Your message dated Wed, 19 Oct 2016 10:40:37 +0000
with message-id <[email protected]>
and subject line Bug#840685: fixed in tomcat8 8.0.38-1
has caused the Debian Bug report #840685,
regarding TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
840685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840685
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tomcat8
Version: 8.0.14-1+deb8u3
Severity: critical
Tags: security
Justification: root security hole


[ I contacted [email protected] about this, but no response ... ]

Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:

...
NAME=tomcat8
...
JVM_TMP=/tmp/tomcat8-$NAME-tmp
...
                # Remove / recreate JVM_TMP directory
                rm -rf "$JVM_TMP"
                mkdir -p "$JVM_TMP" || {
                        log_failure_msg "could not create JVM temporary directory"
                        exit 1
                }
                chown $TOMCAT8_USER "$JVM_TMP"
...

That suffers from a TOCTOU race condition.

An attacker can, after the "rm -rf", create a symlink to /etc. Then
"mkdir -p" returns success (though does nothing); and chown follows
the symlink. That is "game over": ability to replace /etc/passwd.

The attacker can use inotify and act quickly, and have a good chance
of winning the race to create the symlink before the init.d script
starts a new mkdir process.

Do you need some working PoC code?

---

The script should be made more robust by using "chown -h". (This would
protect against the above attack.)

The script should use plain mkdir without "-p": not needed as we create
a single directory, and should not be used to let mkdir return failure.
(This may make it safe.)

Cheers, Paul

Paul Szabo   [email protected]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.36-pk07.24-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common         8.0.14-1+deb8u3
ii  ucf                    3.0030

Versions of packages tomcat8 recommends:
pn  authbind  <none>

Versions of packages tomcat8 suggests:
pn  libtcnative-1     <none>
pn  tomcat8-admin     <none>
pn  tomcat8-docs      <none>
pn  tomcat8-examples  <none>
pn  tomcat8-user      <none>

-- Configuration Files:
/etc/init.d/tomcat8 changed [not included]
/etc/tomcat8/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat8/catalina.properties'
/etc/tomcat8/context.xml [Errno 13] Permission denied: u'/etc/tomcat8/context.xml'
/etc/tomcat8/logging.properties [Errno 13] Permission denied: u'/etc/tomcat8/logging.properties'
/etc/tomcat8/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/01system.policy'
/etc/tomcat8/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/02debian.policy'
/etc/tomcat8/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/03catalina.policy'
/etc/tomcat8/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/04webapps.policy'
/etc/tomcat8/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/50local.policy'
/etc/tomcat8/server.xml [Errno 13] Permission denied: u'/etc/tomcat8/server.xml'
/etc/tomcat8/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat8/tomcat-users.xml'
/etc/tomcat8/web.xml [Errno 13] Permission denied: u'/etc/tomcat8/web.xml'

-- debconf information excluded

--- End Message ---
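The race described in the report above, reduced to something that can be run unprivileged. This is an added example, not code from the Debian package, from the bug reporter, or from the 8.0.38-1 fix (the changelog only says the init.d script was hardened, not how); the function names are hypothetical, everything happens under a private mktemp directory, and the attacker's symlink is simply planted in advance rather than raced in via inotify. It shows the three facts the report rests on: `mkdir -p` reports success when the path is already a symlink to a directory; plain `mkdir` refuses it, because mkdir(2) returns EEXIST for any existing name, symlinks included; and `chown` without `-h` acts on the symlink's target while `chown -h` acts on the link itself, made observable with a dangling link, where the dereferencing form fails with ENOENT. `make_private_dir` is the hardened sequence the reporter asks for.

```shell
#!/bin/sh
# Added example (not the Debian init.d script): reproduce the properties
# behind the JVM_TMP symlink race and show a hardened create sequence.
# Safe to run as any user; nothing outside a mktemp scratch dir is touched.

# status_with_planted_symlink KIND CMD [ARGS...]
# Run "CMD ARGS PATH" where PATH is a symlink the attacker planted after
# the init script's "rm -rf".  KIND is "dir" (link to a real directory,
# as in the /etc attack) or "dangling".  Prints the command's exit status.
status_with_planted_symlink() {
    kind=$1; shift
    scratch=$(mktemp -d) || return 2
    if [ "$kind" = dir ]; then
        mkdir "$scratch/target"
    fi
    ln -s "$scratch/target" "$scratch/jvm_tmp"     # attacker won the race
    if "$@" "$scratch/jvm_tmp" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$scratch"
    echo "$rc"
}

# make_private_dir DIR OWNER
# Hardened replacement for "rm -rf; mkdir -p; chown".  Returns non-zero,
# without chowning anything, unless DIR was freshly created as a real
# directory by this very call.
make_private_dir() {
    dir=$1
    owner=$2
    rm -rf "$dir"
    # No -p: mkdir(2) fails with EEXIST if any name, symlink included,
    # already occupies the path, so a planted link aborts the script here.
    mkdir "$dir" || return 1
    # Defence in depth: refuse to go on if it is somehow not a real directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    # -h: change the ownership of the path itself, never of a link target.
    chown -h "$owner" "$dir" || return 1
}

# Positive check: on a free path the hardened sequence yields a real,
# non-symlink directory and succeeds.  Returns 0 on success.
check_make_private_dir() {
    scratch=$(mktemp -d) || return 2
    ok=1
    if make_private_dir "$scratch/jvm_tmp" "$(id -un)" \
        && [ -d "$scratch/jvm_tmp" ] && [ ! -L "$scratch/jvm_tmp" ]; then
        ok=0
    fi
    rm -rf "$scratch"
    return "$ok"
}

# Demonstration output when run directly.
echo "mkdir -p on planted symlink-to-dir exits: $(status_with_planted_symlink dir mkdir -p)"
echo "plain mkdir on the same link exits:       $(status_with_planted_symlink dir mkdir)"
echo "chown (follows) on dangling link exits:   $(status_with_planted_symlink dangling chown "$(id -un)")"
echo "chown -h on dangling link exits:          $(status_with_planted_symlink dangling chown -h "$(id -un)")"
if check_make_private_dir; then
    echo "make_private_dir: created a real directory and chowned it"
fi
```

The ownership change itself cannot be observed without root, which is why the dereferencing difference is shown with a dangling link rather than by inspecting /etc. Note also where the real safety margin of the hardened sequence comes from: the parent is a sticky, root-owned directory such as /tmp, so once plain `mkdir` has succeeded the new entry belongs to root and another user cannot rename over or unlink it. The `-L`/`-d` check and `chown -h` are therefore belt and braces; dropping `-p` is the change that closes the window the report describes.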
--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.38-1

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <[email protected]> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 19 Oct 2016 11:01:03 +0200
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java 
libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.38-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 
<[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API 
classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java 
API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web 
application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web 
applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 840685
Changes:
 tomcat8 (8.0.38-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Refreshed the patches
   * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)
   * Fixed the OSGi metadata for tomcat8-jasper.jar and tomcat8-jasper-el.jar
   * Depend on libcglib-nodep-java instead of libcglib3-java
   * Removed the unused Lintian overrides
Checksums-Sha1:
 a2778761d6238a197228b312271846db3d95c730 2816 tomcat8_8.0.38-1.dsc
 4987605762a9d2793092b460565d666a26746745 3509572 tomcat8_8.0.38.orig.tar.xz
 eabd7f39695be919be3e9ea3edf05468eeb025e5 38820 tomcat8_8.0.38-1.debian.tar.xz
 da1232c9b36fcf8a34ec0a9113a834bdaa0142d9 239860 
libservlet3.1-java-doc_8.0.38-1_all.deb
 ec8f0d7570525d9a139eecb6a4ff1fc841e429bd 391354 
libservlet3.1-java_8.0.38-1_all.deb
 fefce6e4e1403b5fc755a5219afea21c715d0b51 4691266 
libtomcat8-java_8.0.38-1_all.deb
 3215df1d3768bc2ade7c64b1a8fe50d787dc2fe4 34620 tomcat8-admin_8.0.38-1_all.deb
 7b9d1ca833c0204b9600211c6f1f35de86cfefbd 60070 tomcat8-common_8.0.38-1_all.deb
 73eaca528ff9af16bd67e36fa2dc4cc3d31704ab 750614 tomcat8-docs_8.0.38-1_all.deb
 2c5580940e453743841cbd1706c6976b94733449 191216 
tomcat8-examples_8.0.38-1_all.deb
 409bdd2c7e7c43edb55e1e8830b718a327d46313 34328 tomcat8-user_8.0.38-1_all.deb
 3296c3e86183958741343919c8c34377b2a0f1b1 45940 tomcat8_8.0.38-1_all.deb
Checksums-Sha256:
 d7dd35f231d7df635732e4f15843ed1c6f054dfb7dd25f82315980373b3f19d2 2816 
tomcat8_8.0.38-1.dsc
 1c5338c19fd15bc40ae5646a83525ce01b5dac5741f953bc4bb344b0fc4b64a6 3509572 
tomcat8_8.0.38.orig.tar.xz
 12a41835ddf6a1d4f1ae5d9430f15553ab0f6b945eabc0943ac5bddbae67c7d9 38820 
tomcat8_8.0.38-1.debian.tar.xz
 78d2f80125a988298d788fc813b5cd391dff126381e9367f8738d2b5fe7bfd26 239860 
libservlet3.1-java-doc_8.0.38-1_all.deb
 dd8407616e1bc30479fbd42f3af8a3c1e1e9d242cde48e209b7cdb9b07195866 391354 
libservlet3.1-java_8.0.38-1_all.deb
 8d9e00b824e807bece502a01da52e7931d0486c8f80b51885397ac1f4f723f20 4691266 
libtomcat8-java_8.0.38-1_all.deb
 5b17cde24e82b2850e1994464d1ed3d6ab4bdda14c002d875939fa2eeb794b0f 34620 
tomcat8-admin_8.0.38-1_all.deb
 a58199ce814c796d31712a1039d9eb21fc41b05f74bdf74c991c4107aad0bd8f 60070 
tomcat8-common_8.0.38-1_all.deb
 57bbc0687826150ac637a79cba5af559b6b3f91372a90ebab8db8eac028f9218 750614 
tomcat8-docs_8.0.38-1_all.deb
 fc354399abcf2ce08f04d891ec7fa39e27ecefc50bcbaaac7b7c3718256b3b7a 191216 
tomcat8-examples_8.0.38-1_all.deb
 8744e5e2c8b288fcd85967272415d9cbb2db97435087d2403ba4cfce4901bc23 34328 
tomcat8-user_8.0.38-1_all.deb
 5e35a709af61fa3df76e9bbec71b7c4ac5bd2dfcc6986601dc3f1d16a4b7926f 45940 
tomcat8_8.0.38-1_all.deb
Files:
 7acc5c91827d36043fc25249d8fca973 2816 java optional tomcat8_8.0.38-1.dsc
 92372507d1f1a3b9175166edcc51b363 3509572 java optional 
tomcat8_8.0.38.orig.tar.xz
 42f2ecb3cee9be583734e41d1cee2eca 38820 java optional 
tomcat8_8.0.38-1.debian.tar.xz
 120c697f5f926ed93da31082bf6360be 239860 doc optional 
libservlet3.1-java-doc_8.0.38-1_all.deb
 4d9d0b76ece4f4a08093056c3f18f77f 391354 java optional 
libservlet3.1-java_8.0.38-1_all.deb
 50ccf001aa72fc70adb8fee3098fc45b 4691266 java optional 
libtomcat8-java_8.0.38-1_all.deb
 9f97ba2ee04cc2886622e37c5cb5323d 34620 java optional 
tomcat8-admin_8.0.38-1_all.deb
 9b4436fadcdb80d088b06cedca7b77ed 60070 java optional 
tomcat8-common_8.0.38-1_all.deb
 324e802fb30f39be030021dea910ff9d 750614 doc optional 
tomcat8-docs_8.0.38-1_all.deb
 82ad07858f24f9bbafbda361fbc7797d 191216 java optional 
tomcat8-examples_8.0.38-1_all.deb
 a5d82e648a76d1450bbf840248296173 34328 java optional 
tomcat8-user_8.0.38-1_all.deb
 b9cbd2aeee7af627ba8d7105b946e266 45940 java optional tomcat8_8.0.38-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
[email protected] for discussions and questions.
