Your message dated Fri, 25 Sep 2020 08:38:52 +0000
with message-id <e1kljfk-0008d3...@fasolo.debian.org>
and subject line Bug#961491: fixed in sympa 6.2.40~dfsg-5
has caused the Debian Bug report #961491,
regarding CVE-2020-10936: Security flaws in setuid wrappers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961491: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961491
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: sympa
severity: critical
tags: upstream security patch

Security advisory: https://sympa-community.github.io/security/2020-002.html

Excerpt:

--snip--
A vulnerability has been discovered in the Sympa web interface by which an attacker can execute arbitrary code with root privileges.

Sympa uses two sorts of setuid wrappers:

    FastCGI wrappers
    newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi) were used to make the web interface run under the privileges of a dedicated user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected, forged code might be loaded and executed under the privileges of the setuid-ed users.
--snap--

Affects all versions of Sympa. Patch is attached.

The following change should also be considered to switch off installation as setuid, which is not needed in most cases:
https://github.com/sympa-community/sympa/pull/944/commits/bc9579c7abddc77c92ad51897bd16aba12383d5f

See also https://github.com/sympa-community/sympa/issues/943#issuecomment-633278517 which claims that the patch is incomplete.

CVE is not yet published.

Regards
        Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
commit 3f8449c647e5ab32cf6f8837cb600c1756b6189c
Author: IKEDA Soji <ik...@conversion.co.jp>
Date:   Fri Mar 27 21:28:18 2020 +0900

    Sympa SA 2020-002 (candidate): Setuid wrappers should clear environment variables to avoid exploits.

diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c
index f4c6a66..435d40c 100644
--- a/src/cgi/sympa_soap_server-wrapper.fcgi.c
+++ b/src/cgi/sympa_soap_server-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  <https://github.com/sympa-community/sympa.git>.
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include <unistd.h>
 
 int main(int argn, char **argv, char **envp) {
+    char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
     setreuid(geteuid(),geteuid());
     setregid(getegid(),getegid());
     argv[0] = SYMPASOAP;
-    return execve(SYMPASOAP,argv,envp);
+    return execve(SYMPASOAP, argv, myenvp);
 }
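Review bot: the `setreuid(geteuid(),geteuid());` and `setregid(getegid(),getegid());` context lines just above the changed `execve` still ignore their return values, so a failed call is followed by an `execve` under whatever ids the process actually has; check both and exit non-zero, e.g. `if (setreuid(geteuid(), geteuid()) != 0) { perror("setreuid"); return 1; }`. The new fixed `myenvp` makes the `envp` parameter of `main` unused, so `int main(int argn, char **argv)` is enough and avoids an unused-parameter warning; and because `execve` returns only on failure, `return execve(...)` turns a broken install into an uninformative exit status, so a `perror("execve")` before returning would make the failure visible in the server log.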
diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c
index c66c7f8..34198ec 100644
--- a/src/cgi/wwsympa-wrapper.fcgi.c
+++ b/src/cgi/wwsympa-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  <https://github.com/sympa-community/sympa.git>.
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include <unistd.h>
 
 int main(int argn, char **argv, char **envp) {
+    char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
     setreuid(geteuid(),geteuid()); // Added to fix the segfault
     setregid(getegid(),getegid()); // Added to fix the segfault
     argv[0] = WWSYMPA;
-    return execve(WWSYMPA,argv,envp);
+    return execve(WWSYMPA, argv, myenvp);
 }
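Review bot: the `// Added to fix the segfault` comments on the two setreuid/setregid context lines describe a past bug rather than what the block does now (pinning the wrapper's real ids to its effective ids before exec with a fixed environment) and should be updated or dropped so the next reader does not wonder which segfault is meant. `char *myenvp[]` is passed to `execve`, whose parameter type is `char *const envp[]`; declaring it `char *const myenvp[]` matches that type and states explicitly that the environment is fixed at compile time rather than derived from the caller. The same remark as for the SOAP wrapper applies to checking the setreuid/setregid results before the `execve`.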
diff --git a/src/libexec/sympa_newaliases-wrapper.c b/src/libexec/sympa_newaliases-wrapper.c
index a399218..a1e5935 100644
--- a/src/libexec/sympa_newaliases-wrapper.c
+++ b/src/libexec/sympa_newaliases-wrapper.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  <https://github.com/sympa-community/sympa.git>.
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include <unistd.h>
 
 int main(int argn, char **argv, char **envp) {
+    char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
     setreuid(geteuid(),geteuid());
     setregid(getegid(),getegid());
     argv[0] = SYMPA_NEWALIASES;
-    return execve(SYMPA_NEWALIASES, argv, envp);
+    return execve(SYMPA_NEWALIASES, argv, myenvp);
 }
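Review bot: this is the wrapper that the advisory above says runs with root privileges, so the hard-coded `PATH=/bin:/usr/bin` is the right default, but the commit message should state that the program named by `SYMPA_NEWALIASES`, and anything it looks up via `PATH`, must now be found in `/bin` or `/usr/bin`; an installation whose Perl interpreter or alias-database tools live elsewhere will fail at this point instead of inheriting the caller's `PATH`, which is the intended fail-closed behaviour and deserves a line in the changelog. As in the other two hunks, the `setreuid`/`setregid` return values are unchecked; for a root wrapper a failure here should abort before `execve` rather than be ignored.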

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
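As an added example, not Sympa's code and not part of the bug report above: a C version of the environment sanitization the advisory calls for, factored into functions that can be tested without a setuid binary. It goes one step beyond the patch by letting a short named list of harmless caller variables through while dropping everything else by default; the names build_wrapper_env, env_has_var and sanitize_sample, the ALLOWED list and the sample caller environment are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed entries every wrapper environment starts with; the same values the
 * Sympa patch hard-codes. */
static const char *const FIXED_ENV[] = { "IFS= \t\n", "PATH=/bin:/usr/bin" };

/* Caller variables the wrapper may pass through. The list is an assumption
 * of this example, not Sympa's policy; anything not on it, in particular
 * PERL5LIB, PERL5OPT, LD_PRELOAD, PATH and IFS, is dropped unconditionally. */
static const char *const ALLOWED[] = { "TZ", "LANG", NULL };

/* Length of the NAME part of a "NAME=value" entry, 0 if there is no '='. */
static size_t env_name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : 0;
}

/* Does the entry's name exactly match one of the names in list? */
static int name_in_list(const char *entry, const char *const *list) {
    size_t n = env_name_len(entry);
    if (n == 0)
        return 0;
    for (; *list; list++)
        if (strlen(*list) == n && strncmp(*list, entry, n) == 0)
            return 1;
    return 0;
}

/* Build the environment a setuid wrapper should hand to execve(): FIXED_ENV
 * first, then only those caller entries whose name is in ALLOWED, then NULL.
 * Returns the entry count (excluding the NULL), or -1 if out is too small.
 * Entries point into envp and the literals above, so nothing is copied. */
int build_wrapper_env(char *const *envp, char **out, size_t out_len) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof FIXED_ENV / sizeof FIXED_ENV[0]; i++) {
        if (n + 1 >= out_len)
            return -1;
        out[n++] = (char *)FIXED_ENV[i];
    }
    for (; envp && *envp; envp++) {
        if (!name_in_list(*envp, ALLOWED))
            continue;                    /* default deny */
        if (n + 1 >= out_len)
            return -1;
        out[n++] = *envp;
    }
    out[n] = NULL;
    return (int)n;
}

/* Audit helper: 1 if env still carries a variable called name, else 0.
 * A wrapper can check env_has_var(clean, "PERL5LIB") == 0 before exec. */
int env_has_var(char *const *env, const char *name) {
    size_t want = strlen(name);
    for (; env && *env; env++)
        if (env_name_len(*env) == want && strncmp(*env, name, want) == 0)
            return 1;
    return 0;
}

/* Constructed sample caller environment (not captured from a real host): it
 * carries the kind of injected PERL5LIB and PATH the advisory describes. */
char *SAMPLE_CALLER_ENV[] = { "PERL5LIB=/tmp/injected-lib", "PATH=/tmp:/bin",
                              "TZ=UTC", "HOME=/root", NULL };
char *SAMPLE_CLEAN_ENV[8];

/* Sanitize the sample into SAMPLE_CLEAN_ENV; returns build_wrapper_env()'s count. */
int sanitize_sample(void) {
    return build_wrapper_env(SAMPLE_CALLER_ENV, SAMPLE_CLEAN_ENV,
                             sizeof SAMPLE_CLEAN_ENV / sizeof SAMPLE_CLEAN_ENV[0]);
}

int main(void) {
    int n = sanitize_sample();
    if (n < 0 || env_has_var(SAMPLE_CLEAN_ENV, "PERL5LIB")) {
        fputs("refusing to exec: environment not sanitized\n", stderr);
        return 1;
    }
    /* A real wrapper would now pin its ids (checking the return values) and
     * call execve(target, argv, SAMPLE_CLEAN_ENV); here we only show the result. */
    for (int i = 0; i < n; i++)
        printf("%s\n", SAMPLE_CLEAN_ENV[i]);
    return 0;
}
```

Running it prints the three surviving entries (IFS, PATH and TZ); HOME and the injected PERL5LIB and PATH never reach the exec'd program. Keeping the allowlist empty reproduces the patch's behaviour exactly, which is the safer starting point for a root wrapper.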
--- Begin Message ---
Source: sympa
Source-Version: 6.2.40~dfsg-5
Done: Stefan Hornburg (Racke) <ra...@linuxia.de>

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <ra...@linuxia.de> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 25 Sep 2020 09:46:33 +0200
Source: sympa
Architecture: source
Version: 6.2.40~dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Sympa team <sy...@packages.debian.org>
Changed-By: Stefan Hornburg (Racke) <ra...@linuxia.de>
Closes: 961491
Changes:
 sympa (6.2.40~dfsg-5) unstable; urgency=medium
 .
   * Add patch fixing security flaws in setuid wrappers (CVE-2020-10936, Closes: #961491).
Checksums-Sha1:
 7d5253a87268c35ced08a046e176e7074079629b 2531 sympa_6.2.40~dfsg-5.dsc
 4fdd593355347ef9802c997c46f6afaa1ca2ca4d 166684 sympa_6.2.40~dfsg-5.debian.tar.xz
 0b0fdfbf2fdea9a3eac64b6e668df936a1af3bb9 14459 sympa_6.2.40~dfsg-5_amd64.buildinfo
Checksums-Sha256:
 e0d361784b9092c5c1135bad9fa3e36af73025e911f2e9680329cf7594f6f387 2531 sympa_6.2.40~dfsg-5.dsc
 4df0b617373f6005bd7dd1cb0e29f665b5713dee1a1fb0036e54bc4e84a58b4b 166684 sympa_6.2.40~dfsg-5.debian.tar.xz
 0eacd246af724e0ea70141021bd8172117679d5ab1439930b3585f7f7dfca5cc 14459 sympa_6.2.40~dfsg-5_amd64.buildinfo
Files:
 1e962f704268f039794a6f39b3756489 2531 mail optional sympa_6.2.40~dfsg-5.dsc
 5bf8882381069dbebd197d75082abcf1 166684 mail optional sympa_6.2.40~dfsg-5.debian.tar.xz
 d25b05d24bd3f22e17281dac52413918 14459 mail optional sympa_6.2.40~dfsg-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
