passenger 4.0.4 → 4.0.5

data.tar.gz.asc

@@ -2,11 +2,11 @@
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 
-iQEcBAABAgAGBQJRo8yCAAoJECrHRaUKISqMlDcH+gJX2c+V84Rj7ZqJDWegW3DL
-Ve1y0leJszFGTxU5IO8HdbqlPeJNeoBzIoLrzPxb4cOhGvhvoQLATsm4oPup1hG9
-ZXen2bpAdZL+e/r6CoVcK1Ft4PjVfBzBlF91SE1yAx1VCNexcTPbkXsBjZbFOujR
-oE5U5p2YgmydxQE6LjEG7ipNbEJrQrfQJ3l32L8OYAAmlBHWO2DFfm9UE6FPBUgj
-KXgUmFUHvnfrXuO+3KaV1L9YsWMUe/jo4QjafOS5jFoKh3jUjHz4bJfkcAeSR+eb
-/XxJor58BsuOX5IUOQj9koM2WZj8Tc18YHncY6pmG/o6jTlO9xKO9cotYwMYSKQ=
-=RoSQ
+iQEcBAABAgAGBQJRpgpHAAoJECrHRaUKISqMmNkIAIbfyHTRn7w8hubsVIbNhaTn
+wbgIkDW2N7y9RQXCtjiCp8niJB5J0nguVsrU+vykoEPcQ8YVsDeo2OMrnWqZOQ3Y
+k94g/ZDDXg+g9FkaQ/6U1B0au48qqwJVquBz6rL8awkgWd8yve6UAO9i5Oum3YWz
+tuj1abiJxxZOOKhu6lGSe51nephHG35BUh0eNtO/PQCDptfjNBnEmDTmZL1xs3GM
+W/lwx8q4AQJU4gpA31qtRDDP7GSL/2OKE0rBUfXSaMF88X3SotNr+ohZSUm6siHG
+4R2m469J8+RBNOnjNY6xILrrC+/WYM5G5GTKtjP8lwL6RD5xJ9JtyEOuYT0UrAc=
+=TDNl
 -----END PGP SIGNATURE-----

data/NEWS

@@ -1,3 +1,32 @@
+Release 4.0.5
+-------------
+
+ * [Standalone] Fixed a regression that prevented Passenger Standalone
+   from starting. Fixes issue #899.
+ * Fixed security vulnerability CVE-2013-2119.
+
+   Urgency: low
+   Scope: local exploit
+   Summary: denial of service and arbitrary code execution by hijacking temp files
+   Affected versions: all versions
+   Fixed versions: 3.0.21 and 4.0.5
+
+   Description:
+   Phusion Passenger's code did not always create temporary files and directories in a secure manner. Temporary files and directories were sometimes created with a predictable filename. A local attacker can pre-create temporary files, resulting in a denial of service. In addition, this vulnerability allows a local attacker to run arbitrary code as another user, by hijacking temporary files.
+
+   By pre-creating certain temporary files with certain permissions, attackers can prevent Passenger Standalone from starting (denial of service).
+
+   By pre-creating certain temporary files with certain other permissions, attackers can trick `passenger start` and the build system (which is invoked by `passenger-install-apache2-module`/`passenger-install-nginx-module`) to run arbitrary code. The user that the code is run as, is equal to the user that ran `passenger start` or the build system. Attacks of this nature have to be timed exactly right. The attacker must overwrite the file contents right after Phusion Passenger has created the file contents, but right before the file is used. In the context of `passenger start`, the vulnerable window begins right after Passenger Standalone has created the Nginx config file, and ends when Nginx has read the config file. Once Nginx has started and initialized, the system is no longer vulnerable. `passenger stop` and other Passenger Standalone commands besides `start` are not vulnerable. In the context of the build system, the vulnerable window begins when `passenger-install-apache2-module`/`passenger-install-nginx-module` prints its first dependency checking message, and ends when it prints the first compiler command.
+
+   Only the `passenger start` command, the `passenger-install-apache2-module` command and the `passenger-install-nginx-module` commands are vulnerable. Phusion Passenger for Apache and Phusion Passenger for Nginx (once they are installed) are not vulnerable.
+
+   Fixed versions:
+   3.0.21 and 4.0.5 have been released to address this issue.
+
+   Workaround:
+   You can use this workaround if you are unable to upgrade. Before invoking any Phusion Passenger command, set the `TMPDIR` environment variable to a directory that is not world-writable. Special care must be taken when you use sudo: sudo resets all environment variables, so you should either invoke sudo with `-E`, or you must set the environment variable after gaining root privileges with sudo.
+
+
 Release 4.0.4
 -------------
 
@@ -221,12 +250,16 @@ This is the first beta of Phusion Passenger 4. The changes are numerous.
  * Better relocatability without wasting space.
 
 
-Release 3.0.20
+Release 3.0.21
 --------------
 
  * Rebootstrapped the libev configure to fix compilation problems on Solaris 11.
  * Fixed support for RVM mixed mode installations. Fixes issue #828.
  * Fixed encoding problems in Phusion Passenger Standalone.
+ * Changed preferred Nginx version to 1.2.9.
+ * Catch exceptions raised by Rack application objects.
+ * Fix for CVE-2013-2119. Details can be found in the announcement for version 4.0.5.
+ * Version 3.0.20 was pulled because its fixes were incomplete.
 
 
 Release 3.0.19

data/bin/passenger-install-nginx-module

@@ -32,6 +32,7 @@ require 'optparse'
 require 'fileutils'
 require 'phusion_passenger/platform_info/ruby'
 require 'phusion_passenger/abstract_installer'
+require 'phusion_passenger/utils/tmpio'
 
 class Installer < PhusionPassenger::AbstractInstaller
 	include PhusionPassenger
@@ -122,14 +123,12 @@ class Installer < PhusionPassenger::AbstractInstaller
 	def before_install
 		super
 		myself = `whoami`.strip
-		@working_dir = "/tmp/#{myself}-passenger-#{Process.pid}"
-		FileUtils.rm_rf(@working_dir)
-		FileUtils.mkdir_p(@working_dir)
+		@working_dir = PhusionPassenger::Utils.mktmpdir("passenger.", PlatformInfo.tmpexedir)
 	end
 	
 	def after_install
 		super
-		FileUtils.rm_rf(@working_dir)
+		FileUtils.remove_entry_secure(@working_dir) if @working_dir
 	end
 
 private

data/build/common_library.rb

@@ -207,7 +207,8 @@ end
 # If you add a new shared definition file, don't forget to update
 # lib/phusion_passenger/packaging.rb!
 
-file 'ext/common/Constants.h' => ['ext/common/Constants.h.erb', 'lib/phusion_passenger/constants.rb'] do
+dependencies = ['ext/common/Constants.h.erb', 'lib/phusion_passenger.rb', 'lib/phusion_passenger/constants.rb']
+file 'ext/common/Constants.h' => dependencies do
 	require 'phusion_passenger/constants'
 	template = TemplateRenderer.new('ext/common/Constants.h.erb')
 	template.render_to('ext/common/Constants.h')

data/ext/common/Constants.h

@@ -70,7 +70,7 @@
 
 	#define PROCESS_SHUTDOWN_TIMEOUT_DISPLAY "1 minute"
 
-	#define PASSENGER_VERSION "4.0.3"
+	#define PASSENGER_VERSION "4.0.5"
 
 	#define SERVER_INSTANCE_DIR_STRUCTURE_MAJOR_VERSION 1
 

data/lib/phusion_passenger.rb

@@ -29,7 +29,7 @@ module PhusionPassenger
 	###### Version numbers ######
 	
 	PACKAGE_NAME = 'passenger'
-	VERSION_STRING = '4.0.4'
+	VERSION_STRING = '4.0.5'
 	
 	PREFERRED_NGINX_VERSION = '1.4.1'
 	NGINX_SHA256_CHECKSUM = 'bca5d1e89751ba29406185e1736c390412603a7e6b604f5b4575281f6565d119'

data/lib/phusion_passenger/admin_tools/server_instance.rb

@@ -111,7 +111,7 @@ class ServerInstance
 		instances = []
 		
 		Dir["#{AdminTools.tmpdir}/passenger.*"].each do |dir|
-			next if File.basename(dir) !~ /passenger\.#{PhusionPassenger::SERVER_INSTANCE_DIR_STRUCTURE_MAJOR_VERSION}\.(\d+)\.(\d+)\Z/
+			next if File.basename(dir) !~ /passenger\.#{PhusionPassenger::SERVER_INSTANCE_DIR_STRUCTURE_MAJOR_VERSION}\.(\d+)\.(.+)\Z/
 			minor = $1
 			next if minor.to_i > PhusionPassenger::SERVER_INSTANCE_DIR_STRUCTURE_MINOR_VERSION
 			

data/lib/phusion_passenger/constants.rb

@@ -67,5 +67,7 @@ module PhusionPassenger
 		FEEDBACK_FD = 3
 	end
 
-	include SharedConstants
+	SharedConstants.constants.each do |name|
+		const_set(name, SharedConstants.const_get(name)) unless const_defined? name
+	end
 end

data/lib/phusion_passenger/platform_info.rb

@@ -21,6 +21,8 @@
 #  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 #  THE SOFTWARE.
 
+require 'phusion_passenger/utils/tmpio'
+
 module PhusionPassenger
 
 # This module autodetects various platform-specific information, and
@@ -149,20 +151,18 @@ private
 	private_class_method :reindent
 
 	def self.create_temp_file(name, dir = tmpdir)
-		tag = "#{Process.pid}.#{Thread.current.object_id.to_s(16)}"
-		if name =~ /\./
-			ext = File.extname(name)
-			name = File.basename(name, ext) + "-#{tag}#{ext}"
-		else
-			name = "#{name}-#{tag}"
-		end
-		filename = "#{dir}/#{name}"
-		f = File.open(filename, "w")
-		begin
-			yield(filename, f)
-		ensure
-			f.close if !f.closed?
-			File.unlink(filename) if File.exist?(filename)
+		# This function is mostly used for compiling C programs to autodetect
+		# system properties. We create a secure temp subdirectory to prevent
+		# TOCTU attacks, especially because we don't know how the compiler
+		# handles this.
+		PhusionPassenger::Utils.mktmpdir("passenger.", dir) do |subdir|
+			filename = "#{subdir}/#{name}"
+			f = File.open(filename, "w")
+			begin
+				yield(filename, f)
+			ensure
+				f.close if !f.closed?
+			end
 		end
 	end
 	private_class_method :create_temp_file

data/lib/phusion_passenger/platform_info/apache.rb

@@ -279,16 +279,8 @@ module PlatformInfo
 	# headers are placed into the same directory as the Apache headers,
 	# and so 'apr-config' and 'apu-config' won't be necessary in that case.
 	def self.apr_config_needed_for_building_apache_modules?
-		filename = File.join("#{tmpexedir}/passenger-platform-check-#{Process.pid}.c")
-		File.open(filename, "w") do |f|
-			f.puts("#include <apr.h>")
-		end
-		begin
-			return !system("(gcc #{apache2_module_cflags(false)} -c '#{filename}' -o '#{filename}.o') >/dev/null 2>/dev/null")
-		ensure
-			File.unlink(filename) rescue nil
-			File.unlink("#{filename}.o") rescue nil
-		end
+		return !try_compile("whether APR is needed for building Apache modules",
+			:c, "#include <apr.h>\n", apache2_module_cflags(false))
 	end
 	memoize :apr_config_needed_for_building_apache_modules?
 

data/lib/phusion_passenger/standalone/command.rb

@@ -180,9 +180,15 @@ private
 	
 	def write_nginx_config_file
 		require 'phusion_passenger/platform_info/ruby'
-		ensure_directory_exists(@temp_dir)
+		require 'phusion_passenger/utils/tmpio'
+		@temp_dir        = PhusionPassenger::Utils.mktmpdir(
+			"passenger.#{SERVER_INSTANCE_DIR_STRUCTURE_MAJOR_VERSION}.#{SERVER_INSTANCE_DIR_STRUCTURE_MINOR_VERSION}.",
+			"/tmp")
+		@config_filename = "#{@temp_dir}/config"
+		location_config_filename = "#{@temp_dir}/locations.ini"
+		File.chmod(0755, @temp_dir)
 		
-		File.open(@location_config_filename, 'w') do |f|
+		File.open(location_config_filename, 'w') do |f|
 			f.puts '[locations]'
 			f.puts "natively_packaged=false"
 			f.puts "bin=#{PhusionPassenger.bin_dir}"
@@ -200,7 +206,7 @@ private
 			f.puts "apache2_module=#{PhusionPassenger.apache2_module_path}"
 			f.puts "ruby_extension_source=#{PhusionPassenger.ruby_extension_source_dir}"
 		end
-		puts File.read(@location_config_filename) if debugging?
+		puts File.read(location_config_filename) if debugging?
 		
 		File.open(@config_filename, 'w') do |f|
 			f.chmod(0644)
@@ -238,9 +244,6 @@ private
 	def create_nginx_controller(extra_options = {})
 		require_daemon_controller
 		require 'socket' unless defined?(UNIXSocket)
-		@temp_dir        = "/tmp/passenger.#{SERVER_INSTANCE_DIR_STRUCTURE_MAJOR_VERSION}.#{SERVER_INSTANCE_DIR_STRUCTURE_MINOR_VERSION}.#{$$}"
-		@config_filename = "#{@temp_dir}/config"
-		@location_config_filename = "#{@temp_dir}/locations.ini"
 		if @options[:socket_file]
 			ping_spec = [:unix, @options[:socket_file]]
 		else

data/lib/phusion_passenger/standalone/runtime_installer.rb

@@ -30,6 +30,7 @@ require 'phusion_passenger/common_library'
 require 'phusion_passenger/platform_info/ruby'
 require 'phusion_passenger/platform_info/binary_compatibility'
 require 'phusion_passenger/standalone/utils'
+require 'phusion_passenger/utils/tmpio'
 
 module PhusionPassenger
 module Standalone
@@ -199,16 +200,14 @@ protected
 	def before_install
 		super
 		@plugin.call_hook(:runtime_installer_start, self) if @plugin
-		@working_dir = "#{PlatformInfo.tmpexedir}/#{myself}-passenger-standalone-#{Process.pid}"
-		FileUtils.rm_rf(@working_dir)
-		FileUtils.mkdir_p(@working_dir)
+		@working_dir = PhusionPassenger::Utils.mktmpdir("passenger.", PlatformInfo.tmpexedir)
 		@download_binaries = true if !defined?(@download_binaries)
 		@binaries_url_root ||= STANDALONE_BINARIES_URL_ROOT
 	end
 
 	def after_install
 		super
-		FileUtils.rm_rf(@working_dir)
+		FileUtils.remove_entry_secure(@working_dir) if @working_dir
 		@plugin.call_hook(:runtime_installer_cleanup) if @plugin
 	end
 

data/lib/phusion_passenger/standalone/start_command.rb

@@ -105,7 +105,7 @@ class StartCommand < Command
 		end
 	ensure
 		if @temp_dir
-			FileUtils.rm_rf(@temp_dir) rescue nil
+			FileUtils.remove_entry_secure(@temp_dir) rescue nil
 		end
 		@plugin.call_hook(:cleanup)
 	end

data/lib/phusion_passenger/utils/tmpio.rb

@@ -29,5 +29,40 @@ class TmpIO < File
   end unless File.method_defined?(:size)
 end
 
+# Like Dir.mktmpdir, but creates shorter filenames.
+def self.mktmpdir(prefix_suffix=nil, tmpdir=nil)
+  case prefix_suffix
+  when nil
+    prefix = "d"
+    suffix = ""
+  when String
+    prefix = prefix_suffix
+    suffix = ""
+  when Array
+    prefix = prefix_suffix[0]
+    suffix = prefix_suffix[1]
+  else
+    raise ArgumentError, "unexpected prefix_suffix: #{prefix_suffix.inspect}"
+  end
+  tmpdir ||= Dir.tmpdir
+  begin
+    path = "#{tmpdir}/#{prefix}#{rand(0x100000000).to_s(36)}"
+    path << suffix
+    Dir.mkdir(path, 0700)
+  rescue Errno::EEXIST
+    retry
+  end
+
+  if block_given?
+    begin
+      yield path
+    ensure
+      FileUtils.remove_entry_secure path
+    end
+  else
+    path
+  end
+end
+
 end # module Utils
 end # module PhusionPassenger

data/resources/templates/standalone/config.erb

@@ -10,10 +10,12 @@ worker_processes 1;
 daemon on;
 error_log '<%= @options[:log_file] %>' <% if debugging? %>info<% end %>;
 pid '<%= @options[:pid_file] %>';
-<% if @options[:user] %>
-    user <%= @options[:user] %> <%= default_group_for(@options[:user]) %>;
-<% else %>
-    user <%= current_user %> <%= default_group_for(current_user) %>;
+<% if Process.euid == 0 %>
+    <% if @options[:user] %>
+        user <%= @options[:user] %> <%= default_group_for(@options[:user]) %>;
+    <% else %>
+        user <%= current_user %> <%= default_group_for(current_user) %>;
+    <% end %>
 <% end %>
 
 events {
@@ -24,7 +26,7 @@ http {
     log_format debug '[$time_local] $msec  "$request" $status conn=$connection sent=$bytes_sent body_sent=$body_bytes_sent';
     include '<%= PhusionPassenger.resources_dir %>/mime.types';
     passenger_ruby <%= PlatformInfo.ruby_command %>;
-    passenger_root '<%= @location_config_filename %>';
+    passenger_root '<%= location_config_filename %>';
     passenger_ctl server_instance_dir '<%= @temp_dir %>';
     passenger_abort_on_startup_error on;
     passenger_user_switching off;

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: passenger
 version: !ruby/object:Gem::Version
-  version: 4.0.4
+  version: 4.0.5
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-27 00:00:00.000000000 Z
+date: 2013-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake

metadata.gz.asc

@@ -2,11 +2,11 @@
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 
-iQEcBAABAgAGBQJRo8yCAAoJECrHRaUKISqMSDkH/RxWUudgepdJIx2wDNN1YwMG
-QiHESwcQu9ZcgtSdHsc6BeexfFRTKs8PUatUHikJoOtZI4AOIpozk6RWC+qxC5uO
-5OetfgbH1sDc+TnwJP2Ev49DEcNFAvbSTC5/dw6c8yvACwiwU/uwI+6RDIZ1B0kT
-F2iq6LIqxtRsOdd8RWPDnFkrgA9YWtHwcjbXxG3mrL/i2pYghkRukKEkmDpR7P6a
-6SV6wtqWm2IfcGskLIEd/rGNKnZUiRRpLTjY5wuxArUJSr6h6J5W0c9XOv3xQSHL
-d40LIN7xtSZ5Ju/1K1G+6E+UZwrM0JVyN8td7wbQKLYX+449/WbAwJJueuG3wBQ=
-=kL76
+iQEcBAABAgAGBQJRpgpHAAoJECrHRaUKISqMaUsH/36pNJGxryARsxpddPgRmhUh
+iilOVBDcfD8kun8/OUdfaAdabr3AXsRJsTzYAeac7SM+6FQ2h7rPKOK4eyQCICPm
+bgJ82TXu/TGbiSvzXrNGTg8Lx+xg0p+kv8jhbLN5zZoXFVPbFv0O6A6T8ExU7Fbr
+qNJPFAMdnIN2X4qx6wbCz8mcUDuq8LrQ7wp85+WrsvTam9t6H3MHEnrewC25DTrD
+hlay1dc7o1rb98Skz16rLdoPMiAO7VpBHzxpRBnarnnS0okHNLKzmNEyLGEwuUwj
+WTptq1vvism04T/tY0+m0RZvc8Ev58ydWH6O2ZsI3M6Zu5iZkWqtBj+jU0oZcZQ=
+=nU+e
 -----END PGP SIGNATURE-----