Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
rubygem-passenger.7794
CVE-2018-12029.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2018-12029.patch of Package rubygem-passenger.7794
From 207870f5b7f5cc240587ab0977d6046782ae1d86 Mon Sep 17 00:00:00 2001 From: Camden Narzt <c.narzt@me.com> Date: Mon, 14 May 2018 08:34:12 -0600 Subject: [PATCH] Fix privilege escalation in the Nginx module The vulnerability is exploitable with a non-standard passenger_instance_registry_dir, via a race condition where after a file was created, it was chowned via the path not the file descriptor. The chown entered the code in 2010, so Passenger 4 + 5 all affected. --- src/nginx_module/ngx_http_passenger_module.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) Index: ext/nginx/ngx_http_passenger_module.c =================================================================== --- ext/nginx/ngx_http_passenger_module.c.orig 2018-06-19 13:23:14.948527690 +0200 +++ ext/nginx/ngx_http_passenger_module.c 2018-06-19 13:56:16.452864245 +0200 @@ -204,7 +204,7 @@ starting_watchdog_after_fork(void *arg) } static ngx_int_t -create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len) { +create_file(ngx_cycle_t *cycle, const u_char *filename, const u_char *contents, size_t len, uid_t uid, gid_t gid) { FILE *f; int ret; size_t total_written = 0, written; @@ -219,6 +219,9 @@ create_file(ngx_cycle_t *cycle, const u_ ret = fchmod(fileno(f), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); } while (ret == -1 && errno == EINTR); do { + ret = fchown(fileno(f), uid, gid); + } while (ret == -1 && errno == EINTR); + do { written = fwrite(contents + total_written, 1, len - total_written, f); total_written += written; @@ -346,13 +349,10 @@ start_watchdog(ngx_cycle_t *cycle) { "%s/web_server_control_process.pid", pp_agents_starter_get_instance_dir(pp_agents_starter, NULL)); *last = (u_char) '\0'; - if (create_file(cycle, filename, (const u_char *) "", 0) != NGX_OK) { + if (create_file(cycle, filename, (const u_char *) "", 0, (uid_t) core_conf->user, (gid_t) -1) != NGX_OK) { result = NGX_ERROR; goto cleanup; } - do { - ret = chown((const char *) filename, (uid_t) core_conf->user, (gid_t) -1); - } while (ret == -1 && errno == EINTR); if (ret == -1) { result = NGX_ERROR; goto cleanup;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor