Bug 91785 - net-www/webapp-config insecure temporary file creation
Summary: net-www/webapp-config insecure temporary file creation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-07 04:03 UTC by eromang
Modified: 2005-07-23 23:07 UTC (History)
Description eromang 2005-05-07 04:03:46 UTC
Hello,

There is some code in webapp-config that could permit a normal user to execute commands as root, if the malicious user can get $my_file pointing to a file he owns.

-------------------------------------------------------------------
Code in question:
-------------------------------------------------------------------

Begin line 2711

fn_show_postinst ()
{
        if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then 
                return  
        fi      

        local my_file="/tmp/$$.postinst.txt"

        fn_run_vars

        # we create a temporary file, so that we can expand the variables
        # that are used in the file
        
        echo "cat <<webapp-EOF" > "$my_file"
        cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file"
        echo "webapp-EOF" >> "$my_file"

        # execute the temporary file, to generate the output

        echo    
        . "$my_file"
        echo    

        # it's a temporary file, so let's get rid of it now

        rm -f "$my_file"
}

The creation of my_file should be done with mktemp, and this file should be chmod'ed.

-----------------------------------------------------------

Another possible issue :

fn_remove_emptylines ()
{       
        egrep -v '^$' "$1" > /tmp/$$
        cat /tmp/$$ > "$1"
        rm -f /tmp/$$
}

Both of these are hardly exploitable, because it is a race condition, but it's possible.

Regards

Reproducible: Always

Actual Results:  
webapp-config doesn't use mktemp and doesn't chmod the temporary files

Expected Results:  
webapp-config should use mktemp and chmod temporary files
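
Added example, not part of the original report and not webapp-config's own code: hardened counterparts of the two functions quoted above, creating the temporary file with mktemp so its name is unpredictable and its mode is owner-only. The names make_private_tmp, safe_remove_emptylines and safe_show_postinst are hypothetical, and the variables used by postinst-en.txt are assumed to be set already (the role fn_run_vars plays in the original).

```bash
#!/bin/bash
# Added example; function names are hypothetical, not webapp-config's.

# Create an owner-only temp file with an unpredictable name and print its path.
# mktemp opens the file with O_CREAT|O_EXCL and mode 0600, so a file or
# symlink planted in advance under a guessed name is never reused.
make_private_tmp() {
    mktemp "${TMPDIR:-/tmp}/webapp-config.XXXXXXXXXX"
}

# Hardened counterpart of fn_remove_emptylines: strip empty lines from "$1".
safe_remove_emptylines() {
    local tmp rc=0
    tmp="$(make_private_tmp)" || return 1
    # grep exits 1 when every line was empty; only >1 is a real error.
    grep -v '^$' "$1" > "$tmp" || rc=$?
    if [ "$rc" -le 1 ]; then
        cat "$tmp" > "$1"
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Hardened counterpart of fn_show_postinst: expand the variables used in
# ${MY_APPDIR}/postinst-en.txt through a here-document and print the result.
safe_show_postinst() {
    local src="${MY_APPDIR}/postinst-en.txt" tmp rc=0
    [ -f "$src" ] || return 0
    tmp="$(make_private_tmp)" || return 1
    {
        echo "cat <<webapp-EOF"
        cat "$src"
        echo "webapp-EOF"
    } > "$tmp"
    # Only the owner can write $tmp, so what is sourced is what was written.
    . "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```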
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-07 09:48:27 UTC
Web-apps please provide an updated ebuild.
Comment 2 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-05-08 22:19:17 UTC
Fixed in webapp-config-1.10-r14.  Also fixes security issues from bugs #88831 (configuration file permissions) and #87708 (top-level website directories created with mode 777).

Tested and marked stable on x86.  Arches, please test and mark net-www/webapp-config-1.10-r14 stable.  Thanks !
Comment 3 Markus Rothe (RETIRED) gentoo-dev 2005-05-09 01:23:07 UTC
stable on ppc64
Comment 4 Romang 2005-05-09 02:05:15 UTC
Hello,

Tested with phpmyadmin, everything works fine.

Just one thing to say :

-rw-r--r--  1 root root      333 May  9 10:59 /var/www/locahost/htdocs/phpmyadmin/.webapp

inside :

WEB_INSTALLEDFOR="root:apache"

Could the files : .webapp-soft-version and .webapp be only root readable ?

Regards.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-09 08:22:46 UTC
stable on sparc.
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-05-09 10:15:56 UTC
Stable on hppa
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-09 10:18:50 UTC
Stable on ppc.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-09 14:29:17 UTC
Stable on alpha + ia64.
Comment 9 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-05-09 16:18:31 UTC
Stable on amd64, sorry for the delay.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 22:38:45 UTC
This one is ready for GLSA decision. I vote for NO GLSA, if this is only an issue with the latest stable version.
Comment 11 Romang 2005-05-09 23:00:44 UTC
Hello,

So how to force people to update webapp-config if there is no GLSA ?
3 security issues resolved in this version and no GLSA ?

Regards.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 23:24:27 UTC
AFAIR (sorry pretty busy handling a lot of other bugs) the only real issue here is the temp file. The others are an improvement to default config. If anything sensitive is in .webapp files it's another matter.

Feel free to disagree and if so please elaborate:-)
Comment 13 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-10 00:53:08 UTC
I would vote YES to a glsa on this issue.
Comment 14 rob holland (RETIRED) gentoo-dev 2005-05-10 01:17:05 UTC
vote YES for glsa (tavis 0wns me)
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-10 01:20:51 UTC
Ok, this issue is not recently introduced->reversing vote to YES.
Comment 16 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-05-10 10:46:21 UTC
I've compiled a list of webapps in the tree that install config files which would have been installed world-readable with webapp-config <1.10-r14:

  http://dev.gentoo.org/~beu/webapps-with-cfg-files.txt

These webapps will need to be re-installed by the user to be re-created with correct permissions.
Comment 17 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-05-10 12:17:30 UTC
Waiting on arm/mips to go stable, then the webapp eclasses *DEPEND will be changed to require this version of webapp-config (the wait is needed, or stable arm/mips webapps will have a masked dependency).
Comment 18 SpanKY gentoo-dev 2005-05-10 15:16:36 UTC
this is GLSA material
Comment 19 SpanKY gentoo-dev 2005-05-10 15:18:07 UTC
arm/mips/s390 stable
Comment 20 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-05-10 16:03:48 UTC
DEPEND updated in webapp.eclass.  All yours, folks :)
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-10 22:02:31 UTC
Elfyn would a simple chmod -R -orwx VHOST_ROOT fix the problem or just create new ones?
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-10 22:10:24 UTC
r2d2 just pointed out that you'd of course need a chown -R root:apache VHOST_ROOT as well.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-13 23:59:57 UTC
Elfyn any news on this one?
Comment 24 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-05-15 08:48:43 UTC
webapp-config-1.10-r15 will be hitting cvs in about 15-20 minutes, just have to polish off a little bit and beat the crap out of the new webapp-fixperms tool ;)

To save time when I bump webapp-config, the usage that needs to be referenced in the glsa is as follows:

  # /usr/sbin/webapp-fixperms --fix-toplevel-vhost-perms-only all

The above command line will fix any directories that exist in /var/www (by default) that are world-writable - it just removes the write-bit on the directory's file mode.

Another webapp-fixperms invocation:

  # /usr/sbin/webapp-fixperms -p -d /var/www2 all
  # /usr/sbin/webapp-fixperms -d /var/www2 all

(-p and --pretend are much like emerge's pretend mode.)  The combination will check permission on installed config files for all webapps found in /var/www{,2}/*/htdocs.  You can also replace the 'all' target with a specific package name, or names, and it will fix the permissions on only those webapp installs.

There's a few other little things, though they'll be properly documented in a man page shortly.  /me gets back to rolling 1.10-r15 .. :)
Comment 25 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-05-15 09:49:20 UTC
In CVS, though p.mask'd as I have to go off for a few hours, and there's still a buglet remaining .. however, the webapp-config bump has better error messages, permissions checks and all options bar --fix-toplevel-vhost-perms-only are working perfectly, from my _hours_ of testing ;)

Will get the last bug I know fixed when I get back and un p.mask then ..
Comment 26 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-05-15 12:51:19 UTC
Okay, I'm back ;) - -r15 will be taken out of p.mask and unleashed within the hour ..
</bugspam> ;p
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-16 05:32:20 UTC
Woops still package masked->back to ebuild status.
Comment 28 Carsten Lohrke (RETIRED) gentoo-dev 2005-05-17 11:55:58 UTC
Are you sure to fix the correct directories and don't go wild on the tree? >>
Bug 92958
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2005-05-20 10:28:51 UTC
Elfyn,

I don't get it, -r15 was removed ? Which one is the fixed package ? Can we issue
a GLSA now on it ?
Comment 30 Thierry Carrez (RETIRED) gentoo-dev 2005-05-27 04:52:24 UTC
Stuart is on it and will keep us posted.
Comment 31 Stuart Herbert (RETIRED) gentoo-dev 2005-05-30 04:59:17 UTC
I'm currently testing webapp-config v1.11 locally.  I'll let you know once 
it's in the tree.

Best regards,
Stu
Comment 32 Stuart Herbert (RETIRED) gentoo-dev 2005-05-30 12:57:05 UTC
Hi,

webapp-config 1.11 is now in the tree.  Assuming I haven't missed anything, it includes fixes for all the security bugs discovered against webapp-config 1.10-r11 or -r12.  v1.11 isn't marked stable yet - it needs wider testing before we can do that.  Hopefully I'll have some feedback in a couple of days.

I've removed webapp-config v1.10-r14 from the tree.  It was too broken, sorry.

Best regards,
Stu
Comment 33 Ben Schwartz 2005-05-30 14:45:39 UTC
1.11 better go stable mighty quick.  Currently, anyone who's installed a recent
webapp like awstats 6.4 gets this message:

root # emerge -puDv world

These are the packages that I would merge, in order:

Calculating world dependencies        r                                  
!!! All ebuilds that could satisfy ">=net-www/webapp-config-1.10-r14" have been
masked.
!!! One of the following masked packages is required to complete your request:
- net-www/webapp-config-1.11 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or 
section 2.2 "Software Availability" in the Gentoo Handbook.
!!!    (dependency required by "net-www/awstats-6.4" [ebuild])


!!! Problem with ebuild net-www/awstats-6.4
!!! Possibly a DEPEND/*DEPEND problem.

!!! Depgraph creation failed.
Comment 34 Jakub Moc (RETIRED) gentoo-dev 2005-05-30 15:47:21 UTC
(In reply to comment #32)
> v1.11 isn't marked stable yet - it needs wider testing before we 
> can do that.  Hopefully I'll have some feedback in a couple of days.

Well, sorry, but you have broken portage (Bug 94559). Either mark it stable or
fix the eclass. :/
Comment 35 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-31 07:24:42 UTC
web-apps please fix this. 
Comment 36 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-31 07:30:55 UTC
Sorry my mistake, already fixed. 
Comment 37 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-04 00:41:48 UTC
Stuart, are we ready to start stable marking? 
Comment 38 Thierry Carrez (RETIRED) gentoo-dev 2005-06-12 03:03:18 UTC
We have the go-ahead from Stuart.

Arches, please test and mark webapp-config-1.11 stable...
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"
Comment 39 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-12 03:30:07 UTC
Stable on ppc.
Comment 40 René Nussbaumer (RETIRED) gentoo-dev 2005-06-12 03:46:45 UTC
Stable on hppa
Comment 41 Danny van Dyk (RETIRED) gentoo-dev 2005-06-12 09:48:50 UTC
stable on amd64.
Comment 42 Jason Wever (RETIRED) gentoo-dev 2005-06-12 10:52:14 UTC
Stable on SPARC.
Comment 43 Markus Rothe (RETIRED) gentoo-dev 2005-06-13 07:27:48 UTC
stable on ppc64 
Comment 44 Fernando J. Pereda (RETIRED) gentoo-dev 2005-06-13 07:59:29 UTC
alpha happy
Comment 45 Bryan Østergaard (RETIRED) gentoo-dev 2005-06-15 12:19:02 UTC
ia64 stable.
Comment 46 Olivier Crete (RETIRED) gentoo-dev 2005-06-16 18:59:35 UTC
sorry for the delay, done on x86
Comment 47 SpanKY gentoo-dev 2005-06-16 19:08:57 UTC
arm/s390 done
Comment 48 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 07:17:14 UTC
GLSA 200506-13 
 
mips please remember to mark stable to benefit from the GLSA. 
Comment 49 Hardave Riar (RETIRED) gentoo-dev 2005-07-23 23:07:50 UTC
Stable on mips.