Bug 10890 - rubygem-passenger new security issue CVE-2013-4136
Summary: rubygem-passenger new security issue CVE-2013-4136
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/561624/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Keywords: validated_update
Depends on:
Blocks: 10992
 
Reported: 2013-07-31 19:45 CEST by David Walser
Modified: 2013-08-22 20:03 CEST

See Also:
Source RPM: rubygem-passenger-3.0.18-4.mga3.src.rpm

Description David Walser 2013-07-31 19:45:37 CEST
Fedora has issued an advisory on July 20:
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html

The issue is fixed upstream in 4.0.8.

While this issue is similar to CVE-2013-2119, it sounds like the version in Mageia 2 (2.2.x) is probably affected this time as well.  Fedora has a patch for 3.0.21.

David Walser 2013-07-31 19:45:43 CEST

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-08-11 16:11:03 CEST
I tried to update Cauldron to 4.0.8 and got this:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130811135605.luigiwalser.valstar.2868/log/rubygem-passenger-4.0.8-1.mga4/build.0.20130811135702.log

WTF does this mean (especially since rake is installed in the chroot)?
Could not find 'rake' (>= 0) among 0 total gem(s) (Gem::LoadError)

Comment 2 David Walser 2013-08-11 16:21:13 CEST
RedHat's patch for 3.0.21 is committed to Mageia 3 SVN.  It's not clear how to backport the fix to Mageia 2.

Comment 3 David Walser 2013-08-13 16:28:48 CEST
Pascal Terjan reverted the broken ruby-RubyGems in Cauldron that was causing the previous build error.  Now it still doesn't build; perhaps an issue with boost:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130813140232.luigiwalser.valstar.18646/log/rubygem-passenger-4.0.8-1.mga4/build.0.20130813140304.log

Comment 4 David Walser 2013-08-13 21:32:35 CEST
Fixed in Cauldron in rubygem-passenger-4.0.8-1.mga4 by Pascal Terjan.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

David Walser 2013-08-13 21:39:39 CEST

Blocks: (none) => 10992

Comment 5 David Walser 2013-08-13 21:48:47 CEST
I've cloned this to Bug 10992 for the issue in Mageia 2, for which there is no patch available currently.

Pushing the Mageia 3 update to QA.

Note to QA: as with the previous update (Bug 10497), please just test the Apache module.

Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

It was reported that Phusion Passenger would reuse existing server instance
directories (temporary directories) which could cause Passenger to remove or
overwrite files belonging to other instances (CVE-2013-4136).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.1.mga3

from rubygem-passenger-3.0.21-2.1.mga3.src.rpm

CC: (none) => fundawang
Assignee: fundawang => qa-bugs
Whiteboard: MGA2TOO => (none)

Comment 6 David Walser 2013-08-20 17:03:11 CEST
Testing procedure:
Install package, run httpd -M, verify that mod_passenger is loaded.

Whiteboard: (none) => has_procedure

Comment 7 claire robinson 2013-08-20 18:12:44 CEST
Not loaded. I'll try to find out why.
Comment 8 claire robinson 2013-08-20 18:25:51 CEST
There are two problems IINM

/etc/httpd/modules.d/mod_passenger.conf should be in /etc/httpd/conf/modules.d/ instead.

Once cp'd there it fails with ..

# httpd -M | grep pas
httpd: Syntax error on line 55 of /etc/httpd/conf/httpd.conf: Syntax error on line 7 of /etc/httpd/conf/modules.d/mod_passenger.conf: Cannot load extramodules/mod_passenger.so into server: /etc/httpd/extramodules/mod_passenger.so: cannot open shared object file: No such file or directory


mod_passenger.conf is trying to load from an incorrect path..
LoadModule passenger_module extramodules/mod_passenger.so

# urpmf rubygem-passenger | grep mod_passenger.so
rubygem-passenger:/usr/lib64/apache-extramodules/mod_passenger.so
rubygem-passenger:/usr/lib/apache-extramodules/mod_passenger.so

Once changed in the cp'd /etc/httpd/conf/modules.d/mod_passenger.conf to..
<IfModule !mod_passenger.c>
    LoadModule passenger_module /usr/lib64/apache-extramodules/mod_passenger.so
</IfModule>


# httpd -M | grep pas
 passenger_module (shared)

Whiteboard: has_procedure => has_procedure feedback

Comment 9 David Walser 2013-08-20 18:45:19 CEST
Thanks Claire.  I guess there really is nobody using this package.  I wonder why we even still have it.  *Sigh*  Anyway, it just means that this package was never updated with the new paths for apache 2.4 in Mageia 3.  This is easy to fix.  Will be up soon.

Whiteboard: has_procedure feedback => has_procedure

Comment 10 David Walser 2013-08-20 18:58:31 CEST
Advisory:
========================

Updated rubygem-passenger package fixes security vulnerability:

It was reported that Phusion Passenger would reuse existing server instance
directories (temporary directories) which could cause Passenger to remove or
overwrite files belonging to other instances (CVE-2013-4136).

Additionally, the package has been fixed so that the Apache module should load.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4136
https://lists.fedoraproject.org/pipermail/package-announce/2013-July/112716.html
========================

Updated packages in core/updates_testing:
========================
rubygem-passenger-3.0.21-2.2.mga3

from rubygem-passenger-3.0.21-2.2.mga3.src.rpm
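
The advisory above concerns Passenger reusing an existing server instance directory. As an added illustration (not Passenger's code and not the upstream or Fedora patch), this C sketch shows the defensive pattern for such directories: create atomically, and accept a pre-existing one only if it is a real directory owned by the expected user with private permissions. The function name, result codes and sample paths are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes for this sketch. */
enum claim { CLAIM_CREATED, CLAIM_REUSED_OWN, CLAIM_REFUSED, CLAIM_ERROR };

/* Create `path` as a private directory, or accept an existing one only if it
 * is a real directory owned by `owner` with no group/other access. */
enum claim claim_instance_dir(const char *path, uid_t owner)
{
    struct stat st;
    int fd;

    if (mkdir(path, 0700) == 0)
        return CLAIM_CREATED;          /* atomic: nobody else made it first */
    if (errno != EEXIST)
        return CLAIM_ERROR;

    /* O_NOFOLLOW rejects a symlink planted at `path`; O_DIRECTORY rejects a
     * plain file. fstat() then inspects the object that was actually opened. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return (errno == ELOOP || errno == ENOTDIR) ? CLAIM_REFUSED : CLAIM_ERROR;
    if (fstat(fd, &st) != 0) { close(fd); return CLAIM_ERROR; }
    close(fd);

    if (st.st_uid != owner || (st.st_mode & (S_IRWXG | S_IRWXO)))
        return CLAIM_REFUSED;          /* someone else's, or too permissive */
    return CLAIM_REUSED_OWN;
}

int main(void)
{
    char base[] = "/tmp/instdir-demo-XXXXXX";   /* constructed sample location */
    char path[64];

    if (!mkdtemp(base)) return 1;
    snprintf(path, sizeof path, "%s/passenger.1234", base);  /* sample name */
    printf("first claim:  %d\n", claim_instance_dir(path, geteuid()));
    printf("second claim: %d\n", claim_instance_dir(path, geteuid()));
    rmdir(path);
    rmdir(base);
    return 0;
}
```

The check and any later path-based use are still separate steps; a caller that keeps the descriptor and works through openat() ties later file operations to the directory that was verified.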

Comment 11 claire robinson 2013-08-20 19:54:52 CEST
Yeah, that's better David, thanks.

# httpd -M | grep pass
 passenger_module (shared)

Testing complete mga3 64

Whiteboard: has_procedure => has_procedure mga3-64-ok

Comment 12 claire robinson 2013-08-20 20:01:09 CEST
Testing complete mga2 32

Validating. Advisory from comment 10 uploaded.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 13 claire robinson 2013-08-20 20:02:03 CEST
mga3 32* ..above, not mga2.

Comment 14 Thomas Backlund 2013-08-22 20:03:11 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0253.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

