Your message dated Thu, 09 May 2019 15:03:51 +0000
with message-id <e1hokan-0004lu...@fasolo.debian.org>
and subject line Bug#928304: fixed in groonga 9.0.1-2
has caused the Debian Bug report #928304,
regarding groonga-httpd: Privilege escalation due to insecure use of logrotate
(CVE-2019-11675)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
928304: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: groonga-httpd
Version: 6.1.5-1
Severity: critical
Tags: security
Justification: root security hole
Dear Maintainer,
The path of the log directory of groonga-httpd can be manipulated by user
groonga:

    ls -l /var/log/groonga
    total 8
    -rw-r--r-- 1 root    root    1296 Apr 25 18:44 groonga.log
    drwxr-xr-x 2 groonga groonga 4096 Apr 25 18:55 httpd
The files in /var/log/groonga/httpd/*.log are once a day rotated by
logrotate as user root with the following config:
    /var/log/groonga/httpd/*.log {
        daily
        missingok
        rotate 30
        compress
        delaycompress
        notifempty
        create 640 groonga groonga
        sharedscripts
        postrotate
            . /etc/default/groonga-httpd
            if [ x"$ENABLE" = x"yes" ]; then
                /usr/bin/curl --silent --output /dev/null \
                    "http://127.0.0.1:10041/d/log_reopen"
            fi
        endscript
    }
Because logrotate is prone to a race condition (see the link to my
blog below), it is possible for user "groonga" to replace the
directory /var/log/groonga/httpd with a symbolic link to any
directory (for example /etc/bash_completion.d). logrotate will place
files AS ROOT into /etc/bash_completion.d and set the owner and
group to "groonga.groonga". An attacker could simply place a
reverse shell into this file. As soon as root logs in, a reverse
shell will then be executed.
You can find an exploit for this bug at my blog:
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
(This exploit won't work well with lvm or docker but works reliably
if the filesystem is directly on the disk.)
Mitigation:
You could mitigate the problem by changing the owner and group of
/var/log/groonga to root, or by using the "su" option inside the
logrotate config file.
-- System Information:
Debian Release: 9.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages groonga-httpd depends on:
ii curl 7.52.1-5+deb9u9
ii groonga-server-common 6.1.5-1
ii init-system-helpers 1.48
ii libc6 2.24-11+deb9u4
ii libgroonga0 6.1.5-1
ii libpcre3 2:8.39-3
ii libssl1.1 1.1.0j-1~deb9u1
ii lsb-base 9.20161125
ii zlib1g 1:1.2.8.dfsg-5
groonga-httpd recommends no packages.
groonga-httpd suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: groonga
Source-Version: 9.0.1-2
We believe that the bug you reported is fixed in the latest version of
groonga, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kentaro Hayashi <haya...@clear-code.com> (supplier of updated groonga package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 09 May 2019 23:34:20 +0900
Source: groonga
Architecture: source
Version: 9.0.1-2
Distribution: unstable
Urgency: medium
Maintainer: Groonga Project <packa...@groonga.org>
Changed-By: Kentaro Hayashi <haya...@clear-code.com>
Closes: 928304
Changes:
groonga (9.0.1-2) unstable; urgency=medium
.
* debian/groonga-httpd.logrotate
debian/groonga-server-gqtp.logrotate
- Mitigate privilege escalation by changing the owner and group of logs
with "su" option. Reported by Wolfgang Hotwagner.
(Closes: #928304) (CVE-2019-11675)
Checksums-Sha1:
6acabf158bc5dd42250301af49ce40cec4a46d27 3181 groonga_9.0.1-2.dsc
bbe6b760cbe320d8293eb43c60335d2708fb011a 15455806 groonga_9.0.1.orig.tar.gz
da5b9be23639e2c096ff3ab5a7d97cece72f0682 195 groonga_9.0.1.orig.tar.gz.asc
54623d6b77e6f1964777a821105ac5c42054c6ca 96860 groonga_9.0.1-2.debian.tar.xz
1d0bdc47bff112cde2a8ee69aa66cce8d13d27d2 6970 groonga_9.0.1-2_source.buildinfo
Checksums-Sha256:
f668c9ba182f77940edaed399bfc087862aa4172ba606453d66e2688bbf7878d 3181 groonga_9.0.1-2.dsc
f850336390bdea293829ce017fb13eb1c9d9a23691f4a684ab9128e084e5edd4 15455806 groonga_9.0.1.orig.tar.gz
d15d2318f58ce3368cccd860ecf875ab4e5fd69a7b7355c993c96cfb30bda602 195 groonga_9.0.1.orig.tar.gz.asc
69520a343d1226e10972359ec7ab8adac57f63e51f8d6adbe521ea3f4f6f341d 96860 groonga_9.0.1-2.debian.tar.xz
98cd5b3d1556cc65c8ae4a4fbff9cd88f86d0f2137754552dc77541786a5fa39 6970 groonga_9.0.1-2_source.buildinfo
Files:
7b2034accf8a62e8bab46495e8483acf 3181 database optional groonga_9.0.1-2.dsc
b362e2371162dda1b2f660c1b6a8552c 15455806 database optional groonga_9.0.1.orig.tar.gz
47d1e2879f80e1740c7ab167af55fc64 195 database optional groonga_9.0.1.orig.tar.gz.asc
3559c853f7dc3ed9c7f5e6d649de2078 96860 database optional groonga_9.0.1-2.debian.tar.xz
d150fa3e972554b8a48b0ab04ab5a9d7 6970 database optional groonga_9.0.1-2_source.buildinfo
--- End Message ---
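The report's mitigation and the changelog's fix come down to one property of a logrotate stanza: root must not rotate files inside a directory that an unprivileged user owns unless the stanza drops privileges with the "su" directive. The following Python script is an added example for this thread, not code from the reporter, the groonga project or Debian. It parses logrotate stanzas, skipping postrotate script bodies, and flags the ones that have that pattern. The config text is taken from the report, the "fixed" variant adds the su line the changelog describes, and the directory-ownership table is constructed to mirror the ls output in the report; owner_from_filesystem is an assumed helper for running the same check against a live system.

```python
"""Audit logrotate stanzas for the pattern behind CVE-2019-11675.

Added example for this bug thread; not code from groonga or Debian.
logrotate runs as root. If the directory holding a rotated log is owned
by a non-root user and the stanza has no `su` directive, that user can
influence what root writes there (the race the reporter describes).
"""
import os
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the stanza quoted in the bug report.
VULNERABLE_CONF = """\
/var/log/groonga/httpd/*.log {
    daily
    missingok
    rotate 30
    compress
    delaycompress
    notifempty
    create 640 groonga groonga
    sharedscripts
    postrotate
        . /etc/default/groonga-httpd
        if [ x"$ENABLE" = x"yes" ]; then
            /usr/bin/curl --silent --output /dev/null \\
                "http://127.0.0.1:10041/d/log_reopen"
        fi
    endscript
}
"""

# The same stanza with the `su` directive the changelog adds (9.0.1-2).
FIXED_CONF = VULNERABLE_CONF.replace(
    "    create 640 groonga groonga\n",
    "    su groonga groonga\n    create 640 groonga groonga\n",
)

# Constructed ownership table standing in for os.stat() results, matching
# the `ls -l /var/log/groonga` output in the report.
SAMPLE_OWNERS: Dict[str, str] = {
    "/var/log/groonga": "root",
    "/var/log/groonga/httpd": "groonga",
}

SCRIPT_OPENERS = {"postrotate", "prerotate", "firstaction", "lastaction", "preremove"}


def parse_stanzas(conf: str) -> List[Tuple[List[str], List[str]]]:
    """Return (log_paths, directives) for each `path ... { ... }` stanza.

    Lines between a script opener and `endscript` are shell text, not
    logrotate directives, so they are skipped rather than parsed.
    """
    stanzas: List[Tuple[List[str], List[str]]] = []
    paths: List[str] = []
    directives: List[str] = []
    in_stanza = in_script = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not in_stanza:
            if line.endswith("{"):
                paths, directives, in_stanza = line[:-1].split(), [], True
            continue
        if in_script:
            in_script = line != "endscript"
        elif line in SCRIPT_OPENERS:
            in_script = True
        elif line == "}":
            stanzas.append((paths, directives))
            in_stanza = False
        else:
            directives.append(line)
    return stanzas


def find_unsafe_stanzas(conf: str, owner_of: Callable[[str], Optional[str]]) -> List[str]:
    """Return log patterns rotated as root inside a non-root-owned directory
    whose stanza carries no `su` directive."""
    unsafe: List[str] = []
    for paths, directives in parse_stanzas(conf):
        if any(d.split()[0] == "su" for d in directives):
            continue  # logrotate drops to this user before touching the dir
        for pattern in paths:
            owner = owner_of(os.path.dirname(pattern))
            if owner is not None and owner != "root":
                unsafe.append(pattern)
    return unsafe


def owner_from_table(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Ownership lookup backed by a constructed table (for offline runs)."""
    return lambda directory: table.get(directory)


def owner_from_filesystem(directory: str) -> Optional[str]:
    """Assumed helper for live audits: owner name of a directory, or None."""
    import pwd  # Unix-only; imported here so the offline path stays portable
    try:
        return pwd.getpwuid(os.stat(directory).st_uid).pw_name
    except (FileNotFoundError, KeyError):
        return None


if __name__ == "__main__":
    lookup = owner_from_table(SAMPLE_OWNERS)
    print("vulnerable:", find_unsafe_stanzas(VULNERABLE_CONF, lookup))
    print("fixed:     ", find_unsafe_stanzas(FIXED_CONF, lookup))
```

Pointing find_unsafe_stanzas at owner_from_filesystem over the files in /etc/logrotate.d turns this into a quick audit of an installed system; a stanza is reported only when the enclosing directory really is owned by a non-root user, so the report's other mitigation (chowning /var/log/groonga to root) also makes it pass.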