Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi stable release managers,

X-Debbugs-CC'ing Emmanuel Bouthenot.

Sympa in stable is affected by 863631, where on every update of sympa, the values reinjected into the sympa config file were false due to an issue in the shell function used to prefill the debconf questions. This was earlier fixed for buster, but updates within stretch will still have the problem.

Now, there is a security update planned for CVE-2018-1000550 and for the above reason I would include the cherry-picked fix for the above, but would like to get an official ack, given it's not for the security fix.

Attached is the full debdiff as planned right now; only the debian/config part of the diff would be relevant for #863631. Let me know please if you disagree with the approach.

Regards,
Salvatore
diff -Nru sympa-6.2.16~dfsg/debian/changelog sympa-6.2.16~dfsg/debian/changelog --- sympa-6.2.16~dfsg/debian/changelog 2017-03-05 06:56:13.000000000 +0100 +++ sympa-6.2.16~dfsg/debian/changelog 2018-07-27 19:48:38.000000000 +0200 @@ -1,3 +1,18 @@ +sympa (6.2.16~dfsg-3+deb9u1) stretch-security; urgency=high + + * Non-maintainer upload by the Security Team. + + [ Salvatore Bonaccorso ] + * Directory traversal vulnerability (CVE-2018-1000550) + + [ Emmanuel Bouthenot ] + * Fix shell function used to prefill debconf questions from Sympa + configuration file in debian/config. Values reinjected to Sympa config + file were false and led to serious configurations issues. + (Closes: #863631) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 27 Jul 2018 19:48:38 +0200 + sympa (6.2.16~dfsg-3) unstable; urgency=medium * Add dependency on libnet-dns-perl to perform DMARC verifications diff -Nru sympa-6.2.16~dfsg/debian/config sympa-6.2.16~dfsg/debian/config --- sympa-6.2.16~dfsg/debian/config 2016-11-25 10:34:20.000000000 +0100 +++ sympa-6.2.16~dfsg/debian/config 2018-07-27 19:48:38.000000000 +0200 @@ -10,7 +10,7 @@ sympa_conf_get() { key="${1}" if [ -e "${conf}" ]; then - sed -r -n 's/^\s*db_user\s+(.*)$/\1/p' "${conf}" + sed -r -n "s/^\s*${key}\s+(.*)\$/\1/p" "${conf}" fi } diff -Nru sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch --- sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch 1970-01-01 01:00:00.000000000 +0100 +++ sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch 2018-07-27 19:48:38.000000000 +0200 
@@ -0,0 +1,92 @@ +commit deb5aabcd3f215ccf86fc61f36f44ec165b4fc4f +Author: IKEDA Soji <ik...@conversion.co.jp> +Date: Fri Apr 13 17:49:19 2018 +0900 + + [*bug] WWSympa: Multiple bugs on permissions to edit files: + - Owners could view list config files (`info`, templates etc.) even if + edit_list.conf prohibits. Fixed by removing unused function viewfile. + - "Edit list templates" menu lists files prohibited by edit_list.conf. + - Owners and listmasters could create or modify arbitrary files in the + server with privileges of sympa user. + +--- a/src/cgi/wwsympa.fcgi.in ++++ b/src/cgi/wwsympa.fcgi.in +@@ -194,7 +194,6 @@ our %comm = ( + 'firstpasswd' => 'do_firstpasswd', + 'requestpasswd' => 'do_requestpasswd', + 'choosepasswd' => 'do_choosepasswd', +- 'viewfile' => 'do_viewfile', + 'set' => 'do_set', + 'admin' => 'do_admin', + 'add_request' => 'do_add_request', +@@ -642,6 +641,7 @@ our %required_privileges = ( + 'edit_list' => ['owner'], + 'edit_list_request' => ['owner'], + 'edit_template' => ['listmaster'], ++ 'editfile' => ['owner', 'listmaster'], + 'editsubscriber' => ['owner', 'editor'], + 'get_closed_lists' => ['listmaster'], + 'get_inactive_lists' => ['listmaster'], +@@ -669,6 +669,7 @@ our %required_privileges = ( + 'restore_list' => ['listmaster'], + 'review_family' => ['listmaster'], + 'reviewbouncing' => ['owner', 'editor'], ++ 'savefile' => ['owner', 'listmaster'], + 'search_user' => ['listmaster'], + 'serveradmin' => ['listmaster'], + 'set_dumpvars' => ['listmaster'], +@@ -6582,9 +6583,10 @@ sub do_admin { + 'message.header', 'remind.tt2', + 'invite.tt2', 'reject.tt2' + ) { +- next +- unless ( +- $list->may_edit($f, $param->{'user'}{'email'}) eq 'write'); ++ my $fa = ($f eq 'info') ? 
'info.file' : $f; ++ my ($role, $right) = ++ $list->may_edit($fa, $param->{'user'}{'email'}); ++ next unless $right eq 'write'; + if ($Sympa::Tools::WWW::filenames{$f}{'gettext_id'}) { + $param->{'files'}{$f}{'complete'} = + $language->gettext( +@@ -9205,12 +9207,9 @@ sub do_editfile { + my $filename_for_auth = $f; + $filename_for_auth = 'info.file' + if ($filename_for_auth eq 'info'); +- next +- unless ( +- $list->may_edit( +- $filename_for_auth, $param->{'user'}{'email'} +- ) eq 'write' +- ); ++ my ($role, $right) = $list->may_edit( ++ $filename_for_auth, $param->{'user'}{'email'}); ++ next unless $right eq 'write'; + if ($Sympa::Tools::WWW::filenames{$f}{'gettext_id'}) { + $param->{'files'}{$f}{'complete'} = + $language->gettext( +@@ -9380,10 +9379,21 @@ sub do_savefile { + + $param->{'subtitle'} = sprintf $param->{'subtitle'}, $in{'file'}; + ++ unless ($in{'file'} and $Sympa::Tools::WWW::filenames{$in{'file'}}) { ++ Sympa::Report::reject_report_web('user', 'file_not_editable', ++ {'file' => $in{'file'}}, ++ $param->{'action'}); ++ wwslog('info', 'File %s not editable', $in{'file'}); ++ return undef; ++ } ++ + if ($param->{'list'}) { +- unless ($list->is_admin('owner', $param->{'user'}{'email'}) +- or Sympa::is_listmaster($list, $param->{'user'}->{'email'})) { +- Sympa::Report::reject_report_web('auth', 'action_owner', {}, ++ my $fa = ($in{'file'} eq 'info') ? 'info.file' : $in{'file'}; ++ my ($role, $right) = ++ $list->may_edit($fa, $param->{'user'}{'email'}); ++ unless ($right eq 'write') { ++ Sympa::Report::reject_report_web('auth', 'edit_right', ++ {'role' => $role, 'right' => $right}, + $param->{'action'}, $list); + wwslog('err', 'Not allowed'); + web_db_log( diff -Nru sympa-6.2.16~dfsg/debian/patches/series sympa-6.2.16~dfsg/debian/patches/series --- sympa-6.2.16~dfsg/debian/patches/series 2017-02-15 14:43:11.000000000 +0100 +++ sympa-6.2.16~dfsg/debian/patches/series 2018-07-27 19:48:38.000000000 +0200 
@@ -2,5 +2,6 @@ 1002_fix_various_typos 1003_fix_various_log_severity 1004_make_build_reproducible.patch +1005_sympa-6.2.24-sa-2018-001.patch 2001_ca_bundle_check_as_warning.patch 2002_support_jquery3_using_migrate.patch
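Review bot: the debian/changelog entry for CVE-2018-1000550 gives no pointer to where the fix was taken from; citing the upstream commit deb5aabcd3f215ccf86fc61f36f44ec165b4fc4f (already in the patch header) or the 6.2.24 / sa-2018-001 reference next to "Directory traversal vulnerability (CVE-2018-1000550)" would make the backport easier to audit against upstream later.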
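Review bot: the debian/config hunk is the right fix for #863631: the old line hardcoded `db_user` inside single quotes, so `${key}` was never substituted and every `sympa_conf_get` call returned the db_user value regardless of the key asked for. With the new line `${key}` is interpolated unescaped into a sed regex, which is fine for the fixed configuration key names this script passes but would misbehave for any key containing regex metacharacters such as `.`; the `\$` keeps the end-of-line anchor literal under double quotes, and `\s` remains a GNU sed extension, as before.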
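Review bot: in the added 1005_sympa-6.2.24-sa-2018-001.patch the core of the traversal fix is the new `do_savefile` block that rejects any `$in{'file'}` not present in `%Sympa::Tools::WWW::filenames` before any list or permission check runs, so the file name written to is no longer taken freely from the request; it is worth confirming in the 6.2.16 tree that every key of that hash is a bare file name with no path components, since the whitelist is only as tight as that table. Minor style point: `$role` is unpacked but unused in the `do_admin` and `do_editfile` hunks (`my ($role, $right) = $list->may_edit(...)`); only `do_savefile` passes it to `reject_report_web`.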
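Review bot: the debian/patches/series hunk applies the new patch after 1004_make_build_reproducible.patch and before the 2001_/2002_ entries, and the file name records that it comes from 6.2.24; adding DEP-3 style Origin and Bug headers at the top of the patch file itself would carry the same provenance for anyone reading the patch without the series file.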