91785 2005-05-07 04:03 0000 net-www/webapp-config insecure temporary file creation 2005-07-23 23:07:50 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A3 [glsa] jaervosz P2 normal --- 1 eromang@zataz.net security@gentoo.org web-apps@gentoo.org eromang@zataz.net 2005-05-07 04:03:46 0000 Hello, They are some code in webapp-config how could permit to a normal user, to execute command as root, if the malicious user can get $my_file pointing to a file he owns. ------------------------------------------------------------------- Code how is in concern : ------------------------------------------------------------------- Begin line 2711 fn_show_postinst () { if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then return fi local my_file="/tmp/$$.postinst.txt" fn_run_vars # we create a temporary file, so that we can expand the variables # that are used in the file echo "cat <<webapp-EOF" > "$my_file" cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file" echo "webapp-EOF" >> "$my_file" # execute the temporary file, to generate the output echo . "$my_file" echo # it's a temporary file, so let's get rid of it now rm -f "$my_file" } The creation of my_file should be done with mktemp, and chmod this file. ----------------------------------------------------------- Another possible issue : fn_remove_emptylines () { egrep -v '^$' "$1" > /tmp/$$ cat /tmp/$$ > "$1" rm -f /tmp/$$ } All this two are hardly exploitable, because is a race condition, but it's possible. Regards Reproducible: Always Steps to Reproduce: 1. 2. 3. Actual Results: webapp-config don't use mktemp and don't chmod the temporary files Expected Results: webapp-config should use mktemp and chmod temporary files jaervosz@gentoo.org 2005-05-07 09:48:27 0000 Web-apps please provide an updated ebuild. beu@gentoo.org 2005-05-08 22:19:17 0000 Fixed in webapp-config-1.10-r14. Also fixes security issues from bugs #88831 (configuration file permissions) and #87708 (top-level website directories created with mode 777). Tested and marked stable on x86. Arches, please test and mark net-www/webapp-config-1.10-r14 stable. Thanks ! corsair@gentoo.org 2005-05-09 01:23:07 0000 stable on ppc64 zataz@zataz.net 2005-05-09 02:05:15 0000 Hello, Tested with phpmyadmin, every thing work fine. Just one thing to say : -rw-r--r-- 1 root root 333 May 9 10:59 /var/www/locahost/htdocs/phpmyadmin/.webapp inside : WEB_INSTALLEDFOR="root:apache" Could the files : .webapp-soft-version and .webapp be only root readable ? Regards. gustavoz@gentoo.org 2005-05-09 08:22:46 0000 stable on sparc. killerfox@gentoo.org 2005-05-09 10:15:56 0000 Stable on hppa hansmi@gentoo.org 2005-05-09 10:18:50 0000 Stable on ppc. kloeri@gentoo.org 2005-05-09 14:29:17 0000 Stable on alpha + ia64. cryos@gentoo.org 2005-05-09 16:18:31 0000 Stable on amd64, sorry for the delay. jaervosz@gentoo.org 2005-05-09 22:38:45 0000 This one is ready for GLSA decision. I vote for NO GLSA, if this is only an issue with the latest stable version. zataz@zataz.net 2005-05-09 23:00:44 0000 Hello, So how to force people to update webapp-config if they are no GLSA ? 3 securiry issues resolved in this version and no GLSA ? Regards. jaervosz@gentoo.org 2005-05-09 23:24:27 0000 AFAIR (sorry pretty busy handling a lot of other bugs) the only real issue here is the temp file. The others are an improvement to default config. If anything sensitive is in .webapp files it's another matter. Feel free to disagree and if so please elaborate:-) taviso@gentoo.org 2005-05-10 00:53:08 0000 I would vote YES to a glsa on this issue. tigger@gentoo.org 2005-05-10 01:17:05 0000 vote YES for glsa (tavis 0wns me) jaervosz@gentoo.org 2005-05-10 01:20:51 0000 Ok, this issue is not recently introduced->reversing vote to YES. beu@gentoo.org 2005-05-10 10:46:21 0000 I've compiled a list of webapps in the tree that install config files which would have been installed world-readable with webapp-config <1.10-r14: http://dev.gentoo.org/~beu/webapps-with-cfg-files.txt These webapps will need to be re-installed by the user to be re-created with correct permissions. beu@gentoo.org 2005-05-10 12:17:30 0000 Waiting on arm/mips to go stable, then the webapp eclasses *DEPEND will be changed to require this version of webapp-config (the wait is needed, or stable arm/mips webapps will have a masked dependency). vapier@gentoo.org 2005-05-10 15:16:36 0000 this is GLSA material vapier@gentoo.org 2005-05-10 15:18:07 0000 arm/mips/s390 stable beu@gentoo.org 2005-05-10 16:03:48 0000 DEPEND updated in webapp.eclass. All your folks :) jaervosz@gentoo.org 2005-05-10 22:02:31 0000 Elfyn would a simple chmod -R -orwx VHOST_ROOT fix the problem or just create new ones? jaervosz@gentoo.org 2005-05-10 22:10:24 0000 r2d2 just pointed out that you'd of cause need a chown -R root:apache VHOST_ROOT as well. jaervosz@gentoo.org 2005-05-13 23:59:57 0000 Elfyn any news on this one? beu@gentoo.org 2005-05-15 08:48:43 0000 webapp-config-1.10-r15 will be hitting cvs in about 15-20 minutes, just have to polish off a little bit and beat the crap out of the new webapp-fixperms tool ;) TO save time when I bump webapp-config, the usage that needs to be referenced in the glsa is as follows: # /usr/sbin/webapp-fixperms --fix-toplevel-vhost-perms-only all The ebove command line will fix any directories that exist in /var/www (by default) that are world-writable - it just removes the write-bit on the directory's file mode. Another webapp-fixperms invocation: # /usr/sbin/webapp-fixperms -p -d /var/www2 all # /usr/sbin/webapp-fixperms -d /var/www2 all (-p and --pretend are much like emerge's pretend mode.) The combination will check permission on installed config files for all webapps found in /var/www{,2}/*/htdocs. You can also replace the 'all' target with a specific package name, or names, and it will fix the permissions on only those webapp installs. There's a few other little things, though they'll be properly documented in a man page shortly. /me gets back to rolling 1.10-r15 .. :) beu@gentoo.org 2005-05-15 09:49:20 0000 InCVS, though p.mask'd as I have to go off for a few hours, and there's still a buglet remaining .. however, the the webapp-config bump has better error messages, permissions checks and all options bar --fix-toplevel-vhost-perms-only are working perfectly, from my _hours_ of testing ;) Will get the last bug I know fixed when I get back and un p.mask then .. beu@gentoo.org 2005-05-15 12:51:19 0000 Okay, I'm back ;) - -r15 will be taken out of p.mask and unleashed within the hour .. </bugspam> ;p jaervosz@gentoo.org 2005-05-16 05:32:20 0000 Woops still package masked->back to ebuild status. carlo@gentoo.org 2005-05-17 11:55:58 0000 Are you sure to fix the correct directories and don't go wild on the tree? >> Bug 92958 koon@gentoo.org 2005-05-20 10:28:51 0000 Elfyn, I don't get it, -r15 was removed ? Which one is the fixed package ? Can we issue a GLSA now on it ? koon@gentoo.org 2005-05-27 04:52:24 0000 Stuart is on it and will keep us posted. stuart@gentoo.org 2005-05-30 04:59:17 0000 I'm currently testing webapp-config v1.11 locally. I'll let you know once it's in the tree. Best regards, Stu stuart@gentoo.org 2005-05-30 12:57:05 0000 Hi, webapp-config 1.11 is now in the tree. Assuming I haven't missed anything, it includes fixes for all the security bugs discovered against webapp-config 1.10- r11 or -r12. v1.11 isn't marked stable yet - it needs wider testing before we can do that. Hopefully I'll have some feedback in a couple of days. I've removed webapp-config v1.10-r14 from the tree. It was too broken, sorry. Best regards, Stu bmschwar@fas.harvard.edu 2005-05-30 14:45:39 0000 1.11 better go stable mighty quick. Currently, anyone who's installed a recent webapp like awstats 6.4 gets this message: root # emerge -puDv world These are the packages that I would merge, in order: Calculating world dependencies r !!! All ebuilds that could satisfy ">=net-www/webapp-config-1.10-r14" have been masked. !!! One of the following masked packages is required to complete your request: - net-www/webapp-config-1.11 (masked by: ~x86 keyword) For more information, see MASKED PACKAGES section in the emerge man page or section 2.2 "Software Availability" in the Gentoo Handbook. !!! (dependency required by "net-www/awstats-6.4" [ebuild]) !!! Problem with ebuild net-www/awstats-6.4 !!! Possibly a DEPEND/*DEPEND problem. !!! Depgraph creation failed. jakub@gentoo.org 2005-05-30 15:47:21 0000 (In reply to comment #32) > v1.11 isn't marked stable yet - it needs wider testing before we > can do that. Hopefully I'll have some feedback in a couple of days. Well, sorry, but you have broken portage (Bug 94559). Either mark it stable or fix the eclass. :/ jaervosz@gentoo.org 2005-05-31 07:24:42 0000 web-apps please fix this. jaervosz@gentoo.org 2005-05-31 07:30:55 0000 Sorry my mistake, already fixed. jaervosz@gentoo.org 2005-06-04 00:41:48 0000 Stuart, are we ready to start stable marking? koon@gentoo.org 2005-06-12 03:03:18 0000 We have the go-ahead from Stuart. Arches, please test and mark webapp-config-1.11 stable... Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86" hansmi@gentoo.org 2005-06-12 03:30:07 0000 Stable on ppc. killerfox@gentoo.org 2005-06-12 03:46:45 0000 Stable on hppa kugelfang@gentoo.org 2005-06-12 09:48:50 0000 stable on amd64. weeve@gentoo.org 2005-06-12 10:52:14 0000 Stable on SPARC. corsair@gentoo.org 2005-06-13 07:27:48 0000 stable on ppc64 ferdy@gentoo.org 2005-06-13 07:59:29 0000 alpha happy kloeri@gentoo.org 2005-06-15 12:19:02 0000 ia64 stable. tester@gentoo.org 2005-06-16 18:59:35 0000 sorry for the delauy, done on x86 vapier@gentoo.org 2005-06-16 19:08:57 0000 arm/s390 done jaervosz@gentoo.org 2005-06-17 07:17:14 0000 GLSA 200506-13 mips please remember to mark stable to benifit from the GLSA. hardave@gentoo.org 2005-07-23 23:07:50 0000 Stable on mips.