Bug 10497 - rubygem-passenger new security issue CVE-2013-2119
Summary: rubygem-passenger new security issue CVE-2013-2119
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/553804/
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-06-11 21:15 CEST by David Walser
Modified: 2013-07-09 20:29 CEST
CC: 6 users

See Also:
Source RPM: rubygem-passenger-3.0.18-4.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-06-11 21:15:23 CEST
Fedora has issued an advisory on June 1:
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108443.html

The issue is fixed upstream in 3.0.21.

Mageia 2 and Mageia 3 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-06-11 21:15:56 CEST

CC: (none) => dmorganec, fundawang, mageia
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-06-13 19:41:13 CEST
Funda has fixed this in Cauldron in rubygem-passenger-4.0.5-1.mga4.

An update candidate for Mageia 3 has been built, one for Mageia 2 is needed.

rubygem-passenger-3.0.21-2.mga3 is the current update candidate.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 2 David Walser 2013-06-28 00:52:45 CEST
Never mind, Mageia 2 has 2.2.9, which doesn't appear to be vulnerable.

Whiteboard: MGA2TOO => (none)

Comment 3 David Walser 2013-06-28 00:56:54 CEST
Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

Phusion Passenger's code did not always create temporary files and directories
in a secure manner. Temporary files and directories were sometimes created
with a predictable filename. A local attacker can pre-create temporary files,
resulting in a denial of service. In addition, this vulnerability allows a
local attacker to run arbitrary code as another user, by hijacking temporary
files (CVE-2013-2119).

The rubygem-passenger package has been upgraded to version 3.0.21, which fixes
this issue, as well as many others.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2119
http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released/
http://blog.phusion.nl/2013/05/29/phusion-passenger-4-0-5-released/
https://lists.fedoraproject.org/pipermail/package-announce/2013-June/108443.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.mga3

from rubygem-passenger-3.0.21-2.mga3.src.rpm

Assignee: bugsquad => qa-bugs
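The advisory above names the bug class (temporary files and directories created under predictable names, so a pre-existing entry is silently reused) but shows no code. The Ruby script below is an added illustration, not code from Passenger, from Mageia, or from any of the commenters: it puts the weak pattern next to the exclusive-create form that defeats it, and adds a small audit helper for a shared temp directory. The scratch directory, the victim file, the name `passenger.4242` and all function names are constructed for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'
require 'securerandom'

# Weak pattern (the class of bug the advisory describes): a name derived only
# from the pid, opened with plain 'w'. If the path already exists, including
# as a symlink placed there by another local user, open(2) follows it and the
# write lands wherever it points.
def predictable_tempfile(base_dir, pid, content)
  path = File.join(base_dir, "passenger.#{pid}")
  File.open(path, 'w') { |f| f.write(content) }
  path
end

# Exclusive create: O_CREAT|O_EXCL makes creation atomic, so an existing entry
# at the path (regular file or symlink) raises Errno::EEXIST instead of being
# reused; O_NOFOLLOW additionally refuses a symlink as the final component,
# and mode 0600 keeps other users from reading or replacing the content.
def open_exclusive(path, content)
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  File.open(path, flags, 0o600) { |f| f.write(content) }
  path
end

# Hardened temp file: unpredictable name plus exclusive create.
def private_tempfile(base_dir, prefix, content)
  open_exclusive(File.join(base_dir, "#{prefix}.#{SecureRandom.hex(8)}"), content)
end

# Hardened temp directory: Dir.mktmpdir uses mkdir(2) with mode 0700, which
# fails rather than reusing an existing name.
def private_tempdir(base_dir, prefix)
  Dir.mktmpdir(prefix, base_dir)
end

# Audit helper for a shared temp directory: entries a daemon should not trust
# are symlinks, entries owned by another uid, and entries writable by group
# or others. lstat (not stat) so symlinks are examined rather than followed.
def untrusted_tmp_entries(dir, uid = Process.uid)
  Dir.children(dir).map { |name| File.join(dir, name) }.select do |path|
    st = File.lstat(path)
    st.symlink? || st.uid != uid || (st.mode & 0o022) != 0
  end
end

# Walk through both patterns in a throwaway directory (constructed for the
# demonstration, not the system /tmp). A symlink at the predictable name
# stands in for the pre-created temporary file the advisory describes.
def demo
  Dir.mktmpdir('cve-2013-2119-demo') do |root|
    victim = File.join(root, 'victim.txt')
    File.write(victim, "original\n")
    planted = File.join(root, 'passenger.4242')
    File.symlink(victim, planted)

    # Weak pattern: the write silently goes through the link into victim.txt.
    predictable_tempfile(root, 4242, "clobbered\n")
    followed_link = File.read(victim) == "clobbered\n"

    # Exclusive create on the same path: refused instead of followed.
    refused = begin
      open_exclusive(planted, "clobbered\n")
      false
    rescue Errno::EEXIST, Errno::ELOOP
      true
    end

    fresh = private_tempfile(root, 'passenger', "ok\n")
    dir = private_tempdir(root, 'passenger')
    {
      followed_link: followed_link,
      refused: refused,
      file_mode: File.stat(fresh).mode & 0o777,
      dir_mode: File.stat(dir).mode & 0o777,
      flagged: untrusted_tmp_entries(root).map { |p| File.basename(p) },
      fresh_name: File.basename(fresh),
      dir_name: File.basename(dir)
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script prints a hash in which `followed_link` is true (the weak pattern wrote through the planted link), `refused` is true (exclusive create failed on the same path), the fresh file and directory carry modes 0600 and 0700, and the audit helper lists `passenger.4242` but not the files the hardened functions created. The audit helper is the part worth keeping around: run over a daemon's temp root it surfaces exactly the entries (symlinks, foreign-owned or group/world-writable files) that a predictable-name bug would let someone plant.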

Comment 4 claire robinson 2013-06-28 12:42:21 CEST
Testing mga3 64

Sorry for the long comment. Tells users to use 'yum install' to install missing devel dependencies and errors when they have been installed. See further down.


--------------------------------------------------
# passenger start

Nginx core 1.2.4 isn't installed

Phusion Passenger Standalone will automatically install it into:

  /var/lib/passenger-standalone/natively-packaged/nginx-1.2.4

This will only be done once. Please sit back and relax while installation is
in progress.

Checking for required software...

 * GNU C++ compiler... found at /bin/g++
 * GNU make... found at /bin/gmake
 * A download tool like 'wget' or 'curl'... found at /bin/wget
 * Ruby development headers... mkmf.rb can't find header files for ruby at /usr/share/include/ruby.h
not found
 * OpenSSL support for Ruby... found
 * RubyGems... found
 * Rake... found at /usr/bin/rake
 * rack... found
 * Curl development headers with SSL support... not found
 * OpenSSL development headers... not found
 * Zlib development headers... found
 * daemon_controller >= 1.0.0... found
 * Mizuho... not found

Some required software is not installed.
But don't worry, this installer will tell you how to install them.

Press Enter to continue, or Ctrl-C to abort.

--------------------------------------------

Installation instructions for required software

 * To install Ruby development headers:
   Please run yum install ruby-devel as root.           <===== Here

 * To install Curl development headers with SSL support:
   Please run yum install curl-devel as root.           <===== Here 

 * To install OpenSSL development headers:
   Please run yum install openssl-devel as root.        <===== Here

 * To install Mizuho:
   Please install RubyGems first, then run /usr/bin/gem install mizuho

If the aforementioned instructions didn't solve your problem, then please take
a look at the Users Guide:

  /usr/share/doc/phusion-passenger/Users guide Standalone.html
--------------------------------------------------


Once installed with urpmi and 'gem install mizuho', also installed and started nginx. It reports nginx as missing, tries to build it from source and fails.

# rpm -q nginx
nginx-1.2.9-1.1.mga3
# service nginx start
Redirecting to /bin/systemctl start nginx.service


--------------------------------------------------
# passenger start
Nginx core 1.2.9 isn't installed

Phusion Passenger Standalone will automatically install it into:

  /var/lib/passenger-standalone/natively-packaged/nginx-1.2.9

This will only be done once. Please sit back and relax while installation is
in progress.

Checking for required software...

 * GNU C++ compiler... found at /bin/g++
 * GNU make... found at /bin/gmake
 * A download tool like 'wget' or 'curl'... found at /bin/wget
 * Ruby development headers... found
 * OpenSSL support for Ruby... found
 * RubyGems... found
 * Rake... found at /usr/bin/rake
 * rack... found
 * Curl development headers with SSL support... found
 * OpenSSL development headers... found
 * Zlib development headers... found
 * daemon_controller >= 1.0.0... found
 * Mizuho... found at /bin/mizuho

Downloading Passenger binaries for your platform, if available...
# wget -O /tmp/passenger.20130628-21062-hmex56/support.tar.gz http://standalone-binaries.modrails.com/natively-packaged/support.tar.gz
--2013-06-28 11:34:53--  http://standalone-binaries.modrails.com/natively-packaged/support.tar.gz
Resolving standalone-binaries.modrails.com (standalone-binaries.modrails.com)... 97.107.130.55
Connecting to standalone-binaries.modrails.com (standalone-binaries.modrails.com)|97.107.130.55|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-06-28 11:34:53 ERROR 404: Not Found.

Looks like it's not. But don't worry, the necessary binaries will be compiled from source instead.


Downloading Nginx binaries for your platform, if available...
# wget -O /tmp/passenger.20130628-21062-hmex56/nginx-1.2.9.tar.gz http://standalone-binaries.modrails.com/natively-packaged/nginx-1.2.9.tar.gz
--2013-06-28 11:34:53--  http://standalone-binaries.modrails.com/natively-packaged/nginx-1.2.9.tar.gz
Resolving standalone-binaries.modrails.com (standalone-binaries.modrails.com)... 97.107.130.55
Connecting to standalone-binaries.modrails.com (standalone-binaries.modrails.com)|97.107.130.55|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-06-28 11:34:54 ERROR 404: Not Found.

Looks like it's not. But don't worry, the necessary binaries will be compiled from source instead.


Downloading Nginx...
# wget -O /tmp/passenger.20130628-21062-hmex56/nginx-1.2.9.tar.gz http://nginx.org/download/nginx-1.2.9.tar.gz
--2013-06-28 11:34:54--  http://nginx.org/download/nginx-1.2.9.tar.gz
Resolving nginx.org (nginx.org)... 206.251.255.63
Connecting to nginx.org (nginx.org)|206.251.255.63|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 725829 (709K) [application/octet-stream]
Saving to: '/tmp/passenger.20130628-21062-hmex56/nginx-1.2.9.tar.gz'

100%[===================================================================================================>] 725,829      230KB/s   in 3.1s

2013-06-28 11:34:57 (230 KB/s) - '/tmp/passenger.20130628-21062-hmex56/nginx-1.2.9.tar.gz' saved [725829/725829]

Installing Phusion Passenger Standalone...
/usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/runtime_installer.rb:414:in `chdir': No such file or directory - /usr/share/phusion-passenger/source (Errno::ENOENT)
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/runtime_installer.rb:414:in `install_passenger_support_files'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/runtime_installer.rb:146:in `install!'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/abstract_installer.rb:63:in `start'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/start_command.rb:318:in `install_runtime'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/start_command.rb:339:in `ensure_nginx_installed'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/start_command.rb:59:in `run'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:93:in `block in run_command'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:48:in `block in each_command'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:43:in `each'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:43:in `each_command'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:91:in `run_command'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:62:in `run!'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/lib/phusion_passenger/standalone/main.rb:39:in `run!'
        from /usr/share/ruby/gems/gems/passenger-3.0.21/bin/passenger:32:in `<top (required)>'
        from /bin/passenger:23:in `load'
        from /bin/passenger:23:in `<main>'
--------------------------------------------------

Whiteboard: (none) => feedback

Comment 5 claire robinson 2013-07-04 22:14:27 CEST
Assigning Funda as discussed. Please reassign to QA when you've had a chance to look, Funda. Thanks!

CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang

Comment 6 Funda Wang 2013-07-07 07:07:42 CEST
Well, passenger tends to be used as apache module, rather than work with nginx.

I would suggest getting the security problem fixed ASAP. Regarding whether it is usable, let's start another report.
Comment 7 claire robinson 2013-07-07 14:43:15 CEST
Please let's not make a habit of this, consider it a favour. There is little point in pushing sec updates for broken packages. Bug 10728 created for this not working.

Validating. Advisory from comment 3 uploaded with a note about other issues being handled in bug 10728.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Assignee: fundawang => qa-bugs
Whiteboard: feedback => (none)
CC: (none) => sysadmin-bugs

Comment 8 claire robinson 2013-07-07 14:46:05 CEST
Everything I read suggested the opposite regarding nginx btw and it does default to using it.
Comment 9 Thomas Backlund 2013-07-09 20:29:12 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0205.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
