Fix security bug 477462 with a fix backported in redhat bug 985633.

(Portage version: 2.2.1/cvs/Linux x86_64, signed Manifest commit with key 0x8883FA56A308A8D7!)

3 files changed, 247 insertions, 1 deletions

diff --git a/www-apache/passenger/ChangeLog b/www-apache/passenger/ChangeLog
index 3748e1f5cef4..1f9c72eb0a1e 100644
--- a/www-apache/passenger/ChangeLog
+++ b/www-apache/passenger/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for www-apache/passenger
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apache/passenger/ChangeLog,v 1.70 2013/10/05 13:29:23 graaff Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apache/passenger/ChangeLog,v 1.71 2013/10/05 14:17:38 graaff Exp $
+
+*passenger-3.0.21-r1 (05 Oct 2013)
+
+  05 Oct 2013; Hans de Graaff <graaff@gentoo.org> +passenger-3.0.21-r1.ebuild,
+  +files/passenger-3.0.21-temp-file-usage.patch:
+  Fix security bug 477462 with a fix backported in redhat bug 985633.
 
 *passenger-4.0.18 (05 Oct 2013)
 
diff --git a/www-apache/passenger/files/passenger-3.0.21-temp-file-usage.patch b/www-apache/passenger/files/passenger-3.0.21-temp-file-usage.patch
new file mode 100644
index 000000000000..54f227f78c6b
--- /dev/null
+++ b/www-apache/passenger/files/passenger-3.0.21-temp-file-usage.patch
@@ -0,0 +1,140 @@
+--- passenger-release-3.0.21.orig/ext/common/LoggingAgent/Main.cpp	2013-05-29 07:09:31.000000000 -0500
++++ passenger-release-3.0.21.orig/ext/common/LoggingAgent/Main.cpp	2013-07-18 09:35:47.514433743 -0500
+@@ -265,11 +265,6 @@ main(int argc, char *argv[]) {
+ 		ev::sig sigtermWatcher(eventLoop);
+ 		ev::sig sigquitWatcher(eventLoop);
+ 		
+-		if (feedbackFdAvailable()) {
+-			feedbackFdWatcher.set<&feedbackFdBecameReadable>();
+-			feedbackFdWatcher.start(FEEDBACK_FD, ev::READ);
+-			writeArrayMessage(FEEDBACK_FD, "initialized", NULL);
+-		}
+ 		sigintWatcher.set<&caughtExitSignal>();
+ 		sigintWatcher.start(SIGINT);
+ 		sigtermWatcher.set<&caughtExitSignal>();
+@@ -281,6 +276,11 @@ main(int argc, char *argv[]) {
+ 		/********** Initialized! Enter main loop... **********/
+ 		
+ 		P_DEBUG("Logging agent online, listening at " << socketAddress);
++		if (feedbackFdAvailable()) {
++			feedbackFdWatcher.set<&feedbackFdBecameReadable>();
++			feedbackFdWatcher.start(FEEDBACK_FD, ev::READ);
++			writeArrayMessage(FEEDBACK_FD, "initialized", NULL);
++		}
+ 		ev_loop(eventLoop, 0);
+ 		return exitCode;
+ 	} catch (const tracable_exception &e) {
+--- passenger-release-3.0.21.orig/ext/common/ServerInstanceDir.h	2013-05-29 07:09:31.000000000 -0500
++++ passenger-release-3.0.21.orig/ext/common/ServerInstanceDir.h	2013-07-18 09:38:54.431808622 -0500
+@@ -30,6 +30,7 @@ 
+ #include <oxt/backtrace.hpp>
+ 
+ #include <sys/types.h>
++#include <sys/stat.h>
+ #include <dirent.h>
+ #include <unistd.h>
+ #include <pwd.h>
+@@ -38,6 +39,7 @@ 
+ #include <cstring>
+ #include <string>
+ 
++#include <Logging.h> 
+ #include "Exceptions.h"
+ #include "Utils.h"
+ #include "Utils/StrIntUtils.h"
+@@ -217,7 +219,69 @@ private:
+ 		 * rights though, because we want admin tools to be able to list the available
+ 		 * generations no matter what user they're running as.
+ 		 */
+-		makeDirTree(path, "u=rwxs,g=rx,o=rx");
++		if (owner) {
++			switch (getFileType(path)) {
++			case FT_NONEXISTANT:
++				createDirectory(path);
++				break;
++			case FT_DIRECTORY:
++				verifyDirectoryPermissions(path);
++				break;
++			default:
++				throw RuntimeException("'" + path + "' already exists, and is not a directory");
++			}
++		} else if (getFileType(path) != FT_DIRECTORY) {
++			throw RuntimeException("Server instance directory '" + path +
++				"' does not exist");
++		}
++	}
++
++	void createDirectory(const string &path) const {
++		// We do not use makeDirTree() here. If an attacker creates a directory
++		// just before we do, then we want to abort because we want the directory
++		// to have specific permissions.
++		if (mkdir(path.c_str(), parseModeString("u=rwx,g=rx,o=rx")) == -1) {
++			int e = errno;
++			throw FileSystemException("Cannot create server instance directory '" +
++				path + "'", e, path);
++		}
++		// verifyDirectoryPermissions() checks for the owner/group so we must make
++		// sure the server instance directory has that owner/group, even when the
++		// parent directory has setgid on.
++		if (chown(path.c_str(), geteuid(), getegid()) == -1) {
++			int e = errno;
++			throw FileSystemException("Cannot change the permissions of the server "
++				"instance directory '" + path + "'", e, path);
++		}
++	}
++
++	/**
++	 * When reusing an existing server instance directory, check permissions
++	 * so that an attacker cannot pre-create a directory with too liberal
++	 * permissions.
++	 */
++	void verifyDirectoryPermissions(const string &path) {
++		TRACE_POINT();
++		struct stat buf;
++
++		if (stat(path.c_str(), &buf) == -1) {
++			int e = errno;
++			throw FileSystemException("Cannot stat() " + path, e, path);
++		} else if (buf.st_mode != (S_IFDIR | parseModeString("u=rwx,g=rx,o=rx"))) {
++			throw RuntimeException("Tried to reuse existing server instance directory " +
++				path + ", but it has wrong permissions");
++		} else if (buf.st_uid != geteuid() || buf.st_gid != getegid()) {
++			/* The server instance directory is always created by the Watchdog. Its UID/GID never
++			 * changes because:
++			 * 1. Disabling user switching only lowers the privilege of the HelperAgent.
++			 * 2. For the UID/GID to change, the web server must be completely restarted
++			 *    (not just graceful reload) so that the control process can change its UID/GID.
++			 *    This causes the PID to change, so that an entirely new server instance
++			 *    directory is created.
++			 */
++			throw RuntimeException("Tried to reuse existing server instance directory " +
++				path + ", but it has wrong owner and group");
++		}
+ 	}
+ 	
+ 	bool isDirectory(const string &dir, struct dirent *entry) const {
+--- passenger-release-3.0.21.orig/NEWS	2013-05-29 07:09:31.000000000 -0500
++++ passenger-release-3.0.21.orig/NEWS	2013-07-18 08:58:30.943558375 -0500
+@@ -8,6 +8,7 @@ Release 3.0.21
+  * Catch exceptions raised by Rack application objects.
+  * Fix for CVE-2013-2119. Details can be found in the announcement for version 4.0.5.
+  * Version 3.0.20 was pulled because its fixes were incomplete.
++ * Fix for CVE-2013-4136. Details can be found in the announcement for version 4.0.8.
+ 
+ 
+ Release 3.0.19
+--- passenger-release-3.0.21.orig/test/cxx/ServerInstanceDirTest.cpp	2013-05-29 07:09:31.000000000 -0500
++++ passenger-release-3.0.21.orig/test/cxx/ServerInstanceDirTest.cpp	2013-07-18 09:09:50.898433782 -0500
+@@ -73,9 +73,11 @@ namespace tut {
+ 	}
+ 	
+ 	TEST_METHOD(5) {
+-		// The destructor doesnn't remove the server instance directory if it
++		// The destructor doesn't remove the server instance directory if it
+ 		// wasn't created with the ownership flag or if it's been detached.
+ 		string path, path2;
++		makeDirTree(parentDir + "/passenger-test.1234");
++		makeDirTree(parentDir + "/passenger-test.5678");
+ 		{
+ 			ServerInstanceDir dir(1234, parentDir, false);
+ 			ServerInstanceDir dir2(5678, parentDir);
diff --git a/www-apache/passenger/passenger-3.0.21-r1.ebuild b/www-apache/passenger/passenger-3.0.21-r1.ebuild
new file mode 100644
index 000000000000..95872631a5a2
--- /dev/null
+++ b/www-apache/passenger/passenger-3.0.21-r1.ebuild
@@ -0,0 +1,100 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apache/passenger/passenger-3.0.21-r1.ebuild,v 1.1 2013/10/05 14:17:38 graaff Exp $
+
+EAPI=5
+USE_RUBY="ruby18 ruby19"
+
+inherit apache-module flag-o-matic ruby-ng toolchain-funcs
+
+DESCRIPTION="Passenger (a.k.a. mod_rails) makes deployment of Ruby on Rails applications a breeze"
+HOMEPAGE="http://modrails.com/"
+SRC_URI="mirror://rubyforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="debug doc"
+
+ruby_add_bdepend "dev-ruby/rake"
+
+ruby_add_rdepend "
+	>=dev-ruby/daemon_controller-1.0.0
+	>=dev-ruby/rack-1.0.0"
+
+USE_RUBY="ruby18" ruby_add_rdepend ">=dev-ruby/fastthread-1.0.1"
+
+CDEPEND=">=dev-libs/libev-3.90 net-misc/curl[ssl]"
+
+RDEPEND="${RDEPEND} ${CDEPEND}"
+DEPEND="${DEPEND} ${CDEPEND}
+	doc? ( >=app-text/asciidoc-8.6.5[highlight] )"
+
+APACHE2_MOD_CONF="30_mod_${PN}-2.0.1 30_mod_${PN}"
+APACHE2_MOD_DEFINE="PASSENGER"
+
+REQUIRED_USE+=" ruby_targets_ruby18? ( !ruby_targets_ruby19 )
+	ruby_targets_ruby19? ( !ruby_targets_ruby18 )"
+
+need_apache2
+
+pkg_setup() {
+	use debug && append-flags -DPASSENGER_DEBUG
+}
+
+all_ruby_prepare() {
+	epatch "${FILESDIR}"/${PN}-3.0.8-gentoo.patch
+	epatch "${FILESDIR}"/${PN}-3.0.12-ldflags.patch
+	epatch "${FILESDIR}"/${P}-temp-file-usage.patch
+
+	# Change these with sed instead of a patch so that we can easily use
+	# the toolchain-funcs methods.
+	sed -i -e "s/gcc/$(tc-getCC)/" -e "s/g++/$(tc-getCXX)/" build/config.rb || die
+
+	# Use sed here so that we can dynamically set the documentation directory.
+	sed -i -e "s:/usr/share/doc/phusion-passenger:/usr/share/doc/${P}:" \
+		-e "s:/usr/lib/apache2/modules/mod_passenger.so:${APACHE_MODULESDIR}/mod_passenger.so:" \
+		-e "s:/usr/lib/phusion-passenger/agents:/usr/libexec/phusion-passenger/agents:" \
+		lib/phusion_passenger.rb || die
+	sed -i -e "s:/usr/lib/phusion-passenger/agents:/usr/libexec/phusion-passenger/agents:" ext/common/ResourceLocator.h || die
+
+	# Don't install a tool that won't work in our setup.
+	sed -i -e '/passenger-install-apache2-module/d' lib/phusion_passenger/packaging.rb || die
+	rm -f bin/passenger-install-apache2-module || die "Unable to remove unneeded install script."
+
+	# Make sure we use the system-provided version.
+	rm -rf ext/libev || die "Unable to remove vendored libev."
+
+	# fix automagic use of asciidoc, bug 413469
+	sed -i -e '/fakeroot/ s/+ Packaging::ASCII_DOCS//' build/packaging.rb || die
+
+	# The gempackagetask does not work with rubygems 2.0, but we don't
+	# need it the changed builder component.
+	sed -i -e '/rubygems\/builder/ s:^:#:' build/gempackagetask.rb || die
+}
+
+each_ruby_compile() {
+	append-flags -fno-strict-aliasing
+
+	APXS2="${APXS}" \
+	HTTPD="${APACHE_BIN}" \
+	USE_VENDORED_LIBEV="no" LIBEV_LIBS="-lev" \
+	rake apache2 native_support || die "rake failed"
+
+	if use doc; then
+		rake doc || die "rake doc failed"
+	fi
+}
+
+each_ruby_install() {
+	DISTDIR="${D}" \
+	APXS2="${APXS}" \
+	HTTPD="${APACHE_BIN}" \
+	USE_VENDORED_LIBEV="no" LIBEV_LIBS="-lev" \
+	rake fakeroot || die "rake failed"
+
+	# TODO: this will create a mess when multiple RUBY_TARGETS have been
+	# selected.
+	APACHE2_MOD_FILE="${S}/ext/apache2/mod_${PN}.so"
+	apache-module_src_install
+}