Bug 576060 (CVE-2010-2470)
checksetup.pl with $use_suexec=1 sets .bzr/ as world readable in 3.6
Status: Closed, RESOLVED FIXED
Opened 15 years ago; closed 15 years ago
Categories: Bugzilla :: Installation & Upgrading, defect
Tracking: Bugzilla 3.6
People: Reporter: reed, Assigned: mkanat
Whiteboard: [affects 3.6 only]
Attachments (1 file): patch, 738 bytes, reed: review+
From MITRE:
Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7 through 3.7.1, when use_suexec is enabled, uses world-readable permissions within (1) .bzr/ and (2) data/webdot/, which allows local users to obtain potentially sensitive data by reading files in these directories, a different vulnerability than CVE-2010-0180.
See also: bug 561797
Filing this as public, as the information in the CVE is publicly available.
Comment 1 • 15 years ago (Reporter)
This is CVE-2010-2470.
Comment 2 • 15 years ago
data/webdot/ probably actually needs to be world readable, as it's used for storage of generated static files that are actually served directly by the webserver (not via a CGI script), and thus the webserver would need to be able to read them even when not running as the suexec user. That said, it probably only needs to be world-executable and not readable (the files are never browsed, only direct-linked, so we don't need to be able to get a directory listing, just the files themselves).
The security value of .bzr is debatable since the code is open, but best practices say it should be hidden from the web, just in case (especially if people make proprietary customizations and so forth).
Comment 3 • 15 years ago (Assignee)
Okay, so upon investigation, it turns out that data/webdot is not, in fact, world-readable. The comment in the other bug was in relation to the fact that webdot graphs didn't work at all under suexec on 3.6, and that patch was fixing them to work for trunk. (The reason they didn't work was that they were *not* world-readable.)
.bzr is still world-readable under 3.6; however, I don't consider that to be a security issue because:
(a) We didn't ship 3.6 tarballs with .bzr directories.
(b) We don't ship anything confidential in .bzr by default.
I will still post a simple patch to fix it for 3.6.2 though.
Summary: [SECURITY] checksetup.pl with $use_suexec=1 sets .bzr/ and data/webdot/ as world readable → checksetup.pl with $use_suexec=1 sets .bzr/ as world readable in 3.6
Comment 4 • 15 years ago (Assignee)
Okay, this protects .bzr for the 3.6 branch. (It is already protected on trunk.)
Updated • 15 years ago (Assignee)
Whiteboard: [affects 3.6 only]
Comment 5 • 15 years ago (Reporter)
Comment on attachment 455980: v1 (3.6)
As a side note, the names *_readable are confusing, considering you're really granting r+w, rather than just r.
You added this under "Writable directories", so you'll need to move it down under "Readable directories". Please attach a patch with that fixed before resolving this bug.
Besides that, .bzr being 0700 and files under .bzr being 0600 is correct, and the +x for fixperms.pl is also correct.
In testing, I noticed that the .bzr directory gets the gid of the web server, which is kinda weird... Not sure how much I like that, but there doesn't seem to be an easy way to not have that happen without some extra code, and with the permissions as they are, I don't think it matters. bzr operations seem to immediately change the gid back to the current owner, though.
r=me with the move and new patch attached.
Attachment #455980 - Flags: review?(reed) → review+
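The following script is an added example and is not Bugzilla's own code, nor the patch attached to this bug. It audits an install directory for a world-readable .bzr/ tree (the state comment 3 describes for 3.6 with $use_suexec=1) and applies the modes comment 5 confirms for the fix: directories 0700, files 0600. It assumes only POSIX sh plus find, chmod, mktemp, wc and tr; BUGZILLA_ROOT is a hypothetical name for the install directory, and the fixture it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Bugzilla's own code. Audits and repairs the .bzr/
# permissions this bug is about. Assumes POSIX sh, find, chmod, mktemp,
# wc, tr. BUGZILLA_ROOT is a hypothetical name, not a Bugzilla variable.

# List every entry under $1/.bzr with the "other read" bit set.
# Returns 0 if nothing is world-readable, 1 if something is, 2 if no .bzr.
audit_bzr_perms() {
    root="$1"
    [ -d "$root/.bzr" ] || { echo "no .bzr under $root" >&2; return 2; }
    # -perm -004: every bit in 004 (o+r) is set on the entry; this checks
    # mode bits, not access, so it behaves the same when run as root.
    offenders=$(find "$root/.bzr" -perm -004)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Restrict .bzr to its owner, the modes the review in comment 5 confirms:
# directories 0700, regular files 0600.
fix_bzr_perms() {
    root="$1"
    [ -d "$root/.bzr" ] || return 2
    find "$root/.bzr" -type d -exec chmod 0700 {} + &&
    find "$root/.bzr" -type f -exec chmod 0600 {} +
}

# Number of world-readable entries under $1/.bzr, for scripted checks.
count_world_readable() {
    [ -d "$1/.bzr" ] || { echo 0; return; }
    find "$1/.bzr" -perm -004 | wc -l | tr -d ' '
}

# Constructed fixture: a fake install whose .bzr tree is world-readable,
# reproducing the state a 3.6 checksetup.pl run with $use_suexec=1 left.
make_fixture() {
    fixture=$(mktemp -d) || return 1
    mkdir -p "$fixture/.bzr/checkout" "$fixture/data/webdot"
    printf 'constructed branch metadata\n' > "$fixture/.bzr/branch-format"
    printf 'constructed checkout data\n' > "$fixture/.bzr/checkout/dirstate"
    # Force the vulnerable modes regardless of the caller's umask.
    find "$fixture/.bzr" -type d -exec chmod 0755 {} +
    find "$fixture/.bzr" -type f -exec chmod 0644 {} +
    printf '%s\n' "$fixture"
}

# Stand-alone demo: show the offending entries, fix them, re-audit, clean up.
demo() {
    BUGZILLA_ROOT=$(make_fixture) || return 1
    echo "== before fix =="
    audit_bzr_perms "$BUGZILLA_ROOT"; echo "audit exit status: $?"
    fix_bzr_perms "$BUGZILLA_ROOT"
    echo "== after fix =="
    audit_bzr_perms "$BUGZILLA_ROOT"; echo "audit exit status: $?"
    rm -rf "$BUGZILLA_ROOT"
}

demo
```

Run it against a real install with `audit_bzr_perms /path/to/bugzilla` first; a non-zero exit with a list of paths is the finding, and `fix_bzr_perms` applies the same modes the fixed Filesystem.pm sets on the 3.6 branch. The fixture deliberately leaves data/webdot alone, since comment 3 establishes that directory was never the problem.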
Comment 6 • 15 years ago (Assignee)
(In reply to comment #5)
> (From update of attachment 455980 [details] [diff] [review])
> As a side note, the names *_readable are confusing, considering you're really
> granting r+w, rather than just r.
No kidding. That's one reason they're different on trunk. :-)
Thanks for the review! :-) I'll do what you asked.
Updated • 15 years ago (Assignee)
Flags: approval3.6+
Comment 7 • 15 years ago (Assignee)
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Install/Filesystem.pm
Committed revision 7135.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED