Your message dated Wed, 23 Nov 2016 19:32:10 +0000
with message-id <e1c9dh8-0002t7...@fasolo.debian.org>
and subject line Bug#840685: fixed in tomcat8 8.0.14-1+deb8u4
has caused the Debian Bug report #840685,
regarding TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
840685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tomcat8
Version: 8.0.14-1+deb8u3
Severity: critical
Tags: security
Justification: root security hole


[ I contacted t...@security.debian.org about this, but no response ... ]

Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:

...
NAME=tomcat8
...
JVM_TMP=/tmp/tomcat8-$NAME-tmp
...
                # Remove / recreate JVM_TMP directory
                rm -rf "$JVM_TMP"
                mkdir -p "$JVM_TMP" || {
                        log_failure_msg "could not create JVM temporary directory"
                        exit 1
                }
                chown $TOMCAT8_USER "$JVM_TMP"
...

That suffers from a TOCTOU race condition.

An attacker can, after the "rm -rf", create a symlink to /etc. Then
"mkdir -p" returns success (though does nothing); and chown follows
the symlink. That is "game over": ability to replace /etc/passwd.

The attacker can use inotify and act quickly, and have a good chance
of winning the race to create the symlink before the init.d script
starts a new mkdir process.

Do you need some working PoC code?

---

The script should be made more robust by using "chown -h". (This would
protect against the above attack.)

The script should use plain mkdir without "-p": not needed as we create
a single directory, and should not be used to let mkdir return failure.
(This may make it safe.)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.36-pk07.24-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common         8.0.14-1+deb8u3
ii  ucf                    3.0030

Versions of packages tomcat8 recommends:
pn  authbind  <none>

Versions of packages tomcat8 suggests:
pn  libtcnative-1     <none>
pn  tomcat8-admin     <none>
pn  tomcat8-docs      <none>
pn  tomcat8-examples  <none>
pn  tomcat8-user      <none>

-- Configuration Files:
/etc/init.d/tomcat8 changed [not included]
/etc/tomcat8/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat8/catalina.properties'
/etc/tomcat8/context.xml [Errno 13] Permission denied: u'/etc/tomcat8/context.xml'
/etc/tomcat8/logging.properties [Errno 13] Permission denied: u'/etc/tomcat8/logging.properties'
/etc/tomcat8/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/01system.policy'
/etc/tomcat8/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/02debian.policy'
/etc/tomcat8/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/03catalina.policy'
/etc/tomcat8/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/04webapps.policy'
/etc/tomcat8/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/50local.policy'
/etc/tomcat8/server.xml [Errno 13] Permission denied: u'/etc/tomcat8/server.xml'
/etc/tomcat8/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat8/tomcat-users.xml'
/etc/tomcat8/web.xml [Errno 13] Permission denied: u'/etc/tomcat8/web.xml'

-- debconf information excluded

--- End Message ---
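A hardened version of the JVM_TMP creation step, written as an added example for this thread (it is not the Debian init script and not Paul's proposed patch, though it applies both of his suggestions: plain mkdir without -p, and chown -h). The function names, the 0700 mode and the scratch directory are assumptions of this example. The point it demonstrates: mkdir without -p refuses to proceed when anything already sits at the path, so a planted symlink makes the script fail closed instead of handing its target to chown.

```shell
#!/bin/sh
# Added example, not the Debian tomcat8 init script. Hardened replacement for:
#   rm -rf "$JVM_TMP"; mkdir -p "$JVM_TMP" || ...; chown $TOMCAT8_USER "$JVM_TMP"
#
# create_owned_dir DIR OWNER  - create DIR (must not exist) and chown it to OWNER.
# Returns 0 on success, 1 if DIR could not be created (e.g. something was
# already there, such as a symlink planted between rm -rf and mkdir).
create_owned_dir() {
    dir=$1
    owner=$2
    # No -p: mkdir then fails on ANY pre-existing entry, including a symlink
    # whose target is a directory (mkdir -p would report success for that).
    # Mode 0700 is an assumption of this example: the JVM temp dir is private.
    if ! mkdir -m 0700 "$dir" 2>/dev/null; then
        echo "could not create JVM temporary directory" >&2
        return 1
    fi
    # -h: change the owner of the path entry itself and never dereference it,
    # so even a symlink at $dir cannot redirect the chown to its target.
    chown -h "$owner" "$dir"
}

# make_jvm_tmp DIR OWNER - the full "remove / recreate" step of the init script.
make_jvm_tmp() {
    # rm -rf on a symlink removes only the link, not what it points to.
    rm -rf "$1"
    create_owned_dir "$1" "$2"
}

# Stand-alone demonstration in a private scratch directory (constructed here).
demo() {
    scratch=$(mktemp -d)
    me=$(id -un)
    make_jvm_tmp "$scratch/jvm" "$me" && echo "created: $scratch/jvm"
    # Simulate the raced state: an attacker-controlled symlink already at the path.
    mkdir "$scratch/decoy" && ln -s "$scratch/decoy" "$scratch/raced"
    if create_owned_dir "$scratch/raced" "$me"; then
        echo "BUG: accepted a pre-existing symlink"
    else
        echo "refused: $scratch/raced already existed (symlink), chown never ran"
    fi
    rm -rf "$scratch"
}
```

For comparison, `mkdir -p "$scratch/raced"` on that same symlink exits 0, which is exactly the behaviour the report describes.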
--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.14-1+deb8u4

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 17 Nov 2016 09:00:15 +0100
Source: tomcat8
Binary: tomcat8-common tomcat8 tomcat8-user libtomcat8-java libservlet3.1-java libservlet3.1-java-doc tomcat8-admin tomcat8-examples tomcat8-docs
Architecture: source all
Version: 8.0.14-1+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libservlet3.1-java - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API classes
 libservlet3.1-java-doc - Servlet 3.1, JSP 2.3, EL 3.0 and WebSocket 1.0 Java API documenta
 libtomcat8-java - Apache Tomcat 8 - Servlet and JSP engine -- core libraries
 tomcat8    - Apache Tomcat 8 - Servlet and JSP engine
 tomcat8-admin - Apache Tomcat 8 - Servlet and JSP engine -- admin web application
 tomcat8-common - Apache Tomcat 8 - Servlet and JSP engine -- common files
 tomcat8-docs - Apache Tomcat 8 - Servlet and JSP engine -- documentation
 tomcat8-examples - Apache Tomcat 8 - Servlet and JSP engine -- example web applicati
 tomcat8-user - Apache Tomcat 8 - Servlet and JSP engine -- tools to create user
Closes: 840685
Changes:
 tomcat8 (8.0.14-1+deb8u4) jessie-security; urgency=medium
 .
   * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
     password if the supplied user name did not exist. This made a timing attack
     possible to determine valid user names.
   * Fixed CVE-2016-5018: A malicious web application was able to bypass
     a configured SecurityManager via a Tomcat utility method that was
     accessible to web applications.
   * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
     application's ability to read system properties should be controlled by
     the SecurityManager. Tomcat's system property replacement feature for
     configuration files could be used by a malicious web application to bypass
     the SecurityManager and read system properties that should not be visible.
   * Fixed CVE-2016-6796: A malicious web application was able to bypass
     a configured SecurityManager via manipulation of the configuration
     parameters for the JSP Servlet.
   * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
     access to global JNDI resources to those resources explicitly linked to the
     web application. Therefore, it was possible for a web application to access
     any global JNDI resource whether an explicit ResourceLink had been
     configured or not.
   * CVE-2016-1240 follow-up:
     - The previous init.d fix was vulnerable to a race condition that could
       be exploited to make any existing file writable by the tomcat user.
       Thanks to Paul Szabo for the report and the fix.
     - The catalina.policy file generated on startup was affected by a similar
       vulnerability that could be exploited to overwrite any file on the system.
       Thanks to Paul Szabo for the report.
   * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)
Checksums-Sha1:
Checksums-Sha256:
Files:


--- End Message ---
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.