Bug#840685: marked as done (TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory)
Your message dated Wed, 23 Nov 2016 19:32:10 +
with message-id and subject line Bug#840685: fixed in tomcat8 8.0.14-1+deb8u4
has caused the Debian Bug report #840685,
regarding TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
840685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: tomcat8
Version: 8.0.14-1+deb8u3
Severity: critical
Tags: security
Justification: root security hole

[ I contacted t...@security.debian.org about this, but no response ... ]

Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:

  ...
  NAME=tomcat8
  ...
  JVM_TMP=/tmp/tomcat8-$NAME-tmp
  ...
  # Remove / recreate JVM_TMP directory
  rm -rf "$JVM_TMP"
  mkdir -p "$JVM_TMP" || {
      log_failure_msg "could not create JVM temporary directory"
      exit 1
  }
  chown $TOMCAT8_USER "$JVM_TMP"
  ...

That suffers from a TOCTOU race condition. An attacker can, after the
"rm -rf", create a symlink to /etc. Then "mkdir -p" returns success
(though does nothing); and chown follows the symlink. That is "game
over": ability to replace /etc/passwd.

The attacker can use inotify and act quickly, and have a good chance of
winning the race to create the symlink before the init.d script starts
a new mkdir process.

Do you need some working PoC code?

---

The script should be made more robust by using "chown -h".
(This would protect against the above attack.)

The script should use plain mkdir without "-p": not needed as we create
a single directory, and should not be used to let mkdir return failure.
(This may make it safe.)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.36-pk07.24-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common         8.0.14-1+deb8u3
ii  ucf                    3.0030

Versions of packages tomcat8 recommends:
pn  authbind

Versions of packages tomcat8 suggests:
pn  libtcnative-1
pn  tomcat8-admin
pn  tomcat8-docs
pn  tomcat8-examples
pn  tomcat8-user

-- Configuration Files:
/etc/init.d/tomcat8 changed [not included]
/etc/tomcat8/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat8/catalina.properties'
/etc/tomcat8/context.xml [Errno 13] Permission denied: u'/etc/tomcat8/context.xml'
/etc/tomcat8/logging.properties [Errno 13] Permission denied: u'/etc/tomcat8/logging.properties'
/etc/tomcat8/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/01system.policy'
/etc/tomcat8/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/02debian.policy'
/etc/tomcat8/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/03catalina.policy'
/etc/tomcat8/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/04webapps.policy'
/etc/tomcat8/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/50local.policy'
/etc/tomcat8/server.xml [Errno 13] Permission denied: u'/etc/tomcat8/server.xml'
/etc/tomcat8/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat8/tomcat-users.xml'
/etc/tomcat8/web.xml [Errno 13] Permission denied: u'/etc/tomcat8/web.xml'

-- debconf information excluded
--- End Message ---

--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.14-1+deb8u4

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 840...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you
Bug#840685: marked as done (TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory)
Your message dated Wed, 19 Oct 2016 10:40:37 +
with message-id and subject line Bug#840685: fixed in tomcat8 8.0.38-1
has caused the Debian Bug report #840685,
regarding TOCTOU race condition in initscript on chown'ing JVM_TMP temporary directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
840685: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840685
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: tomcat8
Version: 8.0.14-1+deb8u3
Severity: critical
Tags: security
Justification: root security hole

[ I contacted t...@security.debian.org about this, but no response ... ]

Recently DSA-3670 was released, and /etc/init.d/tomcat8 modified so:

  ...
  NAME=tomcat8
  ...
  JVM_TMP=/tmp/tomcat8-$NAME-tmp
  ...
  # Remove / recreate JVM_TMP directory
  rm -rf "$JVM_TMP"
  mkdir -p "$JVM_TMP" || {
      log_failure_msg "could not create JVM temporary directory"
      exit 1
  }
  chown $TOMCAT8_USER "$JVM_TMP"
  ...

That suffers from a TOCTOU race condition. An attacker can, after the
"rm -rf", create a symlink to /etc. Then "mkdir -p" returns success
(though does nothing); and chown follows the symlink. That is "game
over": ability to replace /etc/passwd.

The attacker can use inotify and act quickly, and have a good chance of
winning the race to create the symlink before the init.d script starts
a new mkdir process.

Do you need some working PoC code?

---

The script should be made more robust by using "chown -h".
(This would protect against the above attack.)

The script should use plain mkdir without "-p": not needed as we create
a single directory, and should not be used to let mkdir return failure.
(This may make it safe.)

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.36-pk07.24-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common         8.0.14-1+deb8u3
ii  ucf                    3.0030

Versions of packages tomcat8 recommends:
pn  authbind

Versions of packages tomcat8 suggests:
pn  libtcnative-1
pn  tomcat8-admin
pn  tomcat8-docs
pn  tomcat8-examples
pn  tomcat8-user

-- Configuration Files:
/etc/init.d/tomcat8 changed [not included]
/etc/tomcat8/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat8/catalina.properties'
/etc/tomcat8/context.xml [Errno 13] Permission denied: u'/etc/tomcat8/context.xml'
/etc/tomcat8/logging.properties [Errno 13] Permission denied: u'/etc/tomcat8/logging.properties'
/etc/tomcat8/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/01system.policy'
/etc/tomcat8/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/02debian.policy'
/etc/tomcat8/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/03catalina.policy'
/etc/tomcat8/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/04webapps.policy'
/etc/tomcat8/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat8/policy.d/50local.policy'
/etc/tomcat8/server.xml [Errno 13] Permission denied: u'/etc/tomcat8/server.xml'
/etc/tomcat8/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat8/tomcat-users.xml'
/etc/tomcat8/web.xml [Errno 13] Permission denied: u'/etc/tomcat8/web.xml'

-- debconf information excluded
--- End Message ---

--- Begin Message ---
Source: tomcat8
Source-Version: 8.0.38-1

We believe that the bug you reported is fixed in the latest version of
tomcat8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 840...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg (supplier of updated tomcat8 package)

(This message was generated automatically at their request; if you believe that
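
Added example, not part of the bug report or of the Debian package: the rm/mkdir/chown sequence quoted in the report beside a variant that applies its two suggestions (plain mkdir, "chown -h"), run against a symlink that appears between the rm and the mkdir. The function names, the hook argument and every path are assumptions made for this illustration, and everything happens inside a mktemp sandbox.

```shell
#!/bin/sh
# Added illustration; function names, the hook argument and all paths are
# hypothetical and confined to a mktemp sandbox.

# Sequence quoted in the report. "mkdir -p" reports success when the path
# already exists as a directory or as a symlink to one, and plain chown
# dereferences symlinks, so a path swapped in after "rm -rf" is accepted.
recreate_weak() {
    dir=$1 owner=$2 hook=${3:-:}
    rm -rf "$dir"
    $hook "$dir"                  # stands in for a concurrent process
    mkdir -p "$dir" || return 1
    chown "$owner" "$dir"
}

# The report's two suggestions: plain mkdir fails with EEXIST on anything
# already at the path, and "chown -h" acts on a symlink itself.
recreate_hardened() {
    dir=$1 owner=$2 hook=${3:-:}
    rm -rf "$dir"
    $hook "$dir"
    mkdir "$dir" || return 1
    chown -h "$owner" "$dir"
}

# Constructed race winner: puts a symlink to $DECOY at the path.
plant_symlink() { ln -s "$DECOY" "$1"; }

demo() {
    sandbox=$(mktemp -d) || return 1
    DECOY=$sandbox/decoy
    mkdir "$DECOY"
    me=$(id -u)
    weak=rejected hard=rejected
    recreate_weak "$sandbox/jvm-tmp" "$me" plant_symlink && weak=accepted
    rm -f "$sandbox/jvm-tmp"
    recreate_hardened "$sandbox/jvm-tmp" "$me" plant_symlink 2>/dev/null && hard=accepted
    rm -rf "$sandbox"
    echo "weak sequence: symlink $weak; hardened sequence: symlink $hard"
}

demo
```

In the hardened form a pre-existing path makes the function return non-zero, so the caller stops before any ownership change is attempted.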