Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi stable release managers,

X-Debbugs-CC'ing Emmanuel Bouthenot.

Sympa in stable is affected by #863631, where on every update of sympa,
the values reinjected into the sympa config file were false due to an issue
in the shell function used to prefill the debconf questions.

This was earlier fixed for buster, but updates within stretch will
still have the problem.

Now, there is a security update planned for CVE-2018-1000550, and for
the above reason I would include the cherry-picked fix for the above,
but would like to get an official ack, given it's not for the security
fix.

Attached is the full debdiff as planned right now, only the
debian/config part of the diff would be relevant for #863631.

Please let me know if you disagree with the approach.

Regards,
Salvatore
diff -Nru sympa-6.2.16~dfsg/debian/changelog sympa-6.2.16~dfsg/debian/changelog
--- sympa-6.2.16~dfsg/debian/changelog  2017-03-05 06:56:13.000000000 +0100
+++ sympa-6.2.16~dfsg/debian/changelog  2018-07-27 19:48:38.000000000 +0200
@@ -1,3 +1,18 @@
+sympa (6.2.16~dfsg-3+deb9u1) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+
+  [ Salvatore Bonaccorso ]
+  * Directory traversal vulnerability (CVE-2018-1000550)
+
+  [ Emmanuel Bouthenot ]
+  * Fix shell function used to prefill debconf questions from Sympa
+    configuration file in debian/config. Values reinjected to Sympa config
+    file were false and led to serious configurations issues.
+    (Closes: #863631)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 27 Jul 2018 19:48:38 +0200
+
 sympa (6.2.16~dfsg-3) unstable; urgency=medium
 
   * Add dependency on libnet-dns-perl to perform DMARC verifications
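Review bot: the changelog entry under [ Emmanuel Bouthenot ] reads "serious configurations issues"; make that "serious configuration issues" before upload. The CVE-2018-1000550 line says only "Directory traversal vulnerability", while the patch file it ships is named after upstream advisory sa-2018-001 and the 6.2.24 fix; naming that advisory in the changelog line would let readers trace the fix from the changelog alone.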
diff -Nru sympa-6.2.16~dfsg/debian/config sympa-6.2.16~dfsg/debian/config
--- sympa-6.2.16~dfsg/debian/config     2016-11-25 10:34:20.000000000 +0100
+++ sympa-6.2.16~dfsg/debian/config     2018-07-27 19:48:38.000000000 +0200
@@ -10,7 +10,7 @@
 sympa_conf_get() {
     key="${1}"
     if [ -e "${conf}" ]; then
-        sed -r -n 's/^\s*db_user\s+(.*)$/\1/p' "${conf}"
+        sed -r -n "s/^\s*${key}\s+(.*)\$/\1/p" "${conf}"
     fi
 }
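Review bot: `${key}` is interpolated unescaped into the `sed -r` expression in sympa_conf_get(), so a key containing `/`, `.`, `*` or another ERE metacharacter would alter the pattern or break the s/// command. That is harmless as long as every caller passes a literal identifier such as db_user, but the function should either say so in a comment or compare the first field of the line against the key as a fixed string instead of building a regex from it. The fix itself is right: the old line hard-coded `db_user`, so sympa_conf_get() returned db_user's value for every key it was asked for, which is exactly the wrong-values-reinjected symptom of #863631.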
 
diff -Nru sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch
--- sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch        1970-01-01 01:00:00.000000000 +0100
+++ sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch        2018-07-27 19:48:38.000000000 +0200
@@ -0,0 +1,92 @@
+commit deb5aabcd3f215ccf86fc61f36f44ec165b4fc4f
+Author: IKEDA Soji <ik...@conversion.co.jp>
+Date:   Fri Apr 13 17:49:19 2018 +0900
+
+    [*bug] WWSympa: Multiple bugs on permissions to edit files:
+      - Owners could view list config files (`info`, templates etc.) even if
+        edit_list.conf prohibits.  Fixed by removing unused function viewfile.
+      - "Edit list templates" menu lists files prohibited by edit_list.conf.
+      - Owners and listmasters could create or modify arbitrary files in the
+        server with privileges of sympa user.
+
+--- a/src/cgi/wwsympa.fcgi.in
++++ b/src/cgi/wwsympa.fcgi.in
+@@ -194,7 +194,6 @@ our %comm = (
+     'firstpasswd'      => 'do_firstpasswd',
+     'requestpasswd'    => 'do_requestpasswd',
+     'choosepasswd'     => 'do_choosepasswd',
+-    'viewfile'         => 'do_viewfile',
+     'set'              => 'do_set',
+     'admin'            => 'do_admin',
+     'add_request'      => 'do_add_request',
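Review bot: removing the 'viewfile' entry from %comm makes do_viewfile unreachable through the action dispatcher, but nothing in this 92-line patch deletes `sub do_viewfile` itself, so its body stays in wwsympa.fcgi.in as dead code even though the commit message describes the function as removed. For a targeted backport that is acceptable; it is worth confirming that no other path (a direct sub call or a template) still invokes it.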
+@@ -642,6 +641,7 @@ our %required_privileges = (
+     'edit_list'         => ['owner'],
+     'edit_list_request' => ['owner'],
+     'edit_template'     => ['listmaster'],
++    'editfile'             => ['owner', 'listmaster'],
+     'editsubscriber'       => ['owner', 'editor'],
+     'get_closed_lists'     => ['listmaster'],
+     'get_inactive_lists'   => ['listmaster'],
+@@ -669,6 +669,7 @@ our %required_privileges = (
+     'restore_list'             => ['listmaster'],
+     'review_family'            => ['listmaster'],
+     'reviewbouncing'           => ['owner', 'editor'],
++    'savefile'                 => ['owner', 'listmaster'],
+     'search_user'              => ['listmaster'],
+     'serveradmin'              => ['listmaster'],
+     'set_dumpvars'             => ['listmaster'],
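Review bot: the new %required_privileges entries for 'editfile' and 'savefile' (['owner', 'listmaster']) only gate who may reach the two actions at all; they do not decide which file may be touched. The per-file decision still rests on may_edit() returning 'write', which do_savefile checks further down, so these two lines must be read together with that hunk rather than as the authorisation fix on their own. Cosmetically, `'editfile'` is padded to the wider column of the entries below it rather than matching `'edit_template'` directly above.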
+@@ -6582,9 +6583,10 @@ sub do_admin {
+         'message.header', 'remind.tt2',
+         'invite.tt2',     'reject.tt2'
+         ) {
+-        next
+-            unless (
+-            $list->may_edit($f, $param->{'user'}{'email'}) eq 'write');
++        my $fa = ($f eq 'info') ? 'info.file' : $f;
++        my ($role, $right) =
++            $list->may_edit($fa, $param->{'user'}{'email'});
++        next unless $right eq 'write';
+         if ($Sympa::Tools::WWW::filenames{$f}{'gettext_id'}) {
+             $param->{'files'}{$f}{'complete'} =
+                 $language->gettext(
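Review bot: the `($f eq 'info') ? 'info.file' : $f` mapping before may_edit() is written out by hand here, again in do_editfile and again in do_savefile; a small helper (or doing the mapping inside may_edit) would keep the three call sites from drifting, which matters because a mismatch would authorise a file under a different name from the one it is saved under. The switch from `may_edit(...) eq 'write'` to `my ($role, $right) = $list->may_edit(...)` is the substantive part: may_edit evidently returns a (role, right) pair, and the old comparison against 'write' depended on what that list yields in scalar context.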
+@@ -9205,12 +9207,9 @@ sub do_editfile {
+             my $filename_for_auth = $f;
+             $filename_for_auth = 'info.file'
+                 if ($filename_for_auth eq 'info');
+-            next
+-                unless (
+-                $list->may_edit(
+-                    $filename_for_auth, $param->{'user'}{'email'}
+-                ) eq 'write'
+-                );
++            my ($role, $right) = $list->may_edit(
++                    $filename_for_auth, $param->{'user'}{'email'});
++            next unless $right eq 'write';
+             if ($Sympa::Tools::WWW::filenames{$f}{'gettext_id'}) {
+                 $param->{'files'}{$f}{'complete'} =
+                     $language->gettext(
+@@ -9380,10 +9379,21 @@ sub do_savefile {
+ 
+     $param->{'subtitle'} = sprintf $param->{'subtitle'}, $in{'file'};
+ 
++    unless ($in{'file'} and $Sympa::Tools::WWW::filenames{$in{'file'}}) {
++        Sympa::Report::reject_report_web('user', 'file_not_editable',
++            {'file' => $in{'file'}},
++            $param->{'action'});
++        wwslog('info', 'File %s not editable', $in{'file'});
++        return undef;
++    }
++
+     if ($param->{'list'}) {
+-        unless ($list->is_admin('owner', $param->{'user'}{'email'})
+-            or Sympa::is_listmaster($list, $param->{'user'}->{'email'})) {
+-            Sympa::Report::reject_report_web('auth', 'action_owner', {},
++        my $fa = ($in{'file'} eq 'info') ? 'info.file' : $in{'file'};
++        my ($role, $right) =
++            $list->may_edit($fa, $param->{'user'}{'email'});
++        unless ($right eq 'write') {
++            Sympa::Report::reject_report_web('auth', 'edit_right',
++                {'role' => $role, 'right' => $right},
+                 $param->{'action'}, $list);
+             wwslog('err', 'Not allowed');
+             web_db_log(
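Review bot: the allowlist check `unless ($in{'file'} and $Sympa::Tools::WWW::filenames{$in{'file'}})` is what closes the arbitrary-file write: a name must be an existing key of %filenames before any path is built, so a '../' sequence never reaches the filesystem, and because the check sits before `if ($param->{'list'})` it covers the non-list branch too. Two points on the hunk. First, an unknown file name is logged at 'info' ("File %s not editable") while the authorisation failure just below logs "Not allowed" at 'err'; a request naming a file outside the table is the more suspicious of the two and deserves at least the same severity, ideally with the requesting user included. Second, replacing the `is_admin('owner')`/`is_listmaster` test with `$right eq 'write'` from may_edit() is the per-file tightening the commit message describes, but the hunk ends inside the list branch, so the non-list branch's own privilege check is not visible here and should be confirmed separately.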
diff -Nru sympa-6.2.16~dfsg/debian/patches/series sympa-6.2.16~dfsg/debian/patches/series
--- sympa-6.2.16~dfsg/debian/patches/series     2017-02-15 14:43:11.000000000 +0100
+++ sympa-6.2.16~dfsg/debian/patches/series     2018-07-27 19:48:38.000000000 +0200
@@ -2,5 +2,6 @@
 1002_fix_various_typos
 1003_fix_various_log_severity
 1004_make_build_reproducible.patch
+1005_sympa-6.2.24-sa-2018-001.patch
 2001_ca_bundle_check_as_warning.patch
 2002_support_jquery3_using_migrate.patch
