Hi,

Attached is the debdiff to fix CVE-2015-1306 in sympa.
(I've also claimed the issue in dla-needed.txt[1])

The fixed package is already built and tested. I'm ready to upload if there are no objections.

[1] https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?r1=31868&r2=31919

Regards,

M.

-- 
Emmanuel Bouthenot
mail: kolter@{openics,debian}.org gpg: 4096R/0x929D42C3
xmpp: [email protected] irc: kolter@{freenode,oftc}

diff -Nru sympa-6.0.1+dfsg/debian/changelog sympa-6.0.1+dfsg/debian/changelog --- sympa-6.0.1+dfsg/debian/changelog 2015-02-02 23:14:11.000000000 +0000 +++ sympa-6.0.1+dfsg/debian/changelog 2015-02-02 23:11:20.000000000 +0000 @@ -1,3 +1,11 @@ +sympa (6.0.1+dfsg-4+squeeze3) squeeze-lts; urgency=low + + * Add a patch to fix a vulnerability (CVE-2015-1306) in the web interface + (wwsympa) which allows one to send himself by email any readable file by + the sympa user on the filesystem. + + -- Emmanuel Bouthenot <[email protected]> Mon, 02 Feb 2015 23:11:16 +0000 + sympa (6.0.1+dfsg-4+squeeze2) oldstable-proposed-updates; urgency=low * Fix endless loop in wwsympa while loading session data including diff -Nru sympa-6.0.1+dfsg/debian/patches/2007_fix_CVE-2015-1306.patch sympa-6.0.1+dfsg/debian/patches/2007_fix_CVE-2015-1306.patch --- sympa-6.0.1+dfsg/debian/patches/2007_fix_CVE-2015-1306.patch 1970-01-01 00:00:00.000000000 +0000 +++ sympa-6.0.1+dfsg/debian/patches/2007_fix_CVE-2015-1306.patch 2015-02-02 23:10:14.000000000 +0000 
@@ -0,0 +1,30 @@ +Description: Fix a vulnerability (CVE-2015-1306) in the + web interface (wwsympa) which allows one to send himself + by email any readable file by the sympa user on the + filesystem +Author: David Verdin <[email protected]> +Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch +Applied-Upstream: 6.1.24 +Last-Update: 2015-01-16 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/wwsympa/wwsympa.fcgi.in ++++ b/wwsympa/wwsympa.fcgi.in +@@ -15150,9 +15150,14 @@ + $pages_url = $in{'url'}; + + # parse return the MIME::Lite part to send +- my $MIMEmail = $mailHTML->parse($pages_url); +- +- $in{'body'} = $MIMEmail->as_string; ++ $mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']); ++ my $MIMEmail = eval { $mailHTML->parse($pages_url) }; ++ if ($MIMEmail) { ++ $in{'body'} = $MIMEmail->as_string; ++ } else { ++ report::reject_report_web('user', 'wrong_value', {'argument' => 'url'}, $param->{'action'}); ++ return undef; ++ } + + } else { + diff -Nru sympa-6.0.1+dfsg/debian/patches/series sympa-6.0.1+dfsg/debian/patches/series --- sympa-6.0.1+dfsg/debian/patches/series 2015-02-02 23:14:11.000000000 +0000 +++ sympa-6.0.1+dfsg/debian/patches/series 2015-02-02 23:10:14.000000000 +0000 @@ -14,3 +14,4 @@ 1010_sqlite_upgrade.patch 2005_disable_build_non_dfsg_po_files.patch 2006_fix_CVE-2012-2352.patch +2007_fix_CVE-2015-1306.patch
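
Review bot: in the debian/changelog hunk, the new 6.0.1+dfsg-4+squeeze3 entry is marked urgency=low although it fixes a CVE that lets a web user obtain any file readable by the sympa user; consider raising the urgency so the upload is handled as a security fix. The entry text would also read more clearly as "allows a user to have any file readable by the sympa user sent to them by email".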
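
Review bot: in the wwsympa.fcgi.in hunk carried by 2007_fix_CVE-2015-1306.patch, the new eval { $mailHTML->parse($pages_url) } discards $@, so a URL refused by the scheme allowlist and an unrelated parse failure both end in the same 'wrong_value' report with nothing logged. Log $@ together with the submitted url before calling report::reject_report_web, so that requests using a refused scheme are visible to the administrator. The line $mailHTML->{_AGENT}->protocols_allowed([...]) also reaches into a private hash key of the $mailHTML object, which deserves a short comment explaining why. Since the allowlist still lets the server fetch any http, https, ftp or nntp URL supplied in $in{'url'}, the patch Description should state that only schemes outside this list are refused.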
