Package: libapache2-mod-wsgi
Version: 3.3-4
Severity: critical
Tags: security
Justification: root security hole

Dear Maintainer,

as far as I can tell, CVE-2014-0240 affects the stable package of
mod-wsgi. The patch provided by the mod-wsgi team applies with fuzzing
to the source shipped by Debian. If a kernel >= 2.6.0 and < 3.1.0 is
installed, this issue might allow local privilege escalation.



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


-- 
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Registered office: Weiterstadt, Darmstadt District Court: HRB8649
Managing directors: Oliver Michel, Sven Walther

commit d9d5fea585b23991f76532a9b07de7fcd3b649f4
Author: Graham Dumpleton <graham.dumple...@gmail.com>
Date:   Wed May 21 16:16:47 2014 +1000

    Local privilege escalation when using daemon mode. (CVE-2014-0240)

diff --git a/mod_wsgi.c b/mod_wsgi.c
index 32b2903..3ef911b 100644
--- a/mod_wsgi.c
+++ b/mod_wsgi.c
@@ -10756,6 +10756,19 @@ static void wsgi_setup_access(WSGIDaemonProcess *daemon)
         ap_log_error(APLOG_MARK, WSGI_LOG_ALERT(errno), wsgi_server,
                      "mod_wsgi (pid=%d): Unable to change to uid=%ld.",
                      getpid(), (long)daemon->group->uid);
+
+        /*
+         * On true UNIX systems this should always succeed at
+         * this point. With certain Linux kernel versions though
+         * we can get back EAGAIN where the target user had
+         * reached their process limit. In that case will be left
+         * running as wrong user. Just exit on all failures to be
+         * safe. Don't die immediately to avoid a fork bomb.
+         */
+
+        sleep(20);
+
+        exit(-1);
     }
 
     /*
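
Review bot: exit(-1) at the end of the setuid failure branch reaches the parent as status 255 and, unlike _exit(), runs atexit handlers and flushes inherited stdio buffers while the process is still running as the wrong user; consider _exit() with a small positive status so this path does as little as possible before terminating. The sleep(20) is a bare magic number: a named constant would document that it is the respawn throttle the comment refers to. The hunk covers only the uid change, so it is worth confirming that any other privilege-change failure paths in wsgi_setup_access(), which are not visible here, also terminate instead of continuing. Minor: the comment would read better as "In that case we will be left running as the wrong user".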
