Your message dated Fri, 25 Sep 2020 08:38:52 +0000 with message-id <e1kljfk-0008d3...@fasolo.debian.org> and subject line Bug#961491: fixed in sympa 6.2.40~dfsg-5 has caused the Debian Bug report #961491, regarding CVE-2020-10936: Security flaws in setuid wrappers to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
961491: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961491
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: sympa
severity: critical
tags: upstream security patch

Security advisory: https://sympa-community.github.io/security/2020-002.html

Excerpt:

--snip--
A vulnerability has been discovered in the Sympa web interface by which an attacker can execute arbitrary code with root privileges.

Sympa uses two sorts of setuid wrappers:

- FastCGI wrappers
- newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi) were used to make the web interface run under the privileges of a dedicated user. The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected, forged code might be loaded and executed under the privileges of the setuid-ed users.
--snap--

Affects all versions of Sympa. Patch is attached.

The following change should also be considered to switch off installation as setuid, which is not needed in most cases: https://github.com/sympa-community/sympa/pull/944/commits/bc9579c7abddc77c92ad51897bd16aba12383d5f

See also https://github.com/sympa-community/sympa/issues/943#issuecomment-633278517 which claims that the patch is incomplete.

CVE is not yet published.

Regards
Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.

commit 3f8449c647e5ab32cf6f8837cb600c1756b6189c
Author: IKEDA Soji <ik...@conversion.co.jp>
Date: Fri Mar 27 21:28:18 2020 +0900

    Sympa SA 2020-002 (candidate): Setuid wrappers should clear environment variables to avoid exploits.

diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c index f4c6a66..435d40c 100644 --- a/src/cgi/sympa_soap_server-wrapper.fcgi.c +++ b/src/cgi/sympa_soap_server-wrapper.fcgi.c 
@@ -6,6 +6,9 @@ Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER + Copyright 2020 The Sympa Community. See the AUTHORS.md + file at the top-level directory of this distribution and at + <https://github.com/sympa-community/sympa.git>. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -24,8 +27,10 @@ #include <unistd.h> int main(int argn, char **argv, char **envp) { + char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL }; + setreuid(geteuid(),geteuid()); setregid(getegid(),getegid()); argv[0] = SYMPASOAP; - return execve(SYMPASOAP,argv,envp); + return execve(SYMPASOAP, argv, myenvp); } diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c index c66c7f8..34198ec 100644 --- a/src/cgi/wwsympa-wrapper.fcgi.c +++ b/src/cgi/wwsympa-wrapper.fcgi.c @@ -6,6 +6,9 @@ Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER + Copyright 2020 The Sympa Community. See the AUTHORS.md + file at the top-level directory of this distribution and at + <https://github.com/sympa-community/sympa.git>. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -24,8 +27,10 @@ #include <unistd.h> int main(int argn, char **argv, char **envp) { + char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL }; + setreuid(geteuid(),geteuid()); // Added to fix the segfault setregid(getegid(),getegid()); // Added to fix the segfault argv[0] = WWSYMPA; - return execve(WWSYMPA,argv,envp); + return execve(WWSYMPA, argv, myenvp); } 
diff --git a/src/libexec/sympa_newaliases-wrapper.c b/src/libexec/sympa_newaliases-wrapper.c index a399218..a1e5935 100644 --- a/src/libexec/sympa_newaliases-wrapper.c +++ b/src/libexec/sympa_newaliases-wrapper.c @@ -6,6 +6,9 @@ Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER + Copyright 2020 The Sympa Community. See the AUTHORS.md + file at the top-level directory of this distribution and at + <https://github.com/sympa-community/sympa.git>. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -24,8 +27,10 @@ #include <unistd.h> int main(int argn, char **argv, char **envp) { + char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL }; + setreuid(geteuid(),geteuid()); setregid(getegid(),getegid()); argv[0] = SYMPA_NEWALIASES; - return execve(SYMPA_NEWALIASES, argv, envp); + return execve(SYMPA_NEWALIASES, argv, myenvp); }signature.asc
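Review bot: in the `int main(int argn, char **argv, char **envp)` hunk of src/cgi/sympa_soap_server-wrapper.fcgi.c, `envp` is never read once `return execve(SYMPASOAP, argv, myenvp);` replaces the old call, so the parameter should be dropped from the signature (`int main(int argn, char **argv)`) to avoid an unused-parameter warning and to make the intent visible. The new `char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };` line also deserves a one-line comment naming Sympa SA 2020-002, so that nobody later "restores" `envp` in the name of preserving the caller's environment.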
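Review bot: the `char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };` table added to src/cgi/wwsympa-wrapper.fcgi.c is byte-identical to the one added to the other two wrappers. A shared header, or a single wrapper source compiled three times with different target macros (which `WWSYMPA`, `SYMPASOAP` and `SYMPA_NEWALIASES` already hint at), would keep the fixed environment in one place; otherwise any later adjustment has to be repeated in three files, and a missed copy silently reopens the issue in one wrapper.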
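Review bot: for src/libexec/sympa_newaliases-wrapper.c, `"PATH=/bin:/usr/bin"` omits /sbin, /usr/sbin and /usr/local/bin. This wrapper runs `SYMPA_NEWALIASES` as root to rebuild the alias database, so if that script locates the MTA's alias tools through PATH it needs either those directories added here or absolute paths in the script; a lookup failure after this change would only show up as a stale alias database, so it is worth exercising on each supported MTA before release.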
Description: OpenPGP digital signature
--- End Message ---
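The advisory above names the root cause: the setuid wrappers handed the caller's environment unchanged to the program they exec'd, so interpreter-controlling variables such as PERL5LIB reached the privileged process. The following is an added example in C, not Sympa's code and not the attached patch, showing the general form of the mitigation: build a fresh environment from fixed entries plus a short allowlist and discard everything else, so that a needed variable can be passed through deliberately without reopening the hole. The allowlist (LANG, TZ), the fixed entries, the constructed sample environment and the function names are assumptions chosen for illustration.

```c
/*
 * Added example (not Sympa's code): a privileged wrapper should not pass the
 * caller's envp to execve(). It builds a new environment instead: fixed
 * entries first, then only allowlisted variables copied from the caller.
 * Allowlist, fixed entries and sample input are assumptions for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Entries always set, regardless of what the caller supplied (assumed values). */
static const char *const fixed_env[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };

/* Variable names that may be copied from the caller (assumed allowlist). */
static const char *const allowed_names[] = { "LANG", "TZ", NULL };

/* Length of the NAME part of "NAME=value" (whole string if there is no '='). */
static size_t name_len(const char *s) {
    const char *eq = strchr(s, '=');
    return eq ? (size_t)(eq - s) : strlen(s);
}

/* True if the NAME parts of a and b are identical; b may be a bare name. */
static int same_name(const char *a, const char *b) {
    size_t n = name_len(a);
    return name_len(b) == n && strncmp(a, b, n) == 0;
}

/* A caller entry is kept only if it is well formed, does not shadow a fixed
 * entry, and its name is on the allowlist. Everything else (PERL5LIB, a
 * caller-supplied PATH, malformed strings) is dropped. */
static int keep_entry(const char *entry) {
    if (strchr(entry, '=') == NULL) return 0;
    for (size_t i = 0; fixed_env[i]; i++)
        if (same_name(entry, fixed_env[i])) return 0;
    for (size_t i = 0; allowed_names[i]; i++)
        if (same_name(entry, allowed_names[i])) return 1;
    return 0;
}

/* Build a NULL-terminated environment suitable for execve(): fixed entries
 * first, then allowlisted entries from 'in'. Strings are not copied; the
 * caller frees the returned array. Returns NULL on allocation failure. */
char **build_safe_env(char *const *in) {
    size_t cap = 1;                                   /* room for terminator */
    for (size_t i = 0; fixed_env[i]; i++) cap++;
    for (size_t i = 0; in && in[i]; i++) cap++;
    char **out = calloc(cap, sizeof *out);
    if (out == NULL) return NULL;
    size_t n = 0;
    for (size_t i = 0; fixed_env[i]; i++) out[n++] = (char *)fixed_env[i];
    for (size_t i = 0; in && in[i]; i++)
        if (keep_entry(in[i])) out[n++] = in[i];
    out[n] = NULL;
    return out;
}

/* Look up NAME in an environment array; returns its value or NULL if absent. */
const char *env_get(char *const *env, const char *name) {
    for (size_t i = 0; env[i]; i++) {
        if (same_name(env[i], name)) {
            const char *eq = strchr(env[i], '=');
            return eq ? eq + 1 : "";
        }
    }
    return NULL;
}

int main(int argc, char **argv) {
    /* Constructed sample standing in for whatever a caller might supply. */
    char *sample[] = { "PERL5LIB=/tmp/injected", "LANG=C",
                       "PATH=/tmp:/usr/bin", "NOEQUALS", NULL };
    char **env = build_safe_env(sample);
    if (env == NULL) return 1;
    for (size_t i = 0; env[i]; i++) printf("%s\n", env[i]);
    /* A real wrapper would call execve(TARGET, argv, env) at this point. */
    (void)argc; (void)argv;
    free(env);
    return 0;
}
```

The shape to notice is that the fixed entries win over anything the caller supplied (a caller-provided PATH is dropped because it shadows a fixed entry), and that nothing is passed through by default; adding a variable means adding its name to the allowlist, which is a reviewable one-line change rather than a hole.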
--- Begin Message ---
Source: sympa
Source-Version: 6.2.40~dfsg-5
Done: Stefan Hornburg (Racke) <ra...@linuxia.de>

We believe that the bug you reported is fixed in the latest version of sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 961...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <ra...@linuxia.de> (supplier of updated sympa package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 25 Sep 2020 09:46:33 +0200
Source: sympa
Architecture: source
Version: 6.2.40~dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Sympa team <sy...@packages.debian.org>
Changed-By: Stefan Hornburg (Racke) <ra...@linuxia.de>
Closes: 961491
Changes:
 sympa (6.2.40~dfsg-5) unstable; urgency=medium
 .
   * Add patch fixing security flaws in setuid wrappers (CVE-2020-10936, Closes: #961491).
Checksums-Sha1:
 7d5253a87268c35ced08a046e176e7074079629b 2531 sympa_6.2.40~dfsg-5.dsc
 4fdd593355347ef9802c997c46f6afaa1ca2ca4d 166684 sympa_6.2.40~dfsg-5.debian.tar.xz
 0b0fdfbf2fdea9a3eac64b6e668df936a1af3bb9 14459 sympa_6.2.40~dfsg-5_amd64.buildinfo
Checksums-Sha256:
 e0d361784b9092c5c1135bad9fa3e36af73025e911f2e9680329cf7594f6f387 2531 sympa_6.2.40~dfsg-5.dsc
 4df0b617373f6005bd7dd1cb0e29f665b5713dee1a1fb0036e54bc4e84a58b4b 166684 sympa_6.2.40~dfsg-5.debian.tar.xz
 0eacd246af724e0ea70141021bd8172117679d5ab1439930b3585f7f7dfca5cc 14459 sympa_6.2.40~dfsg-5_amd64.buildinfo
Files:
 1e962f704268f039794a6f39b3756489 2531 mail optional sympa_6.2.40~dfsg-5.dsc
 5bf8882381069dbebd197d75082abcf1 166684 mail optional sympa_6.2.40~dfsg-5.debian.tar.xz
 d25b05d24bd3f22e17281dac52413918 14459 mail optional sympa_6.2.40~dfsg-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEE1oFJdaJ3d0yY0N/vW5MBW/onIPgFAl9todcRHHJhY2tlQGxp
bnV4aWEuZGUACgkQW5MBW/onIPiFPRAAvAA6UG40koW7+6I+jbqYVrRSmhRIEpj5
lNScafQJblLY48w4VdblEjS8SZu8zyDGEC1E13pOyQ2Llk3FefEVUF/IVsKkD3AO
/q8eNCtTEX7ZoqKFHqpzfdPMY3jWFVgPNFOfCeCr5EgAN01zcs8tF1LdsHjkgRxd
0aB8/L9aOmEf7tEK+8uHifI1Pfez0fqHGY3i4gCzwAmbv2I5wmeZqg2nZDWb/Cxf
XfaIpjw6T7G5Isq+Vjg+bTT4Ppom2ZR5qXEwOXsXA8h5QRpvitIrRhucM22n+z80
h/rclXYSqJA7ojSQVXsycJZRHys9xZ2Ejjbuih4RMbPEz0SW/AYmnE/7NGdyFEE+
6pkzBS6HRsxa41oJ5XZ+Er59RbPaBslfft7iL/jBo51GcHBYNPWITZPICnj+/Fgp
c/AOrH/iVOpfij6tiB6ADbOJviLlEfeOnpxg8fgrOntONGwpHZWldv6cMtvUIgde
F1v0wNAr9IWhMDtfEGS3P/T5p7iD7AUEpC4KLMfB3qxFZ7v0YmOJiOePDFfWEek3
F6mkCuVNDVtmUInF+67sGdwSnMNx8eu78Kgt5f/M71/DaD13CGjLrNlksOCLkOlW
H08NHuOn2vV8Yck3R9n3V9Z8KcSCGVXLkbErY5RLqcxVCNN/BRyh5ZU6dGHZIPYo
PPrU6kzedBM=
=hZa+
-----END PGP SIGNATURE-----
--- End Message ---