Bug 91785 - net-www/webapp-config insecure temporary file creation
Bug#: 91785
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: eromang@zataz.net
Component: Vulnerabilities
Summary: net-www/webapp-config insecure temporary file creation
Status Whiteboard: A3 [glsa] jaervosz
Opened: 2005-05-07 04:03 0000
Hello,
There is some code in webapp-config which could permit a normal user to execute commands as root, if the malicious user can get $my_file pointing to a file he owns.
-------------------------------------------------------------------
Code in question:
-------------------------------------------------------------------
Begin line 2711
fn_show_postinst ()
{
    if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then
        return
    fi
    local my_file="/tmp/$$.postinst.txt"
    fn_run_vars
    # we create a temporary file, so that we can expand the variables
    # that are used in the file
    echo "cat <<webapp-EOF" > "$my_file"
    cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file"
    echo "webapp-EOF" >> "$my_file"
    # execute the temporary file, to generate the output
    echo
    . "$my_file"
    echo
    # it's a temporary file, so let's get rid of it now
    rm -f "$my_file"
}
The creation of my_file should be done with mktemp, and the file should be chmod'ed.
-----------------------------------------------------------
Another possible issue:
fn_remove_emptylines ()
{
    egrep -v '^$' "$1" > /tmp/$$
    cat /tmp/$$ > "$1"
    rm -f /tmp/$$
}
Both of these are hard to exploit, because it is a race condition, but it's possible.
Regards
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Actual Results:
webapp-config doesn't use mktemp and doesn't chmod the temporary files
Expected Results:
webapp-config should use mktemp and chmod temporary files
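A hardened rewrite of the two functions quoted in the report, added here as an example (it is not code from webapp-config or its maintainers). mktemp replaces the predictable /tmp/$$ names; the postinst-en.txt fixture and the fn_run_vars stand-in are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not webapp-config's own code. mktemp creates the temp file
# exclusively, with mode 0600 and an unpredictable name, so a file or symlink
# that another user pre-placed under the guessable /tmp/$$ name is never used.

# Constructed fixture standing in for ${MY_APPDIR}/postinst-en.txt.
MY_APPDIR="$(mktemp -d)"
printf 'Installed into ${MY_HTDOCSDIR}\nOwner: ${VHOST_SERVER_UID}\n' \
    > "${MY_APPDIR}/postinst-en.txt"

fn_run_vars ()
{
    # Stand-in for webapp-config's fn_run_vars; the values are constructed.
    MY_HTDOCSDIR="/var/www/localhost/htdocs/example"
    VHOST_SERVER_UID="apache"
}

fn_private_tmpfile ()
{
    # Prints the path of a fresh private temp file, or fails (it never falls
    # back to a guessable /tmp/$$ name). The chmod is belt and braces.
    local f
    f="$(mktemp "${TMPDIR:-/tmp}/webapp-config.XXXXXX")" || return 1
    chmod 600 "$f" && printf '%s\n' "$f"
}

fn_show_postinst ()
{
    [ -f "${MY_APPDIR}/postinst-en.txt" ] || return 0
    local my_file
    my_file="$(fn_private_tmpfile)" || return 1
    fn_run_vars
    # Wrap the text in a here-document so sourcing it expands the variables.
    {
        echo "cat <<webapp-EOF"
        cat "${MY_APPDIR}/postinst-en.txt"
        echo "webapp-EOF"
    } > "$my_file"
    . "$my_file"
    rm -f "$my_file"
}

fn_remove_emptylines ()
{
    local tmp
    tmp="$(fn_private_tmpfile)" || return 1
    grep -v '^$' "$1" > "$tmp"
    cat "$tmp" > "$1"   # rewrite in place, keeping $1's inode and mode
    rm -f "$tmp"
}
```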
Web-apps please provide an updated ebuild.
Fixed in webapp-config-1.10-r14. Also fixes security issues from bugs #88831
(configuration file permissions) and #87708 (top-level website directories
created with mode 777).
Tested and marked stable on x86. Arches, please test and mark
net-www/webapp-config-1.10-r14 stable. Thanks!
Hello,
Tested with phpmyadmin, everything works fine.
Just one thing to say:
-rw-r--r-- 1 root root 333 May 9 10:59 /var/www/locahost/htdocs/phpmyadmin/.webapp
inside:
WEB_INSTALLEDFOR="root:apache"
Could the files .webapp-soft-version and .webapp be only root readable?
Regards.
Stable on amd64, sorry for the delay.
This one is ready for GLSA decision. I vote for NO GLSA, if this is only an
issue with the latest stable version.
Hello,
So how do we force people to update webapp-config if there is no GLSA?
3 security issues resolved in this version and no GLSA?
Regards.
AFAIR (sorry pretty busy handling a lot of other bugs) the only real issue here
is the temp file. The others are an improvement to default config. If anything
sensitive is in .webapp files it's another matter.
Feel free to disagree and if so please elaborate:-)
I would vote YES to a glsa on this issue.
vote YES for glsa (tavis 0wns me)
Ok, this issue is not recently introduced -> reversing vote to YES.
I've compiled a list of webapps in the tree that install config files which
would have been installed world-readable with webapp-config <1.10-r14:
http://dev.gentoo.org/~beu/webapps-with-cfg-files.txt
These webapps will need to be re-installed by the user to be re-created with
correct permissions.
Waiting on arm/mips to go stable, then the webapp eclasses *DEPEND will be
changed to require this version of webapp-config (the wait is needed, or stable
arm/mips webapps will have a masked dependency).
DEPEND updated in webapp.eclass. All your folks :)
Elfyn would a simple chmod -R -orwx VHOST_ROOT fix the problem or just create
new ones?
r2d2 just pointed out that you'd of course need a chown -R root:apache
VHOST_ROOT as well.
Elfyn any news on this one?
webapp-config-1.10-r15 will be hitting cvs in about 15-20 minutes, just have to
polish off a little bit and beat the crap out of the new webapp-fixperms tool
;)
To save time when I bump webapp-config, the usage that needs to be referenced
in the glsa is as follows:
# /usr/sbin/webapp-fixperms --fix-toplevel-vhost-perms-only all
The above command line will fix any directories that exist in /var/www (by
default) that are world-writable - it just removes the write-bit on the
directory's file mode.
Another webapp-fixperms invocation:
# /usr/sbin/webapp-fixperms -p -d /var/www2 all
# /usr/sbin/webapp-fixperms -d /var/www2 all
(-p and --pretend are much like emerge's pretend mode.) The combination will
check permission on installed config files for all webapps found in
/var/www{,2}/*/htdocs. You can also replace the 'all' target with a specific
package name, or names, and it will fix the permissions on only those webapp
installs.
There's a few other little things, though they'll be properly documented in a
man page shortly. /me gets back to rolling 1.10-r15 .. :)
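An audit/fix routine in the spirit of the webapp-fixperms invocations above, added here as an example (it is not the tool's own code). It assumes the layout $root/<vhost>/htdocs/<app>/.webapp from this bug, and the .webapp check only reports, as the thread does not settle on a mode for those files.

```shell
#!/bin/bash
# Added example, not webapp-fixperms itself: report (or fix) the two
# permission problems discussed in this bug under a vhost root such as
# /var/www: world-writable top-level vhost directories (bug #87708) and
# world-readable .webapp files under <vhost>/htdocs/<app> (bug #88831).
# Layout assumed: $root/<vhost>/htdocs/<app>/.webapp, as described here.

fn_fix_toplevel_vhost_perms ()
{
    # $1 = vhost root; $2 = "pretend" to only list, anything else to fix.
    # Like --fix-toplevel-vhost-perms-only, only the other-write bit is removed.
    local root="$1" mode="${2:-fix}" d
    find "$root" -mindepth 1 -maxdepth 1 -type d -perm -002 |
    while read -r d; do
        echo "world-writable vhost dir: $d"
        [ "$mode" = pretend ] || chmod o-w "$d"
    done
}

fn_report_readable_configs ()
{
    # Lists .webapp files readable by "other". Report only: the thread asks
    # whether they should be root-only readable but fixes no mode for them.
    local root="$1"
    find "$root" -mindepth 4 -maxdepth 4 -path '*/htdocs/*/.webapp' \
        -type f -perm -004
}
```

Run fn_fix_toplevel_vhost_perms /var/www pretend first to see what would change, then without "pretend" to apply it.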
In CVS, though p.mask'd as I have to go off for a few hours, and there's still a
buglet remaining .. however, the webapp-config bump has better error
messages, permissions checks and all options bar
--fix-toplevel-vhost-perms-only are working perfectly, from my _hours_ of
testing ;)
Will get the last bug I know fixed when I get back and un p.mask then ..
Okay, I'm back ;) - -r15 will be taken out of p.mask and unleashed within the
hour ..
</bugspam> ;p
Whoops, still package masked -> back to ebuild status.
Are you sure it fixes the correct directories and doesn't go wild on the tree? >>
Bug 92958
Elfyn,
I don't get it, -r15 was removed? Which one is the fixed package? Can we issue
a GLSA now on it?
Stuart is on it and will keep us posted.
I'm currently testing webapp-config v1.11 locally. I'll let you know once
it's in the tree.
Best regards,
Stu
Hi,
webapp-config 1.11 is now in the tree. Assuming I haven't missed anything, it
includes fixes for all the security bugs discovered against webapp-config
1.10-r11 or -r12. v1.11 isn't marked stable yet - it needs wider testing before
we can do that. Hopefully I'll have some feedback in a couple of days.
I've removed webapp-config v1.10-r14 from the tree. It was too broken, sorry.
Best regards,
Stu
1.11 better go stable mighty quick. Currently, anyone who's installed a recent
webapp like awstats 6.4 gets this message:
root # emerge -puDv world
These are the packages that I would merge, in order:
Calculating world dependencies r
!!! All ebuilds that could satisfy ">=net-www/webapp-config-1.10-r14" have been
masked.
!!! One of the following masked packages is required to complete your request:
- net-www/webapp-config-1.11 (masked by: ~x86 keyword)
For more information, see MASKED PACKAGES section in the emerge man page or
section 2.2 "Software Availability" in the Gentoo Handbook.
!!! (dependency required by "net-www/awstats-6.4" [ebuild])
!!! Problem with ebuild net-www/awstats-6.4
!!! Possibly a DEPEND/*DEPEND problem.
!!! Depgraph creation failed.
(In reply to comment #32)
> v1.11 isn't marked stable yet - it needs wider testing before we
> can do that. Hopefully I'll have some feedback in a couple of days.
Well, sorry, but you have broken portage (Bug 94559). Either mark it stable or
fix the eclass. :/
web-apps please fix this.
Sorry my mistake, already fixed.
Stuart, are we ready to start stable marking?
We have the go-ahead from Stuart.
Arches, please test and mark webapp-config-1.11 stable...
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"
sorry for the delay, done on x86
GLSA 200506-13
mips please remember to mark stable to benefit from the GLSA.