Bug#972114: sympa: CVE-2020-26880

2021-01-05 Thread Sylvain Beucler

Hi,

Following user questions, here's my understanding of the current situation:

- The issue is partially fixed in Debian by optionally not setting the
  setuid permissions (debconf question), and setting 'aliases_program' to
  a method that does not require root (postmap/postalias for Postfix,
  /bin/true for Exim4, etc.).

- Likewise, the issue is partially fixed in upstream dev through
  ./configure --disable-setuid_newaliases --disable-setuid

- The issue will be completely fixed once all MTAs are supported, in
  particular sendmail, which requires calling 'newaliases' as root. This
  could be done e.g. by setuid-wrapping not sympa but just the 'newaliases'
  command, or by dropping support for root 'newaliases' entirely.

- Upstream tracks this issue at
  https://github.com/sympa-community/sympa/issues/1009
  Discuss the issue there in priority.

Cheers!
Sylvain
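An added audit example, not code from this thread or from Sympa, for the pattern discussed in this message and in the 2020-11-05 exchange below: a setuid wrapper whose configuration file can be changed by a less-privileged account, and the mitigation of dropping the setuid bit. The file names are assumptions, and the demo builds its own temporary files rather than touching a real install.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Sympa): audit the pattern
# behind CVE-2020-26880, a setuid helper that parses a config file an
# unprivileged account can edit. Paths are assumptions; uses GNU stat (Debian).

# Print the numeric owner uid of a file.
owner_uid() { stat -c '%u' "$1"; }

# Report whether WRAPPER (e.g. sympa_newaliases-wrapper) is setuid and
# CONFIG (e.g. sympa.conf) can be changed by someone other than the
# account the wrapper runs as. Prints exactly one of:
#   not-setuid       no setuid bit: the wrapper runs as its caller
#   exposed          setuid wrapper, config writable by another account
#   setuid-hardened  setuid wrapper, config writable only by its owner
audit_setuid_config() {
    wrapper=$1 config=$2
    [ -u "$wrapper" ] || { echo not-setuid; return 0; }
    wuid=$(owner_uid "$wrapper")
    cuid=$(owner_uid "$config")
    # A different owner, or group/other write bits (022), means a lower-
    # privileged account can feed the setuid program its configuration.
    if [ "$wuid" != "$cuid" ] || [ $(( 0$(stat -c '%a' "$config") & 022 )) -ne 0 ]; then
        echo exposed
    else
        echo setuid-hardened
    fi
    return 0
}

# Mitigation described in the thread: clear the setuid bit so the wrapper
# runs as the caller; pair it with an 'aliases_program' that needs no root
# (postalias for Postfix, /bin/true for Exim4, ...).
drop_setuid() { chmod u-s "$1"; }

# Demo on constructed temporary files (no real Sympa install needed).
demo() {
    d=$(mktemp -d)
    : > "$d/sympa_newaliases-wrapper"; chmod 4755 "$d/sympa_newaliases-wrapper"
    : > "$d/sympa.conf"; chmod 664 "$d/sympa.conf"   # group-writable config
    audit_setuid_config "$d/sympa_newaliases-wrapper" "$d/sympa.conf"
    drop_setuid "$d/sympa_newaliases-wrapper"
    audit_setuid_config "$d/sympa_newaliases-wrapper" "$d/sympa.conf"
    rm -rf "$d"
}
demo
```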



Bug#972114: sympa: CVE-2020-26880

2020-11-07 Thread Sylvain Beucler

Hi Stefan,

On 05/11/2020 15:29, Stefan Hornburg (Racke) wrote:
> On 11/5/20 3:19 PM, Sylvain Beucler wrote:
>> @racke, following your work at
>> https://github.com/sympa-community/sympa/pull/1015
>> it seems we'd need a new debconf question to ask the user whether they want the
>> setuid wrapper to be activated or not.
>
> Yes, good idea. But it would make sense to add some more documentation and
> maybe we can also ask about the mail server
> in use. E.g. with Exim you don't need to run the alias command at all.


I implemented conditional setuid for sympa_newaliases-wrapper at
https://salsa.debian.org/sympa-team/sympa/-/merge_requests/2
explaining the situation in the debconf question as well as pointing to 
'aliases_program'.


Let me know if that's OK with you and I'll backport it for stretch.

Cheers!
Sylvain Beucler
Debian LTS Team



Bug#972114: sympa: CVE-2020-26880

2020-11-05 Thread Stefan Hornburg (Racke)
On 11/5/20 3:19 PM, Sylvain Beucler wrote:
> Hi,
> 
> @racke, following your work at
> https://github.com/sympa-community/sympa/pull/1015
> it seems we'd need a new debconf question to ask the user whether they want 
> the setuid wrapper to be activated or not.
> 

Yes, good idea. But it would make sense to add some more documentation and 
maybe we can also ask about the mail server
in use. E.g. with Exim you don't need to run the alias command at all.

> This could be added even before the pull request is merged I think, as toggling 
> the setuid bit on the wrapper is equivalent
> to introducing 'alias_wrapper' + setting it to 'off' + removing the wrapper 
> (IIUC).
> 

My plan was to release 6.2.58 with that patch, as it is a no-op unless you turn 
alias_wrapper off.

Regards
Racke

> What do you think?
> 
> If you're OK with this direction I can provide a patch, which I'll probably 
> backport to stretch to mitigate this
> vulnerability
> (aka fix it for every MTA but sendmail AFAICS)
> 
> Cheers!
> Sylvain Beucler
> Debian LTS Team
> 


-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.




Bug#972114: sympa: CVE-2020-26880

2020-11-05 Thread Sylvain Beucler

Hi,

@racke, following your work at
https://github.com/sympa-community/sympa/pull/1015
it seems we'd need a new debconf question to ask the user whether they 
want the setuid wrapper to be activated or not.


This could be added even before the pull request is merged I think, as 
toggling the setuid bit on the wrapper is equivalent to introducing 
'alias_wrapper' + setting it to 'off' + removing the wrapper (IIUC).


What do you think?

If you're OK with this direction I can provide a patch, which I'll 
probably backport to stretch to mitigate this vulnerability

(aka fix it for every MTA but sendmail AFAICS)

Cheers!
Sylvain Beucler
Debian LTS Team



Bug#972114: sympa: CVE-2020-26880

2020-10-12 Thread Salvatore Bonaccorso
Source: sympa
Version: 6.2.40~dfsg-7
Severity: important
Tags: security upstream
Forwarded: https://github.com/sympa-community/sympa/issues/1009
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for sympa, but this is
mainly for having a tracking bug in Debian.

CVE-2020-26880[0]:
| Sympa through 6.2.57b.2 allows a local privilege escalation from the
| sympa user account to full root access by modifying the sympa.conf
| configuration file (which is owned by sympa) and parsing it through
| the setuid sympa_newaliases-wrapper executable.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26880
[1] https://github.com/sympa-community/sympa/issues/1009

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore