Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

2020-11-06 Thread Sylvain Beucler

Hi,

From what I understand the FCGI wrapper was used as CGI through e.g. 
fcgiwrap, and upstream recommended to switch to fcgi-spawn following 
https://sympa-community.github.io/manual/install/configure-http-server-spawnfcgi.html


Carsten agreed and suggested we add a note about this in the Debian 
documentation, so I plan to add a note in README.Debian or NEWS.Debian.

https://github.com/sympa-community/sympa/issues/1020#issuecomment-710763168

Given there were no other reports I believe this addresses the issue.

Cheers!
Sylvain Beucler
Debian LTS Team



Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

2020-10-15 Thread Holger Levsen
Hi,

On Thu, Oct 15, 2020 at 10:20:14AM +0200, Sylvain Beucler wrote:
> For reasons stated in dla-needed.txt, and more importantly for reasons
> mentioned internally (see elts-git or Holger), I can't dedicate more
> time this month.

Sylvain, thanks for being explicit! (and still giving it a quick look!)

Someone else: please step in. (and document so in dla-needed.txt and the bts.)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Stop saying that we are all in the same boat.
We’re all in the same storm.
But we’re not all in the same boat.




Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

2020-10-15 Thread Sylvain Beucler
Hi,

Thank you both for notifying me.

For reasons stated in dla-needed.txt, and more importantly for reasons
mentioned internally (see elts-git or Holger), I can't dedicate more
time this month.

From a quick look:

- the patch for older versions is the same besides the copyright notices.

- I'm not sure why the FCGI wrapper (which is daemonized and
multi-requests) would need to query its environment for REMOTE_ADDR
(which changes with each request and is normally sent to the FCGI daemon
through its socket), Carsten may need to provide additional details
and/or check https://github.com/sympa-community/sympa/issues/1020 for
work-arounds.

Cheers!
Sylvain
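
As an added illustration of the point above (example code, not the Debian patch or Sympa's own wrapper): a setuid wrapper can discard the caller's environment and still pass through the CGI meta-variables the web server sets per request, so the same binary works as a one-shot CGI behind fcgiwrap and as a FastCGI daemon, where those values arrive over the socket instead. The allowlist (RFC 3875 names plus the HTTP_ and SERVER_ prefixes) and the MAX_ENV capacity are this example's own assumptions.

```c
/* Added example, not the Debian patch or Sympa's wrapper: build the minimal environment
 * a setuid CGI/FastCGI wrapper hands to execve(), keeping only the CGI meta-variables the
 * web server sets per request so LD_PRELOAD, PERL5LIB etc. are dropped without breaking CGI mode. */
#include <string.h>

#define MAX_ENV 64  /* assumed capacity of the rebuilt environment */

/* Exact CGI meta-variable names (RFC 3875) that may pass through. */
static const char *const allow_exact[] = {
    "REMOTE_ADDR", "REMOTE_PORT", "REQUEST_METHOD", "QUERY_STRING", "CONTENT_TYPE",
    "CONTENT_LENGTH", "SCRIPT_NAME", "SCRIPT_FILENAME", "PATH_INFO", "REQUEST_URI",
    "DOCUMENT_ROOT", "HTTPS", NULL
};
/* Prefixes for client headers and server-supplied variables. */
static const char *const allow_prefix[] = { "HTTP_", "SERVER_", NULL };

/* Returns 1 if the "NAME=value" entry is on the allowlist, 0 otherwise. */
int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;
    size_t n = (size_t)(eq - entry);
    /* A client-supplied Proxy: header must not become HTTP_PROXY ("httpoxy"). */
    if (n == 10 && strncmp(entry, "HTTP_PROXY", n) == 0) return 0;
    for (int i = 0; allow_exact[i]; i++)
        if (strlen(allow_exact[i]) == n && strncmp(entry, allow_exact[i], n) == 0)
            return 1;
    for (int i = 0; allow_prefix[i]; i++)
        if (strncmp(entry, allow_prefix[i], strlen(allow_prefix[i])) == 0)
            return 1;
    return 0;
}

/* Fills out[] (capacity MAX_ENV, NULL-terminated) with the fixed IFS and PATH from
 * the +deb9u3 hunk plus the allowlisted entries of in[], in their original order.
 * Returns the number of entries, or -1 if out[] would overflow. */
int build_cgi_env(char *const *in, char **out)
{
    int n = 0;
    out[n++] = "IFS= \t\n";
    out[n++] = "PATH=/bin:/usr/bin";
    for (; *in; in++) {
        if (!env_allowed(*in)) continue;
        if (n >= MAX_ENV - 1) return -1;   /* leave room for the terminating NULL */
        out[n++] = *in;
    }
    out[n] = NULL;
    return n;
}
```

When the wrapper is started as a FastCGI daemon the per-request variables are not in envp at all, so the result reduces to the fixed IFS and PATH of the +deb9u3 hunk.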



Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

2020-10-14 Thread Chris Lamb
[adding b...@debian.org to CC]

Hi Carsten,

> since applying the security update from 6.2.16~dfsg-3+deb9u2 to
> 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
> i.e. the web server reports

Thanks for the report. I've added Sylvain Beucler (my colleague who
prepared +deb9u3) as they will likely be best placed to address this.

Apologies, Sylvain, if you already saw this bug.


--
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org 🍥 chris-lamb.co.uk
   `-



Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

2020-10-14 Thread Stefan Hornburg (Racke)
On 10/14/20 8:02 AM, Carsten Aulbert wrote:
> Package: sympa
> Version: 6.2.16~dfsg-3+deb9u3
> Severity: important
> 
> Dear Maintainer(s),
> 
> since applying the security update from 6.2.16~dfsg-3+deb9u2 to
> 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
> i.e. the web server reports
> 
> 2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr:
> "Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406.
> Use of uninitialized value $remote_addr in string ne at
> /usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream,
> client: 192.168.100.2, server: lists.welcomes-you.com, request: "POST /sympa
> HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host:
> "FQDN", referrer: "https://FQDN/sympa"
> 
> My configuration may be a bit "nasty" and may contribute here:
> 
> The external https access to sympa is TLS terminated by nginx acting as
> a reverse proxy which then sends the requests via a virtual bridge to
> the container where sympa is running.
> 
> After comparing the changes between u2 and u3 I fear this change here
> 
> char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
> [..]
> -return execve(WWSYMPA,argv,envp);
> +return execve(WWSYMPA, argv, myenvp);
> 
> to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'}
> not to be set and thus session handling will not work anymore.
> 
> Cheers
> 
> Carsten

Comment from upstream:

Anyways the patch assumes that CGI mode has been deprecated. It is incompatible
with CGI mode supported by earlier version of Sympa.

https://github.com/sympa-community/sympa/issues/1020#issuecomment-708223858

Regards
Racke


Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

2020-10-14 Thread Stefan Hornburg (Racke)
On 10/14/20 8:02 AM, Carsten Aulbert wrote:
> Package: sympa
> Version: 6.2.16~dfsg-3+deb9u3
> Severity: important
> 
> Dear Maintainer(s),
> 
> since applying the security update from 6.2.16~dfsg-3+deb9u2 to
> 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
> i.e. the web server reports
> 
> 2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr:
> "Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406.
> Use of uninitialized value $remote_addr in string ne at
> /usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream,
> client: 192.168.100.2, server: lists.welcomes-you.com, request: "POST /sympa
> HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host:
> "FQDN", referrer: "https://FQDN/sympa"
> 
> My configuration may be a bit "nasty" and may contribute here:
> 
> The external https access to sympa is TLS terminated by nginx acting as
> a reverse proxy which then sends the requests via a virtual bridge to
> the container where sympa is running.
> 
> After comparing the changes between u2 and u3 I fear this change here
> 
> char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
> [..]
> -return execve(WWSYMPA,argv,envp);
> +return execve(WWSYMPA, argv, myenvp);
> 
> to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'}
> not to be set and thus session handling will not work anymore.
> 
> Cheers
> 
> Carsten

Looks like the attached patch is the correct one for older Sympa versions.

Regards
Racke


Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables

2020-10-13 Thread Carsten Aulbert
Package: sympa
Version: 6.2.16~dfsg-3+deb9u3
Severity: important

Dear Maintainer(s),

since applying the security update from 6.2.16~dfsg-3+deb9u2 to
6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
i.e. the web server reports

2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr:
"Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406.
Use of uninitialized value $remote_addr in string ne at
/usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream,
client: 192.168.100.2, server: lists.welcomes-you.com, request: "POST /sympa
HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host:
"FQDN", referrer: "https://FQDN/sympa"

My configuration may be a bit "nasty" and may contribute here:

The external https access to sympa is TLS terminated by nginx acting as
a reverse proxy which then sends the requests via a virtual bridge to
the container where sympa is running.

After comparing the changes between u2 and u3 I fear this change here

char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
[..]
-return execve(WWSYMPA,argv,envp);
+return execve(WWSYMPA, argv, myenvp);
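
Review bot: passing myenvp instead of envp to execve() drops every variable the web server placed in the environment, not only the unsafe ones, so when the wrapper is invoked as a plain CGI (as via the fcgiwrap socket in the log above) REMOTE_ADDR and the other CGI meta-variables never reach the WWSYMPA program, which is exactly what the uninitialized $remote_addr warnings from Session.pm line 406 indicate. If CGI mode is still meant to work, the hunk should copy the CGI meta-variables (REMOTE_ADDR, REQUEST_METHOD, QUERY_STRING, HTTP_*, ...) from envp into the new array next to IFS and PATH rather than replacing the environment wholesale; if only FastCGI mode is supported, where these values arrive per request over the socket, that needs stating in the package documentation.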

to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'}
not to be set and thus session handling will not work anymore.

Cheers

Carsten

-- System Information:
Debian Release: 9.13
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sympa depends on:
ii  adduser                           3.115
ii  ca-certificates                   20200601~deb9u1
ii  dbconfig-common                   2.0.8
ii  debconf [debconf-2.0]             1.5.61
ii  fonts-font-awesome                4.7.0~dfsg-1
ii  init-system-helpers               1.48
ii  libarchive-zip-perl               1.59-1+deb9u1
ii  libc6                             2.24-11+deb9u4
ii  libcgi-fast-perl                  1:2.12-1
ii  libcgi-pm-perl                    4.35-1
ii  libclass-singleton-perl           1.5-1
ii  libcrypt-openssl-x509-perl        1.8.7-3
ii  libcrypt-smime-perl               0.19-2
ii  libdatetime-format-mail-perl      0.4030-1
ii  libdbd-csv-perl                   0.4900-1
ii  libdbd-mysql-perl                 4.041-2
ii  libdbd-pg-perl                    3.5.3-1+b2
ii  libdbd-sqlite3-perl               1.54-1
ii  libdbi-perl                       1.636-1+deb9u1
ii  libfcgi-perl                      0.78-2
ii  libfile-copy-recursive-perl       0.38-1
ii  libfile-nfslock-perl              1.27-1
ii  libhtml-format-perl               2.12-1
ii  libhtml-stripscripts-parser-perl  1.03-1
ii  libhtml-tree-perl                 5.03-2
ii  libintl-perl                      1.26-2
ii  libio-stringy-perl                2.111-2
ii  libjs-jquery                      3.1.1-2+deb9u1
ii  libjs-jquery-migrate-1            1.4.1-1
ii  libjs-jquery-placeholder          2.3.1-2
ii  libjs-jquery-ui                   1.12.1+dfsg-4
ii  libjs-modernizr                   2.6.2+ds1-1
ii  libjs-twitter-bootstrap           2.0.2+dfsg-10
ii  libmail-dkim-perl                 0.40-1
ii  libmailtools-perl                 2.18-1
ii  libmime-charset-perl              1.012-2
ii  libmime-encwords-perl             1.014.3-2
ii  libmime-lite-html-perl            1.24-2
ii  libmime-tools-perl                5.508-1
ii  libmsgcat-perl                    1.03-6+b3
ii  libnet-cidr-perl                  0.18-1
ii  libnet-dns-perl                   1.07-1
ii  libnet-ldap-perl                  1:0.6500+dfsg-1
ii  libnet-netmask-perl               1.9022-1
ii  libregexp-common-perl             2016060801-1
ii  libsoap-lite-perl                 1.20-1
ii  libtemplate-perl                  2.24-1.2+b3
ii  libterm-progressbar-perl          2.18-1
ii  libunicode-linebreak-perl         0.0.20160702-1+b1
ii  libxml-libxml-perl                2.0128+dfsg-1+deb9u1
ii  lsb-base                          9.20161125
ii  mhonarc                           2.6.19-2
ii  perl                              5.24.1-3+deb9u7
ii  postfix [mail-transport-agent]    3.1.15-0+deb9u1
ii  rsyslog [system-log-daemon]       8.24.0-1
ii  sqlite3                           3.16.2-5+deb9u2

Versions of packages sympa recommends:
pn  apache2-suexec
pn  default-mysql-server | postgresql
pn  doc-base
pn  libapache2-mod-fcgid
pn  libcrypt-ciphersaber-perl
ii  libio-socket-ssl-perl             2.044-1
ii  locales                           2.24-11+deb9u4
ii  logrotate                         3.11.0-0.1

Versions of packages sympa suggests:
pn  libauthcas-perl
pn  libdbd-odbc-perl
pn  libdbd-oracle-perl
ii  nginx-light [httpd-cgi]           1.10.3-1+deb9u5

-- debconf informa