace the directory
/var/log/groonga/httpd with a symbolic link to any directory (for example
/etc/bash_completion.d). logrotate will place files AS ROOT into
/etc/bash_completion.d and set the owner and group to "groonga.groonga".
An attacker could simply place a reverse shell into this file. As soon as
root logs in, a reverse shell will be executed.

You can find an exploit for this bug at my blog:
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges

(This exploit won't work well with lvm or docker but works reliably if the
filesystem is directly on the disk)

Mitigation:

You could mitigate the problem by changing the owner and group of
/var/log/groonga to root, or by using the "su" option inside the
logrotate config file.
-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages groonga-httpd depends on:
ii  curl                   7.52.1-5+deb9u9
ii  groonga-server-common  6.1.5-1
ii  init-system-helpers    1.48
ii  libc6                  2.24-11+deb9u4
ii  libgroonga0            6.1.5-1
ii  libpcre3               2:8.39-3
ii  libssl1.1              1.1.0j-1~deb9u1
ii  lsb-base               9.20161125
ii  zlib1g                 1:1.2.8.dfsg-5

groonga-httpd recommends no packages.

groonga-httpd suggests no packages.

-- no debconf information
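The report above describes the pattern a defender wants to catch across all of /etc/logrotate.d, not just in this package: a stanza whose log directory is owned by an unprivileged service user while rotation still runs as root, with no "su" directive. The following audit script is an added example written for this page; it is not code from the bug report, the groonga packaging or logrotate itself. It parses the directive subset used in Debian's logrotate snippets (skipping postrotate bodies), and flags every glob whose parent directory is not root-owned when the stanza has no `su user group` line (or has `su root ...`). The two embedded configs are constructed copies of the vulnerable stanza quoted in the report and of the `su groonga groonga` stanza from the debdiff (with `create` removed, as the debdiff does); the directory-ownership map is constructed too, and ownership is injected through a callable so the check runs offline, while `owner_of_path` does the real `os.stat` lookup when the script is pointed at a live host.

```python
"""Audit logrotate snippets for root rotation inside a non-root-owned directory.

Added example for this page; parser covers the directive subset used in
/etc/logrotate.d snippets, not the full logrotate grammar.
"""
import glob
import os
import pwd
import sys
from dataclasses import dataclass, field

SCRIPT_KEYWORDS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}


@dataclass
class Stanza:
    patterns: list                                   # globs listed before '{'
    directives: dict = field(default_factory=dict)   # directive name -> argument words


def parse_logrotate(text):
    """Parse 'globs { directive... }' stanzas; script bodies are skipped up to 'endscript'."""
    stanzas, current, in_script = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_script:                       # inside postrotate etc.: only look for the end
            in_script = line != "endscript"
            continue
        if current is None:                 # outside a stanza: wait for 'globs {'
            if line.endswith("{"):
                current = Stanza(patterns=line[:-1].split())
            continue
        if line == "}":
            stanzas.append(current)
            current = None
            continue
        words = line.split()
        if words[0] in SCRIPT_KEYWORDS:
            in_script = True
            continue
        current.directives[words[0]] = words[1:]
    return stanzas


def audit(text, owner_of):
    """One finding per glob whose parent directory is not root-owned while logrotate
    would still act in it as root (no 'su' directive, or 'su root ...').
    owner_of(path) returns a user name, or None when the path does not exist."""
    findings = []
    for stanza in parse_logrotate(text):
        su = stanza.directives.get("su")
        rotates_as_root = su is None or su[0] == "root"
        for pattern in stanza.patterns:
            directory = os.path.dirname(pattern)
            owner = owner_of(directory)
            if owner is not None and owner != "root" and rotates_as_root:
                findings.append(
                    f"{pattern}: {directory} is owned by {owner!r} but would be rotated "
                    f"as root; add 'su {owner} <group>' or chown the directory to root"
                )
    return findings


def owner_of_path(path):
    """Real ownership lookup for scanning a host; None if the directory is missing."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except FileNotFoundError:
        return None


# Constructed sample: the stanza quoted in the bug report.
VULNERABLE = """\
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
"""
# Constructed sample mirroring the debdiff: 'su' added, 'create' removed.
FIXED = VULNERABLE.replace("/*.log {\n", "/*.log {\n    su groonga groonga\n").replace(
    "    create 640 groonga groonga\n", "")
# Constructed ownership map (assumed values, following the report's 'ls -l' output).
CONSTRUCTED_OWNERS = {"/var/log/groonga/httpd": "groonga", "/var/log/groonga": "groonga"}


def sample_owner(path):
    return CONSTRUCTED_OWNERS.get(path)


if __name__ == "__main__":
    for path in sys.argv[1:] or glob.glob("/etc/logrotate.d/*"):
        with open(path) as fh:
            for finding in audit(fh.read(), owner_of_path):
                print(f"{path}: {finding}")
```

Run without arguments it walks /etc/logrotate.d on the current host; pass snippet paths to check a package's files before upload. The ownership callable is the deliberate seam: the same `audit` runs on constructed data in a test and on `os.stat` in production, and treating a missing directory as "unknown" rather than "non-root" keeps the scan from reporting stanzas for packages whose log directory has not been created yet.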