Bug 10890 - rubygem-passenger new security issue CVE-2013-4136
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: major
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/561624/
: has_procedure mga3-64-ok mga3-32-ok
: validated_update
: 10992
Reported: 2013-07-31 19:45 CEST by David Walser
Modified: 2013-08-22 20:03 CEST (History)

See Also:
Source RPM: rubygem-passenger-3.0.18-4.mga3.src.rpm

Description David Walser 2013-07-31 19:45:37 CEST
Fedora has issued an advisory on July 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html

The issue is fixed upstream in 4.0.8.

While this issue is similar to CVE-2013-2119, it sounds like the version in Mageia 2 (2.2.x) is probably affected this time as well.  Fedora has a patch for 3.0.21.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-08-11 16:11:03 CEST
I tried to update Cauldron to 4.0.8 and got this:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130811135605.luigiwalser.valstar.2868/log/rubygem-passenger-4.0.8-1.mga4/build.0.20130811135702.log

WTF does this mean (especially since rake is installed in the chroot)?
Could not find 'rake' (>= 0) among 0 total gem(s) (Gem::LoadError)
Comment 2 David Walser 2013-08-11 16:21:13 CEST
RedHat's patch for 3.0.21 is committed to Mageia 3 SVN.  It's not clear how to backport the fix to Mageia 2.
Comment 3 David Walser 2013-08-13 16:28:48 CEST
Pascal Terjan reverted the broken ruby-RubyGems in Cauldron that was causing the previous build error.  Now it still doesn't build; perhaps an issue with boost:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130813140232.luigiwalser.valstar.18646/log/rubygem-passenger-4.0.8-1.mga4/build.0.20130813140304.log
Comment 4 David Walser 2013-08-13 21:32:35 CEST
Fixed in Cauldron in rubygem-passenger-4.0.8-1.mga4 by Pascal Terjan.
Comment 5 David Walser 2013-08-13 21:48:47 CEST
I've cloned this to Bug 10992 for the issue in Mageia 2, for which there is no patch available currently.

Pushing the Mageia 3 update to QA.

Note to QA: as with the previous update (Bug 10497), please just test the Apache module.

Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

It was reported that Phusion Passenger would reuse existing server instance
directories (temporary directories) which could cause Passenger to remove or
overwrite files belonging to other instances (CVE-2013-4136).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.1.mga3

from rubygem-passenger-3.0.21-2.1.mga3.src.rpm
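
Added example, not part of the bug report and not Passenger's or Mageia's patch: a Python illustration of the failure class named in the advisory above (an existing temporary directory being adopted at startup) next to a creation routine that refuses to reuse one. The functions `reuse_instance_dir` and `claim_instance_dir` and the directory names are hypothetical, and the scenario is constructed in a scratch directory.

```python
import os
import stat
import tempfile


class InstanceDirError(Exception):
    """Raised when the instance directory cannot be claimed safely."""


def reuse_instance_dir(path):
    """Risky pattern: any existing path that resolves to a directory,
    including a symlink to one, is silently accepted."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path


def claim_instance_dir(path):
    """Create the directory atomically and never adopt a pre-existing one."""
    try:
        os.mkdir(path, 0o700)   # fails with EEXIST instead of reusing
        return path
    except FileExistsError:
        st = os.lstat(path)     # inspect the entry itself, not a symlink target
    if stat.S_ISLNK(st.st_mode):
        reason = "is a symlink"
    elif not stat.S_ISDIR(st.st_mode):
        reason = "is not a directory"
    elif st.st_uid != os.geteuid():
        reason = f"is owned by uid {st.st_uid}"
    else:
        reason = "was left by another instance"
    raise InstanceDirError(f"{path} {reason}; refusing to reuse it")


def refusal(path):
    """Return the refusal message for path, or None if it was claimed."""
    try:
        claim_instance_dir(path)
    except InstanceDirError as exc:
        return str(exc)
    return None


def demo():
    """Constructed scenario: paths that exist before the server starts."""
    with tempfile.TemporaryDirectory() as tmp:
        other = os.path.join(tmp, "other-instance")   # hypothetical names
        os.mkdir(other)
        planted = os.path.join(tmp, "instance.1234")
        os.symlink(other, planted)
        reused = reuse_instance_dir(planted) == planted  # accepted: writes land in `other`
        fresh = claim_instance_dir(os.path.join(tmp, "instance.5678"))
        return reused, refusal(planted), refusal(other), os.path.isdir(fresh)
```
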
Comment 6 David Walser 2013-08-20 17:03:11 CEST
Testing procedure:
Install package, run httpd -M, verify that mod_passenger is loaded.
Comment 7 claire robinson 2013-08-20 18:12:44 CEST
Not loaded. I'll try to find out why.
Comment 8 claire robinson 2013-08-20 18:25:51 CEST
There are two problems IINM

/etc/httpd/modules.d/mod_passenger.conf should be in /etc/httpd/conf/modules.d/ instead.

Once cp'd there it fails with ..

# httpd -M | grep pas
httpd: Syntax error on line 55 of /etc/httpd/conf/httpd.conf: Syntax error on line 7 of /etc/httpd/conf/modules.d/mod_passenger.conf: Cannot load extramodules/mod_passenger.so into server: /etc/httpd/extramodules/mod_passenger.so: cannot open shared object file: No such file or directory


mod_passenger.conf is trying to load from an incorrect path..
LoadModule passenger_module extramodules/mod_passenger.so

# urpmf rubygem-passenger | grep mod_passenger.so
rubygem-passenger:/usr/lib64/apache-extramodules/mod_passenger.so
rubygem-passenger:/usr/lib/apache-extramodules/mod_passenger.so

Once changed in the cp'd /etc/httpd/conf/modules.d/mod_passenger.conf to..
<IfModule !mod_passenger.c>
    LoadModule passenger_module /usr/lib64/apache-extramodules/mod_passenger.so
</IfModule>


# httpd -M | grep pas
 passenger_module (shared)
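
Added example, not part of the thread or the package: a Python check for the failure in comment 8, resolving each LoadModule target against ServerRoot the way httpd does and reporting targets that do not exist. `check_loadmodule` is a hypothetical helper, and the directory tree is constructed in a temporary directory to mirror the paths quoted above.

```python
import os
import re
import tempfile

# LoadModule <identifier> <file>; httpd directive names are case-insensitive.
LOADMODULE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.IGNORECASE)


def check_loadmodule(conf_text, server_root):
    """Return [(module, resolved_path, exists)] for each LoadModule line.
    A relative file name is resolved against ServerRoot, as httpd does."""
    results = []
    for line in conf_text.splitlines():
        m = LOADMODULE.match(line)
        if not m:
            continue  # comments, <IfModule> wrappers, other directives
        name, target = m.groups()
        if os.path.isabs(target):
            resolved = target
        else:
            resolved = os.path.join(server_root, target)
        results.append((name, resolved, os.path.isfile(resolved)))
    return results


def demo():
    """Constructed tree: ServerRoot at etc/httpd, module under usr/lib64."""
    with tempfile.TemporaryDirectory() as tmp:
        server_root = os.path.join(tmp, "etc/httpd")
        module_dir = os.path.join(tmp, "usr/lib64/apache-extramodules")
        os.makedirs(server_root)
        os.makedirs(module_dir)
        so_path = os.path.join(module_dir, "mod_passenger.so")
        open(so_path, "wb").close()  # empty stand-in for the real module
        # Line shipped in the package's conf file, as quoted in comment 8.
        old_conf = "LoadModule passenger_module extramodules/mod_passenger.so\n"
        # Corrected form from comment 8, pointed at the constructed tree.
        new_conf = ("<IfModule !mod_passenger.c>\n"
                    f"    LoadModule passenger_module {so_path}\n"
                    "</IfModule>\n")
        old = check_loadmodule(old_conf, server_root)
        new = check_loadmodule(new_conf, server_root)
        return old, new, so_path
```
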
Comment 9 David Walser 2013-08-20 18:45:19 CEST
Thanks Claire.  I guess there really is nobody using this package.  I wonder why we even still have it.  *Sigh*  Anyway, it just means that this package was never updated with the new paths for apache 2.4 in Mageia 3.  This is easy to fix.  Will be up soon.
Comment 10 David Walser 2013-08-20 18:58:31 CEST
Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

It was reported that Phusion Passenger would reuse existing server instance
directories (temporary directories) which could cause Passenger to remove or
overwrite files belonging to other instances (CVE-2013-4136).

Additionally, the package has been fixed so that the Apache module should load.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.2.mga3

from rubygem-passenger-3.0.21-2.2.mga3.src.rpm
Comment 11 claire robinson 2013-08-20 19:54:52 CEST
Yeah, that's better David, thanks.

# httpd -M | grep pass
 passenger_module (shared)

Testing complete mga3 64
Comment 12 claire robinson 2013-08-20 20:01:09 CEST
Testing complete mga2 32

Validating. Advisory from comment 10 uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 13 claire robinson 2013-08-20 20:02:03 CEST
mga3 32* ..above, not mga2.
Comment 14 Thomas Backlund 2013-08-22 20:03:11 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0253.html
