rpms / rubygem-passenger

Clone
Source Code
GIT

Blame rubygem-passenger-3.0.21-CVE-2013-4136-tmp-directory.patch

el5 el6 epel7 f17 f18 f19 f20 f21 main rawhide
  1.   8fdb53f8c687d19ce939d18ac303f88470e5bc9b
  2.   rubygem-passenger-3.0.21-CVE-2013-4136-tmp-directory.patch
Blob History Raw
b577e34 
diff -urp passenger-release-3.0.21.orig/ext/common/LoggingAgent/Main.cpp passenger-release-3.0.21/ext/common/LoggingAgent/Main.cpp
b577e34 
--- passenger-release-3.0.21.orig/ext/common/LoggingAgent/Main.cpp	2013-05-29 07:09:31.000000000 -0500
b577e34 
+++ passenger-release-3.0.21/ext/common/LoggingAgent/Main.cpp	2013-07-18 09:35:47.514433743 -0500
b577e34 
@@ -265,11 +265,6 @@ main(int argc, char *argv[]) {
b577e34 
 		ev::sig sigtermWatcher(eventLoop);
b577e34 
 		ev::sig sigquitWatcher(eventLoop);
b577e34
b577e34 
-		if (feedbackFdAvailable()) {
b577e34 
-			feedbackFdWatcher.set<&feedbackFdBecameReadable>();
b577e34 
-			feedbackFdWatcher.start(FEEDBACK_FD, ev::READ);
b577e34 
-			writeArrayMessage(FEEDBACK_FD, "initialized", NULL);
b577e34 
-		}
b577e34 
 		sigintWatcher.set<&caughtExitSignal>();
b577e34 
 		sigintWatcher.start(SIGINT);
b577e34 
 		sigtermWatcher.set<&caughtExitSignal>();
b577e34 
@@ -281,6 +276,11 @@ main(int argc, char *argv[]) {
b577e34 
 		/********** Initialized! Enter main loop... **********/
b577e34
b577e34 
 		P_DEBUG("Logging agent online, listening at " << socketAddress);
b577e34 
+		if (feedbackFdAvailable()) {
b577e34 
+			feedbackFdWatcher.set<&feedbackFdBecameReadable>();
b577e34 
+			feedbackFdWatcher.start(FEEDBACK_FD, ev::READ);
b577e34 
+			writeArrayMessage(FEEDBACK_FD, "initialized", NULL);
b577e34 
+		}
b577e34 
 		ev_loop(eventLoop, 0);
b577e34 
 		return exitCode;
b577e34 
 	} catch (const tracable_exception &e) {
b577e34 
diff -urp passenger-release-3.0.21.orig/ext/common/ServerInstanceDir.h passenger-release-3.0.21/ext/common/ServerInstanceDir.h
b577e34 
--- passenger-release-3.0.21.orig/ext/common/ServerInstanceDir.h	2013-05-29 07:09:31.000000000 -0500
b577e34 
+++ passenger-release-3.0.21/ext/common/ServerInstanceDir.h	2013-07-18 09:38:54.431808622 -0500
b577e34 
@@ -30,6 +30,7 @@
b577e34 
 #include <oxt/backtrace.hpp>
b577e34
b577e34 
 #include <sys/types.h>
b577e34 
+#include <sys/stat.h>
b577e34 
 #include <dirent.h>
b577e34 
 #include <unistd.h>
b577e34 
 #include <pwd.h>
b577e34 
@@ -38,6 +39,7 @@
b577e34 
 #include <cstring>
b577e34 
 #include <string>
b577e34
b577e34 
+#include <Logging.h>
b577e34 
 #include "Exceptions.h"
b577e34 
 #include "Utils.h"
b577e34 
 #include "Utils/StrIntUtils.h"
b577e34 
@@ -217,7 +219,69 @@ private:
b577e34 
 		 * rights though, because we want admin tools to be able to list the available
b577e34 
 		 * generations no matter what user they're running as.
b577e34 
 		 */
b577e34 
-		makeDirTree(path, "u=rwxs,g=rx,o=rx");
b577e34 
+		if (owner) {
b577e34 
+			switch (getFileType(path)) {
b577e34 
+			case FT_NONEXISTANT:
b577e34 
+				createDirectory(path);
b577e34 
+				break;
b577e34 
+			case FT_DIRECTORY:
b577e34 
+				verifyDirectoryPermissions(path);
b577e34 
+				break;
b577e34 
+			default:
b577e34 
+				throw RuntimeException("'" + path + "' already exists, and is not a directory");
b577e34 
+			}
b577e34 
+		} else if (getFileType(path) != FT_DIRECTORY) {
b577e34 
+			throw RuntimeException("Server instance directory '" + path +
b577e34 
+				"' does not exist");
b577e34 
+		}
b577e34 
+	}
b577e34 
+
b577e34 
+	void createDirectory(const string &path) const {
b577e34 
+		// We do not use makeDirTree() here. If an attacker creates a directory
b577e34 
+		// just before we do, then we want to abort because we want the directory
b577e34 
+		// to have specific permissions.
b577e34 
+		if (mkdir(path.c_str(), parseModeString("u=rwx,g=rx,o=rx")) == -1) {
b577e34 
+			int e = errno;
b577e34 
+			throw FileSystemException("Cannot create server instance directory '" +
b577e34 
+				path + "'", e, path);
b577e34 
+		}
b577e34 
+		// verifyDirectoryPermissions() checks for the owner/group so we must make
b577e34 
+		// sure the server instance directory has that owner/group, even when the
b577e34 
+		// parent directory has setgid on.
b577e34 
+		if (chown(path.c_str(), geteuid(), getegid()) == -1) {
b577e34 
+			int e = errno;
b577e34 
+			throw FileSystemException("Cannot change the permissions of the server "
b577e34 
+				"instance directory '" + path + "'", e, path);
b577e34 
+		}
b577e34 
+	}
b577e34 
+
b577e34 
+	/**
b577e34 
+	 * When reusing an existing server instance directory, check permissions
b577e34 
+	 * so that an attacker cannot pre-create a directory with too liberal
b577e34 
+	 * permissions.
b577e34 
+	 */
b577e34 
+	void verifyDirectoryPermissions(const string &path) {
b577e34 
+		TRACE_POINT();
b577e34 
+		struct stat buf;
b577e34 
+
b577e34 
+		if (stat(path.c_str(), &buf) == -1) {
b577e34 
+			int e = errno;
b577e34 
+			throw FileSystemException("Cannot stat() " + path, e, path);
b577e34 
+		} else if (buf.st_mode != (S_IFDIR | parseModeString("u=rwx,g=rx,o=rx"))) {
b577e34 
+			throw RuntimeException("Tried to reuse existing server instance directory " +
b577e34 
+				path + ", but it has wrong permissions");
b577e34 
+		} else if (buf.st_uid != geteuid() || buf.st_gid != getegid()) {
b577e34 
+			/* The server instance directory is always created by the Watchdog. Its UID/GID never
b577e34 
+			 * changes because:
b577e34 
+			 * 1. Disabling user switching only lowers the privilege of the HelperAgent.
b577e34 
+			 * 2. For the UID/GID to change, the web server must be completely restarted
b577e34 
+			 *    (not just graceful reload) so that the control process can change its UID/GID.
b577e34 
+			 *    This causes the PID to change, so that an entirely new server instance
b577e34 
+			 *    directory is created.
b577e34 
+			 */
b577e34 
+			throw RuntimeException("Tried to reuse existing server instance directory " +
b577e34 
+				path + ", but it has wrong owner and group");
b577e34 
+		}
b577e34 
 	}
b577e34
b577e34 
 	bool isDirectory(const string &dir, struct dirent *entry) const {
b577e34 
diff -urp passenger-release-3.0.21.orig/NEWS passenger-release-3.0.21/NEWS
b577e34 
--- passenger-release-3.0.21.orig/NEWS	2013-05-29 07:09:31.000000000 -0500
b577e34 
+++ passenger-release-3.0.21/NEWS	2013-07-18 08:58:30.943558375 -0500
b577e34 
@@ -8,6 +8,7 @@ Release 3.0.21
b577e34 
  * Catch exceptions raised by Rack application objects.
b577e34 
  * Fix for CVE-2013-2119. Details can be found in the announcement for version 4.0.5.
b577e34 
  * Version 3.0.20 was pulled because its fixes were incomplete.
b577e34 
+ * Fix for CVE-2013-4136. Details can be found in the announcement for version 4.0.8.
b577e34
b577e34
b577e34 
 Release 3.0.19
b577e34 
diff -urp passenger-release-3.0.21.orig/test/cxx/ServerInstanceDirTest.cpp passenger-release-3.0.21/test/cxx/ServerInstanceDirTest.cpp
b577e34 
--- passenger-release-3.0.21.orig/test/cxx/ServerInstanceDirTest.cpp	2013-05-29 07:09:31.000000000 -0500
b577e34 
+++ passenger-release-3.0.21/test/cxx/ServerInstanceDirTest.cpp	2013-07-18 09:09:50.898433782 -0500
b577e34 
@@ -73,9 +73,11 @@ namespace tut {
b577e34 
 	}
b577e34
b577e34 
 	TEST_METHOD(5) {
b577e34 
-		// The destructor doesnn't remove the server instance directory if it
b577e34 
+		// The destructor doesn't remove the server instance directory if it
b577e34 
 		// wasn't created with the ownership flag or if it's been detached.
b577e34 
 		string path, path2;
b577e34 
+		makeDirTree(parentDir + "/passenger-test.1234");
b577e34 
+		makeDirTree(parentDir + "/passenger-test.5678");
b577e34 
 		{
b577e34 
 			ServerInstanceDir dir(1234, parentDir, false);
b577e34 
 			ServerInstanceDir dir2(5678, parentDir);
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.