Bug 956281 - (CVE-2015-7519) VUL-0: CVE-2015-7519: rubygem-passenger: Passenger is not filtering environment like apache is doing
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other Other
Importance: P3 - Medium, Normal
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2015-7519:4.9:(AV:N/A...
Reported: 2015-11-23 15:18 UTC by Adrian Schröter
Modified: 2016-04-27 19:47 UTC (History)

Found By: Development


Attachments
- test/reproducer (1.06 KB, application/x-bzip), 2015-12-01 18:31 UTC, Jordi Massaguer
- test/reproducer (1.22 KB, application/x-bzip), 2015-12-16 10:40 UTC, Jordi Massaguer
- patch for version 3.0.14 (1.24 KB, patch), 2015-12-16 19:03 UTC, Jordi Massaguer

Description Adrian Schröter 2015-11-23 15:18:04 UTC
Passenger is not filtering headers when exporting them to the environment like Apache does. In our setup this caused a grave security issue since it was possible
to inject a variable by using "_" instead of "-". The Ruby web application has no chance to distinguish between the variables.

We patched passenger to filter the export of the headers to the environment, analogous to the Apache code. The fix can be found here:

 https://build.opensuse.org/package/view_file/OBS:Server:Unstable/rubygem-passenger/fix-header-handling.diff?expand=1

based on passenger 5.0.28
Comment 1 Andreas Stieger 2015-11-23 16:15:31 UTC
Reported privately to security@phusion.nl, receipt was acknowledged.
Comment 2 Michael Schröder 2015-11-23 16:50:55 UTC
proposal on apache mailing list:
https://www.mail-archive.com/dev@httpd.apache.org/msg49097.html

commit:
https://svn.apache.org/viewvc?view=revision&revision=1053353

Btw, nginx has an "underscores_in_headers" option (where the default is off). So passenger under nginx is probably safe.

I guess that mod_passenger should also have such an option. Our patch currently doesn't implement that.

(Also note that the commit's claim "RFC 2616 says that header names must start with a letter, followed only by letters, numbers or hyphen" is bogus. Underscores are perfectly legal.)
Comment 3 Andreas Stieger 2015-11-23 17:37:31 UTC
Similar code has been in since the first release (tag release-1.0.0), where this code was in ext/apache2/Hooks.cpp http2env() prior to refactoring.
Comment 4 Swamp Workflow Management 2015-11-23 23:00:40 UTC
bugbot adjusting priority
Comment 10 Andreas Stieger 2015-11-26 17:05:59 UTC
sent to distros
CRD: 2015-12-07 11:00 UTC
Comment 11 Alexander Bergmann 2015-11-27 07:27:42 UTC
CVE-2015-7519 was assigned to this issue.
Comment 12 Andreas Stieger 2015-11-27 09:32:49 UTC
Assign to SLE maintainer
Comment 13 Jordi Massaguer 2015-11-30 18:25:35 UTC
Do you have test code?
Comment 14 SMASH SMASH 2015-12-01 06:58:54 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Dec. 15, 2015".

When done, reassign the bug to "security-team@suse.de".
/update/121065/.
Comment 15 Jordi Massaguer 2015-12-01 18:31:29 UTC
Created attachment 657961 [details]
test/reproducer

this tarball contains:

home/vagrant/test-CVE-2015-7519/ <- simple rack application
etc/apache2/vhosts.d/test-cve-2015-7519.conf <- virtual host for the above application
README <- instructions on how to use curl in order to test.
Comment 19 Jordi Massaguer 2015-12-16 10:40:14 UTC
Created attachment 659536 [details]
test/reproducer

see README on how to use the reproducer.

I am replacing the reproducer since the instructions in the README were wrong. Sorry about that.

In order to reproduce it, you need to do

curl -H "X_username: test" http://localhost

With the original rpm, you should see this output

HTTP_X_USERNAME test

With the patched rpm:

HTTP_X_USERNAME

Note the test has been filtered.

What the patch does is to accept "-" or alphanums, but not "_". Otherwise, "x_username" would overwrite the HTTP_X_USERNAME header.
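The collision the reproducer above demonstrates, and the filter the patch applies, as an added example in C++ that is not Passenger's code and not the attached patch. The helpers headerToEnvName and buildEnv are hypothetical, and the two request headers are constructed for the demo: one "X-Username" header standing in for a value set by a trusted front end, and one "X_username" header as sent by the curl command above. With the naive CGI mapping both names become HTTP_X_USERNAME and the later one wins; with the filter, names containing anything other than letters, digits and "-" are dropped before export.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical helper (not Passenger's http2env): map an HTTP header name to
// its CGI-style environment variable name, e.g. "X-Username" -> "HTTP_X_USERNAME".
// With filterUnderscores set, a name containing any character other than
// alphanumerics or '-' is rejected and "" is returned (the behaviour the patch adds).
std::string headerToEnvName(const std::string &name, bool filterUnderscores) {
    std::string env = "HTTP_";
    for (std::string::size_type i = 0; i < name.size(); ++i) {
        unsigned char uc = static_cast<unsigned char>(name[i]);
        if (std::isalnum(uc)) {
            env += static_cast<char>(std::toupper(uc));
        } else if (uc == '-') {
            env += '_';
        } else if (filterUnderscores) {
            // '_' (or any other byte) would be indistinguishable from '-' after
            // conversion, so the header is not exported at all.
            return "";
        } else {
            // Unfiltered: '_' passes through, so "X_username" lands on the
            // same variable as "X-Username".
            env += static_cast<char>(uc);
        }
    }
    return env;
}

typedef std::vector<std::pair<std::string, std::string> > HeaderList;

// Hypothetical helper: build the environment a naive importer would hand to the
// application. Later headers overwrite earlier ones with the same variable name.
std::map<std::string, std::string> buildEnv(const HeaderList &headers, bool filterUnderscores) {
    std::map<std::string, std::string> env;
    for (HeaderList::const_iterator it = headers.begin(); it != headers.end(); ++it) {
        std::string key = headerToEnvName(it->first, filterUnderscores);
        if (key.empty()) {
            continue;  // rejected by the filter
        }
        env[key] = it->second;
    }
    return env;
}

int main() {
    HeaderList headers;
    // Constructed sample request: a header a trusted front end would set,
    // followed by the underscore variant from the curl reproducer.
    headers.push_back(std::make_pair("X-Username", "alice"));
    headers.push_back(std::make_pair("X_username", "test"));

    std::map<std::string, std::string> unfiltered = buildEnv(headers, false);
    std::map<std::string, std::string> filtered = buildEnv(headers, true);

    std::cout << "unfiltered HTTP_X_USERNAME=" << unfiltered["HTTP_X_USERNAME"] << "\n";  // test
    std::cout << "filtered   HTTP_X_USERNAME=" << filtered["HTTP_X_USERNAME"] << "\n";    // alice
    return 0;
}
```

The application only ever sees the variable name, so the ambiguity has to be resolved in the server that builds the environment; the filter side of buildEnv is the one to keep enabled, and a front end that needs to pass a value through should use "-" in the header name.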
Comment 20 Jordi Massaguer 2015-12-16 11:45:21 UTC
For Apache < 2.4 you need to adjust the /etc/apache2/vhosts.d/test-cve-2015-7519.conf

See the comments in the same file.
Comment 21 Jordi Massaguer 2015-12-16 19:03:02 UTC
Created attachment 659602 [details]
patch for version 3.0.14
Comment 24 Swamp Workflow Management 2015-12-21 22:10:39 UTC
SUSE-SU-2015:2337-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 956281
CVE References: CVE-2015-7519
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    rubygem-passenger-5.0.18-6.1
Comment 25 Victor Pereira 2015-12-30 08:05:40 UTC
fixed and released.
Comment 26 Andreas Stieger 2016-01-07 09:34:43 UTC
Releasing for SLE-SLMS_1.3, SLE-STUDIOONSITE_1.3, SLE-WEBYAST_1.3
Comment 27 Swamp Workflow Management 2016-01-07 13:16:42 UTC
SUSE-SU-2016:0042-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 828005,919726,956281
CVE References: CVE-2013-2119,CVE-2013-4136,CVE-2015-7519
Sources used:
SUSE Webyast 1.3 (src):    rubygem-passenger-3.0.14-0.14.1
SUSE Studio Onsite 1.3 (src):    rubygem-passenger-3.0.14-0.14.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-passenger-3.0.14-0.14.1