[DRE-commits] [ruby-passenger] 05/05: Cherry-pick upstream commit to fix CVE-2014-1832.

Felix Geyer fgeyer at moszumanska.debian.org
Sat Mar 8 19:26:14 UTC 2014


This is an automated email from the git hooks/post-receive script.

fgeyer pushed a commit to branch master
in repository ruby-passenger.

commit f2265d9941c60ac9333b9917d93959bd6b93d48e
Author: Felix Geyer <fgeyer at debian.org>
Date:   Sat Mar 8 20:25:32 2014 +0100

    Cherry-pick upstream commit to fix CVE-2014-1832.
    
    * Cherry-pick upstream commit to fix CVE-2014-1832.
      The fix for CVE-2014-1831 was incomplete.
      - Add CVE-2014-1832.patch
---
 debian/changelog                   |   8 ++
 debian/patches/CVE-2014-1832.patch | 154 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 163 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 67ac62e..44591d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-passenger (4.0.37-2) unstable; urgency=medium
+
+  * Cherry-pick upstream commit to fix CVE-2014-1832.
+    The fix for CVE-2014-1831 was incomplete.
+    - Add CVE-2014-1832.patch
+
+ -- Felix Geyer <fgeyer at debian.org>  Sat, 08 Mar 2014 19:27:27 +0100
+
 ruby-passenger (4.0.37-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/patches/CVE-2014-1832.patch b/debian/patches/CVE-2014-1832.patch
new file mode 100644
index 0000000..444a675
--- /dev/null
+++ b/debian/patches/CVE-2014-1832.patch
@@ -0,0 +1,154 @@
+From 94428057c602da3d6d34ef75c78091066ecac5c0 Mon Sep 17 00:00:00 2001
+From: "Hongli Lai (Phusion)" <hongli at phusion.nl>
+Date: Wed, 29 Jan 2014 14:19:25 +0100
+Subject: [PATCH] Fix a symlink-related security vulnerability.
+
+The fix in commit 34b10878 and contained a small attack time window in
+between two filesystem operations. This has been fixed.
+---
+ ext/common/ServerInstanceDir.h | 38 ++++++++++++++++++++++----------------
+ ext/common/Utils.cpp           | 29 -----------------------------
+ ext/common/Utils.h             |  6 ------
+ 4 files changed, 40 insertions(+), 51 deletions(-)
+
+diff --git a/ext/common/ServerInstanceDir.h b/ext/common/ServerInstanceDir.h
+index 8da3cf3..1315de5 100644
+--- a/ext/common/ServerInstanceDir.h
++++ b/ext/common/ServerInstanceDir.h
+@@ -1,6 +1,6 @@
+ /*
+  *  Phusion Passenger - https://www.phusionpassenger.com/
+- *  Copyright (c) 2010-2013 Phusion
++ *  Copyright (c) 2010-2014 Phusion
+  *
+  *  "Phusion Passenger" is a trademark of Hongli Lai & Ninh Bui.
+  *
+@@ -193,6 +193,9 @@ class ServerInstanceDir: public noncopyable {
+ 	
+ 	void initialize(const string &path, bool owner) {
+ 		TRACE_POINT();
++		struct stat buf;
++		int ret;
++
+ 		this->path  = path;
+ 		this->owner = owner;
+ 		
+@@ -212,18 +215,25 @@ class ServerInstanceDir: public noncopyable {
+ 		 * rights though, because we want admin tools to be able to list the available
+ 		 * generations no matter what user they're running as.
+ 		 */
++
++		do {
++			ret = lstat(path.c_str(), &buf);
++		} while (ret == -1 && errno == EAGAIN);
+ 		if (owner) {
+-			switch (getFileTypeNoFollowSymlinks(path)) {
+-			case FT_NONEXISTANT:
++			if (ret == 0) {
++				if (S_ISDIR(buf.st_mode)) {
++					verifyDirectoryPermissions(path, buf);
++				} else {
++					throw RuntimeException("'" + path + "' already exists, and is not a directory");
++				}
++			} else if (errno == ENOENT) {
+ 				createDirectory(path);
+-				break;
+-			case FT_DIRECTORY:
+-				verifyDirectoryPermissions(path);
+-				break;
+-			default:
+-				throw RuntimeException("'" + path + "' already exists, and is not a directory");
++			} else {
++				int e = errno;
++				throw FileSystemException("Cannot lstat '" + path + "'",
++					e, path);
+ 			}
+-		} else if (getFileType(path) != FT_DIRECTORY) {
++		} else if (!S_ISDIR(buf.st_mode)) {
+ 			throw RuntimeException("Server instance directory '" + path +
+ 				"' does not exist");
+ 		}
+@@ -259,14 +269,10 @@ class ServerInstanceDir: public noncopyable {
+ 	 * so that an attacker cannot pre-create a directory with too liberal
+ 	 * permissions.
+ 	 */
+-	void verifyDirectoryPermissions(const string &path) {
++	void verifyDirectoryPermissions(const string &path, struct stat &buf) {
+ 		TRACE_POINT();
+-		struct stat buf;
+ 
+-		if (stat(path.c_str(), &buf) == -1) {
+-			int e = errno;
+-			throw FileSystemException("Cannot stat() " + path, e, path);
+-		} else if (buf.st_mode != (S_IFDIR | parseModeString("u=rwx,g=rx,o=rx"))) {
++		if (buf.st_mode != (S_IFDIR | parseModeString("u=rwx,g=rx,o=rx"))) {
+ 			throw RuntimeException("Tried to reuse existing server instance directory " +
+ 				path + ", but it has wrong permissions");
+ 		} else if (buf.st_uid != geteuid() || buf.st_gid != getegid()) {
+diff --git a/ext/common/Utils.cpp b/ext/common/Utils.cpp
+index d1db8d6..1f3dec5 100644
+--- a/ext/common/Utils.cpp
++++ b/ext/common/Utils.cpp
+@@ -143,35 +143,6 @@
+ 	}
+ }
+ 
+-FileType
+-getFileTypeNoFollowSymlinks(const StaticString &filename) {
+-	struct stat buf;
+-	int ret;
+-	
+-	ret = lstat(filename.c_str(), &buf);
+-	if (ret == 0) {
+-		if (S_ISREG(buf.st_mode)) {
+-			return FT_REGULAR;
+-		} else if (S_ISDIR(buf.st_mode)) {
+-			return FT_DIRECTORY;
+-		} else if (S_ISLNK(buf.st_mode)) {
+-			return FT_SYMLINK;
+-		} else {
+-			return FT_OTHER;
+-		}
+-	} else {
+-		if (errno == ENOENT) {
+-			return FT_NONEXISTANT;
+-		} else {
+-			int e = errno;
+-			string message("Cannot lstat '");
+-			message.append(filename);
+-			message.append("'");
+-			throw FileSystemException(message, e, filename);
+-		}
+-	}
+-}
+-
+ void
+ createFile(const string &filename, const StaticString &contents, mode_t permissions, uid_t owner,
+ 	gid_t group, bool overwrite)
+diff --git a/ext/common/Utils.h b/ext/common/Utils.h
+index 5cfaf92..a04e507 100644
+--- a/ext/common/Utils.h
++++ b/ext/common/Utils.h
+@@ -65,8 +65,6 @@
+ 	FT_REGULAR,
+ 	/** A directory. */
+ 	FT_DIRECTORY,
+-	/** A symlink. Only returned by getFileTypeNoFollowSymlinks(), not by getFileType(). */
+-	FT_SYMLINK,
+ 	/** Something else, e.g. a pipe or a socket. */
+ 	FT_OTHER
+ } FileType;
+@@ -123,10 +121,6 @@ bool fileExists(const StaticString &filename, CachedFileStat *cstat = 0,
+  */
+ FileType getFileType(const StaticString &filename, CachedFileStat *cstat = 0,
+                      unsigned int throttleRate = 0);
+-/**
+- * Like getFileType(), but does not follow symlinks.
+- */
+-FileType getFileTypeNoFollowSymlinks(const StaticString &filename);
+ 
+ /**
+  * Create the given file with the given contents, permissions and ownership.
+-- 
+1.8.5.5
+
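Review bot: The non-owner branch of `initialize()` reads `buf.st_mode` without looking at `ret`, so when the `lstat()` above has failed (for example with ENOENT) the `S_ISDIR` test runs on an uninitialised `struct stat` and a missing directory may slip past the "does not exist" check. The condition should be `} else if (ret != 0 || !S_ISDIR(buf.st_mode)) {`. That branch previously went through `getFileType()`, which by the removed Utils.h comments appears to follow symlinks, so a symlinked instance directory is now rejected for non-owners; a one-line comment stating that this is intended would help. The body of `initialize()` continues outside the hunk.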
diff --git a/debian/patches/series b/debian/patches/series
index d4cadda..bd20fef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 fix_install_path.patch
 no_jsoncpp.patch
 bin_load_path.patch
+CVE-2014-1832.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-passenger.git


