Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
Hi,

From what I understand the FCGI wrapper was used as CGI through e.g. fcgiwrap, and upstream recommended to switch to fcgi-spawn following
https://sympa-community.github.io/manual/install/configure-http-server-spawnfcgi.html

Carsten agreed and suggested we add a note about this in the Debian documentation, so I plan to add a note in README.Debian or NEWS.Debian.
https://github.com/sympa-community/sympa/issues/1020#issuecomment-710763168

Given there were no other reports I believe this addresses the issue.

Cheers!
Sylvain Beucler
Debian LTS Team
Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
Hi,

On Thu, Oct 15, 2020 at 10:20:14AM +0200, Sylvain Beucler wrote:
> For reasons stated in dla-needed.txt, and more importantly for reasons
> mentioned internally (see elts-git or Holger), I can't dedicate more
> time this month.

Sylvain, thanks for being explicit! (and still giving it a quick look!)

Someone else: please step in. (and document so in dla-needed.txt and the bts.)

--
cheers,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Stop saying that we are all in the same boat. We're all in the same storm. But we're not all in the same boat.
Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
Hi,

Thank you both for notifying me.

For reasons stated in dla-needed.txt, and more importantly for reasons mentioned internally (see elts-git or Holger), I can't dedicate more time this month.

From a quick look:

- the patch for older versions is the same besides the copyright notices.

- I'm not sure why the FCGI wrapper (which is daemonized and multi-requests) would need to query its environment for REMOTE_ADDR (which changes with each request and is normally sent to the FCGI daemon through its socket), Carsten may need to provide additional details and/or check https://github.com/sympa-community/sympa/issues/1020 for work-arounds.

Cheers!
Sylvain
Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
[adding b...@debian.org to CC]

Hi Carsten,

> since applying the security update from 6.2.16~dfsg-3+deb9u2 to
> 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
> i.e. the web server reports

Thanks for the report. I've added Sylvain Beucler (my colleague who prepared +deb9u3) as they will likely be best placed to address this.

Apologies, Sylvain, if you already saw this bug.

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥  chris-lamb.co.uk
       `-
Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
On 10/14/20 8:02 AM, Carsten Aulbert wrote:
> Package: sympa
> Version: 6.2.16~dfsg-3+deb9u3
> Severity: important
>
> Dear Maintainer(s),
>
> since applying the security update from 6.2.16~dfsg-3+deb9u2 to
> 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
> i.e. the web server reports
>
> 2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr:
> "Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406.
> Use of uninitialized value $remote_addr in string ne at
> /usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream,
> client: 192.168.100.2, server: lists.welcomes-you.com, request: "POST /sympa
> HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host:
> "FQDN", referrer: "https://FQDN/sympa";
>
> My configuration may be a bit "nasty" and may contribute here:
>
> The external https access to sympa is TLS terminated by nginx acting as
> a reverse proxy which then sends the requests via a virtual bridge to
> the container where sympa is running.
>
> After comparing the changes between u2 and u3 I fear this change here
>
> char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
> [..]
> -return execve(WWSYMPA,argv,envp);
> +return execve(WWSYMPA, argv, myenvp);
>
> to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'}
> not to be set and thus session handling will not work anymore.
>
> Cheers
>
> Carsten

Comment from upstream:

Anyways the patch assumes that CGI mode has been deprecated. It is incompatible with CGI mode supported by earlier version of Sympa.

https://github.com/sympa-community/sympa/issues/1020#issuecomment-708223858

Regards
Racke
Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
On 10/14/20 8:02 AM, Carsten Aulbert wrote:
> Package: sympa
> Version: 6.2.16~dfsg-3+deb9u3
> Severity: important
>
> Dear Maintainer(s),
>
> since applying the security update from 6.2.16~dfsg-3+deb9u2 to
> 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
> i.e. the web server reports
>
> 2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr:
> "Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406.
> Use of uninitialized value $remote_addr in string ne at
> /usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream,
> client: 192.168.100.2, server: lists.welcomes-you.com, request: "POST /sympa
> HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host:
> "FQDN", referrer: "https://FQDN/sympa";
>
> My configuration may be a bit "nasty" and may contribute here:
>
> The external https access to sympa is TLS terminated by nginx acting as
> a reverse proxy which then sends the requests via a virtual bridge to
> the container where sympa is running.
>
> After comparing the changes between u2 and u3 I fear this change here
>
> char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
> [..]
> -return execve(WWSYMPA,argv,envp);
> +return execve(WWSYMPA, argv, myenvp);
>
> to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'}
> not to be set and thus session handling will not work anymore.
>
> Cheers
>
> Carsten

Looks like the attached patch is the correct one for older Sympa versions.

Regards
Racke
Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
Package: sympa
Version: 6.2.16~dfsg-3+deb9u3
Severity: important

Dear Maintainer(s),

since applying the security update from 6.2.16~dfsg-3+deb9u2 to 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling, i.e. the web server reports

2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr: "Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406.
Use of uninitialized value $remote_addr in string ne at /usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream, client: 192.168.100.2, server: lists.welcomes-you.com, request: "POST /sympa HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host: "FQDN", referrer: "https://FQDN/sympa";

My configuration may be a bit "nasty" and may contribute here:

The external https access to sympa is TLS terminated by nginx acting as a reverse proxy which then sends the requests via a virtual bridge to the container where sympa is running.

After comparing the changes between u2 and u3 I fear this change here

char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
[..]
-return execve(WWSYMPA,argv,envp);
+return execve(WWSYMPA, argv, myenvp);

to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'} not to be set and thus session handling will not work anymore.
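Review bot: swapping envp for the fixed two-entry myenvp in the execve() call drops every inherited variable, not only the dangerous ones, so when the wrapper runs in CGI mode (the fcgiwrap socket in the nginx log above) REMOTE_ADDR and the other CGI meta-variables never reach wwsympa, and Session.pm line 406 compares an undefined $remote_addr. If CGI mode is still meant to work, the wrapper should copy an explicit allow-list of CGI meta-variables (REMOTE_ADDR among them) into the new environment next to the fixed IFS and PATH entries; if CGI mode is considered deprecated, as the upstream comment in this thread says the patch assumes, the update needs a NEWS.Debian entry telling fcgiwrap users to move to a FastCGI spawner, since the failure only shows up at runtime as this warning.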
Cheers

Carsten

-- System Information:
Debian Release: 9.13
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sympa depends on:
ii  adduser                           3.115
ii  ca-certificates                   20200601~deb9u1
ii  dbconfig-common                   2.0.8
ii  debconf [debconf-2.0]             1.5.61
ii  fonts-font-awesome                4.7.0~dfsg-1
ii  init-system-helpers               1.48
ii  libarchive-zip-perl               1.59-1+deb9u1
ii  libc6                             2.24-11+deb9u4
ii  libcgi-fast-perl                  1:2.12-1
ii  libcgi-pm-perl                    4.35-1
ii  libclass-singleton-perl           1.5-1
ii  libcrypt-openssl-x509-perl        1.8.7-3
ii  libcrypt-smime-perl               0.19-2
ii  libdatetime-format-mail-perl      0.4030-1
ii  libdbd-csv-perl                   0.4900-1
ii  libdbd-mysql-perl                 4.041-2
ii  libdbd-pg-perl                    3.5.3-1+b2
ii  libdbd-sqlite3-perl               1.54-1
ii  libdbi-perl                       1.636-1+deb9u1
ii  libfcgi-perl                      0.78-2
ii  libfile-copy-recursive-perl       0.38-1
ii  libfile-nfslock-perl              1.27-1
ii  libhtml-format-perl               2.12-1
ii  libhtml-stripscripts-parser-perl  1.03-1
ii  libhtml-tree-perl                 5.03-2
ii  libintl-perl                      1.26-2
ii  libio-stringy-perl                2.111-2
ii  libjs-jquery                      3.1.1-2+deb9u1
ii  libjs-jquery-migrate-1            1.4.1-1
ii  libjs-jquery-placeholder          2.3.1-2
ii  libjs-jquery-ui                   1.12.1+dfsg-4
ii  libjs-modernizr                   2.6.2+ds1-1
ii  libjs-twitter-bootstrap           2.0.2+dfsg-10
ii  libmail-dkim-perl                 0.40-1
ii  libmailtools-perl                 2.18-1
ii  libmime-charset-perl              1.012-2
ii  libmime-encwords-perl             1.014.3-2
ii  libmime-lite-html-perl            1.24-2
ii  libmime-tools-perl                5.508-1
ii  libmsgcat-perl                    1.03-6+b3
ii  libnet-cidr-perl                  0.18-1
ii  libnet-dns-perl                   1.07-1
ii  libnet-ldap-perl                  1:0.6500+dfsg-1
ii  libnet-netmask-perl               1.9022-1
ii  libregexp-common-perl             2016060801-1
ii  libsoap-lite-perl                 1.20-1
ii  libtemplate-perl                  2.24-1.2+b3
ii  libterm-progressbar-perl          2.18-1
ii  libunicode-linebreak-perl         0.0.20160702-1+b1
ii  libxml-libxml-perl                2.0128+dfsg-1+deb9u1
ii  lsb-base                          9.20161125
ii  mhonarc                           2.6.19-2
ii  perl                              5.24.1-3+deb9u7
ii  postfix [mail-transport-agent]    3.1.15-0+deb9u1
ii  rsyslog [system-log-daemon]       8.24.0-1
ii  sqlite3                           3.16.2-5+deb9u2

Versions of packages sympa recommends:
pn  apache2-suexec                    <none>
pn  default-mysql-server | postgresql <none>
pn  doc-base                          <none>
pn  libapache2-mod-fcgid              <none>
pn  libcrypt-ciphersaber-perl         <none>
ii  libio-socket-ssl-perl             2.044-1
ii  locales                           2.24-11+deb9u4
ii  logrotate                         3.11.0-0.1

Versions of packages sympa suggests:
pn  libauthcas-perl                   <none>
pn  libdbd-odbc-perl                  <none>
pn  libdbd-oracle-perl                <none>
ii  nginx-light [httpd-cgi]           1.10.3-1+deb9u5

-- debconf informa
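The regression reported above, and Sylvain's remark that a FastCGI daemon receives REMOTE_ADDR per request over its socket, both come down to where request metadata travels: in CGI mode it arrives in the process environment, so a wrapper that replaces its inherited environment with a fixed two-entry array silently discards it. The following is an added example (not Sympa's, Debian's or any participant's code) of the allow-list alternative a reviewer would ask for: keep the fixed IFS and PATH entries, forward only named CGI meta-variables, and drop everything else (PERL5LIB, LD_*, a caller-supplied PATH or IFS). The allow-list, the function names and the sample environment are assumptions made for this illustration. The caveat from the thread still stands: in CGI mode the wrapper has to trust whoever invoked it to have set REMOTE_ADDR honestly, which is part of why upstream points fcgiwrap users to a real FastCGI spawner.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Sympa's wrapper: build a filtered environment for a
 * privileged CGI/FastCGI wrapper instead of the fixed myenvp[] from the
 * thread. Fixed IFS and PATH are kept; request variables are forwarded only
 * if their name is on an explicit allow-list (an assumption for the example). */

/* Assumed allow-list of CGI meta-variable names. Matching is exact, so
 * PERL5LIB, LD_LIBRARY_PATH or a caller-supplied PATH never get through. */
static const char *const allowed_names[] = {
    "REMOTE_ADDR", "REMOTE_PORT", "REQUEST_METHOD", "REQUEST_URI",
    "QUERY_STRING", "SCRIPT_NAME", "PATH_INFO", "CONTENT_TYPE",
    "CONTENT_LENGTH", "SERVER_NAME", "SERVER_PORT", "HTTPS",
    "HTTP_HOST", "HTTP_COOKIE", "HTTP_USER_AGENT", NULL
};

/* The two entries the Debian patch sets unconditionally. */
static const char *const fixed_env[] = { "IFS= \t\n", "PATH=/bin:/usr/bin" };

/* Return 1 if "NAME=value" has NAME on the allow-list, else 0.
 * Entries without '=' are malformed and are dropped. */
static int name_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; allowed_names[i] != NULL; i++) {
        if (strlen(allowed_names[i]) == len &&
            strncmp(allowed_names[i], entry, len) == 0)
            return 1;
    }
    return 0;
}

/* Fill out[] (capacity out_cap, NULL terminator included) with the fixed
 * entries followed by the allowed entries of in_envp in their original order.
 * Returns the number of entries written, or -1 if out[] is too small. */
int build_safe_env(char *const in_envp[], const char *out[], size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof fixed_env / sizeof fixed_env[0]; i++) {
        if (n + 1 >= out_cap)
            return -1;
        out[n++] = fixed_env[i];
    }
    for (size_t i = 0; in_envp[i] != NULL; i++) {
        if (!name_allowed(in_envp[i]))
            continue;
        if (n + 1 >= out_cap)
            return -1;
        out[n++] = in_envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample environment: what a CGI server would pass, mixed with
 * variables the caller of a set-id wrapper must not be able to inject. */
static char *const sample_env[] = {
    "REMOTE_ADDR=192.0.2.10",
    "REQUEST_METHOD=POST",
    "PERL5LIB=/tmp/lib",
    "LD_LIBRARY_PATH=/tmp/lib",
    "PATH=/tmp:/bin",
    "IFS=/",
    "HTTP_HOST=lists.example",
    NULL
};

static const char *demo_out[16];

/* Run the filter over the sample; returns the entry count (see demo_entry). */
int demo_filter(void)
{
    return build_safe_env(sample_env, demo_out,
                          sizeof demo_out / sizeof demo_out[0]);
}

/* Entry i of the last demo_filter() result (NULL past the end). */
const char *demo_entry(size_t i)
{
    return demo_out[i];
}

int main(void)
{
    int n = demo_filter();
    for (int i = 0; i < n; i++)
        printf("%s\n", demo_entry((size_t)i));
    /* A real wrapper would now execve(WWSYMPA, argv, (char *const *)demo_out). */
    return n < 0;
}
```

Running it prints the two fixed entries followed by REMOTE_ADDR, REQUEST_METHOD and HTTP_HOST; the four injected variables are gone. Because the filter keeps the caller's values for the allowed names, it only restores correct behaviour when the caller is the web server (or fcgiwrap acting for it); it does not make a locally invoked wrapper trustworthy.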