Hello,

There is some code in webapp-config that could permit a normal user to execute commands as root, if the malicious user can get $my_file pointing to a file he owns.

-------------------------------------------------------------------
Code in concern:
-------------------------------------------------------------------

Begin line 2711

fn_show_postinst () {
    if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then
        return
    fi

    local my_file="/tmp/$$.postinst.txt"

    fn_run_vars

    # we create a temporary file, so that we can expand the variables
    # that are used in the file
    echo "cat <<webapp-EOF" > "$my_file"
    cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file"
    echo "webapp-EOF" >> "$my_file"

    # execute the temporary file, to generate the output
    echo
    . "$my_file"
    echo

    # it's a temporary file, so let's get rid of it now
    rm -f "$my_file"
}

The creation of my_file should be done with mktemp, and this file should be chmod'ed.

-----------------------------------------------------------
Another possible issue:

fn_remove_emptylines () {
    egrep -v '^$' "$1" > /tmp/$$
    cat /tmp/$$ > "$1"
    rm -f /tmp/$$
}

Both of these are hardly exploitable, because it is a race condition, but it's possible.

Regards

Reproducible: Always

Actual Results:
webapp-config doesn't use mktemp and doesn't chmod the temporary files

Expected Results:
webapp-config should use mktemp and chmod temporary files
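An added example (not webapp-config's own code): the two helpers from the report rewritten so the temporary file is created by mktemp under a restrictive umask, with a constructed postinst file so it runs stand-alone. MY_APPDIR and VHOST_ROOT are assumed values here, and fn_run_vars is omitted because the bug does not show it.

```shell
#!/bin/sh
# Added example (not webapp-config's code): the two helpers from the
# report rewritten so the temporary file comes from mktemp under a
# restrictive umask. A predictable /tmp/$$ path lets another local user
# pre-place a symlink or their own file where root will later write and
# source; mktemp creates the file itself (O_EXCL), so that cannot happen.

# Create a private temp file (mode 0600, unpredictable name).
fn_mktemp_private () {
    old_umask=$(umask)
    umask 077
    tmp=$(mktemp "${TMPDIR:-/tmp}/webapp.XXXXXX") || return 1
    umask "$old_umask"
    printf '%s\n' "$tmp"
}

# Hardened fn_show_postinst: still expands variables by sourcing a
# here-document, as the original does, but from a file only this
# process could have created. fn_run_vars is omitted (not shown in the bug).
fn_show_postinst_safe () {
    if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then
        return 0
    fi
    my_file=$(fn_mktemp_private) || return 1
    {
        echo "cat <<webapp-EOF"
        cat "${MY_APPDIR}/postinst-en.txt"
        echo "webapp-EOF"
    } > "$my_file"
    . "$my_file"
    rm -f "$my_file"
}

# Hardened fn_remove_emptylines: same filter (grep -v '^$'), private
# temp file; writing back with cat keeps the target's inode and mode.
fn_remove_emptylines_safe () {
    tmp=$(fn_mktemp_private) || return 1
    grep -v '^$' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed demo input (assumed paths, not from the bug): a postinst
# text with a variable reference and blank lines to strip.
MY_APPDIR=$(mktemp -d "${TMPDIR:-/tmp}/appdir.XXXXXX")
VHOST_ROOT=/var/www/localhost
printf 'Installed to ${VHOST_ROOT}\n\n\nDone.\n' > "${MY_APPDIR}/postinst-en.txt"
fn_remove_emptylines_safe "${MY_APPDIR}/postinst-en.txt"
fn_show_postinst_safe
```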
Web-apps please provide an updated ebuild.
Fixed in webapp-config-1.10-r14. Also fixes security issues from bugs #88831 (configuration file permissions) and #87708 (top-level website directories created with mode 777). Tested and marked stable on x86. Arches, please test and mark net-www/webapp-config-1.10-r14 stable. Thanks!
stable on ppc64
Hello,

Tested with phpmyadmin, everything works fine. Just one thing to say:

-rw-r--r-- 1 root root 333 May 9 10:59 /var/www/locahost/htdocs/phpmyadmin/.webapp

inside:

WEB_INSTALLEDFOR="root:apache"

Could the files .webapp-soft-version and .webapp be only root-readable?

Regards.
stable on sparc.
Stable on hppa
Stable on ppc.
Stable on alpha + ia64.
Stable on amd64, sorry for the delay.
This one is ready for GLSA decision. I vote for NO GLSA, if this is only an issue with the latest stable version.
Hello, So how do we force people to update webapp-config if there is no GLSA? 3 security issues resolved in this version and no GLSA? Regards.
AFAIR (sorry pretty busy handling a lot of other bugs) the only real issue here is the temp file. The others are an improvement to default config. If anything sensitive is in .webapp files it's another matter. Feel free to disagree and if so please elaborate:-)
I would vote YES to a glsa on this issue.
vote YES for glsa (tavis 0wns me)
Ok, this issue is not recently introduced -> reversing vote to YES.
I've compiled a list of webapps in the tree that install config files which would have been installed world-readable with webapp-config <1.10-r14: http://dev.gentoo.org/~beu/webapps-with-cfg-files.txt These webapps will need to be re-installed by the user to be re-created with correct permissions.
Waiting on arm/mips to go stable, then the webapp eclasses *DEPEND will be changed to require this version of webapp-config (the wait is needed, or stable arm/mips webapps will have a masked dependency).
this is GLSA material
arm/mips/s390 stable
DEPEND updated in webapp.eclass. All your folks :)
Elfyn would a simple chmod -R -orwx VHOST_ROOT fix the problem or just create new ones?
r2d2 just pointed out that you'd of course need a chown -R root:apache VHOST_ROOT as well.
Elfyn any news on this one?
webapp-config-1.10-r15 will be hitting cvs in about 15-20 minutes, just have to polish off a little bit and beat the crap out of the new webapp-fixperms tool ;)

To save time when I bump webapp-config, the usage that needs to be referenced in the glsa is as follows:

# /usr/sbin/webapp-fixperms --fix-toplevel-vhost-perms-only all

The above command line will fix any directories that exist in /var/www (by default) that are world-writable - it just removes the write-bit on the directory's file mode.

Another webapp-fixperms invocation:

# /usr/sbin/webapp-fixperms -p -d /var/www2 all
# /usr/sbin/webapp-fixperms -d /var/www2 all

(-p and --pretend are much like emerge's pretend mode.) The combination will check permissions on installed config files for all webapps found in /var/www{,2}/*/htdocs. You can also replace the 'all' target with a specific package name, or names, and it will fix the permissions on only those webapp installs. There are a few other little things, though they'll be properly documented in a man page shortly.

/me gets back to rolling 1.10-r15 .. :)
In CVS, though p.mask'd as I have to go off for a few hours, and there's still a buglet remaining .. however, the webapp-config bump has better error messages, permissions checks and all options bar --fix-toplevel-vhost-perms-only are working perfectly, from my _hours_ of testing ;) Will get the last bug I know fixed when I get back and un-p.mask then ..
Okay, I'm back ;) - -r15 will be taken out of p.mask and unleashed within the hour .. </bugspam> ;p
Woops, still package masked -> back to ebuild status.
Are you sure it fixes the correct directories and doesn't go wild on the tree? >> Bug 92958
Elfyn, I don't get it, -r15 was removed? Which one is the fixed package? Can we issue a GLSA now on it?
Stuart is on it and will keep us posted.
I'm currently testing webapp-config v1.11 locally. I'll let you know once it's in the tree. Best regards, Stu
Hi, webapp-config 1.11 is now in the tree. Assuming I haven't missed anything, it includes fixes for all the security bugs discovered against webapp-config 1.10-r11 or -r12. v1.11 isn't marked stable yet - it needs wider testing before we can do that. Hopefully I'll have some feedback in a couple of days. I've removed webapp-config v1.10-r14 from the tree. It was too broken, sorry. Best regards, Stu
1.11 better go stable mighty quick. Currently, anyone who's installed a recent webapp like awstats 6.4 gets this message:

root # emerge -puDv world

These are the packages that I would merge, in order:

Calculating world dependencies r
!!! All ebuilds that could satisfy ">=net-www/webapp-config-1.10-r14" have been masked.
!!! One of the following masked packages is required to complete your request:
- net-www/webapp-config-1.11 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or section 2.2 "Software Availability" in the Gentoo Handbook.

!!! (dependency required by "net-www/awstats-6.4" [ebuild])
!!! Problem with ebuild net-www/awstats-6.4
!!! Possibly a DEPEND/*DEPEND problem.
!!! Depgraph creation failed.
(In reply to comment #32)
> v1.11 isn't marked stable yet - it needs wider testing before we
> can do that. Hopefully I'll have some feedback in a couple of days.

Well, sorry, but you have broken portage (Bug 94559). Either mark it stable or fix the eclass. :/
web-apps please fix this.
Sorry my mistake, already fixed.
Stuart, are we ready to start stable marking?
We have the go-ahead from Stuart. Arches, please test and mark webapp-config-1.11 stable... Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"
stable on amd64.
Stable on SPARC.
alpha happy
ia64 stable.
sorry for the delay, done on x86
arm/s390 done
GLSA 200506-13. mips, please remember to mark stable to benefit from the GLSA.
Stable on mips.