Bug#961491: marked as done (CVE-2020-10936: Security flaws in setuid wrappers)

2020-12-28 Thread Debian Bug Tracking System 
Your message dated Mon, 28 Dec 2020 13:53:39 +
with message-id 
and subject line Bug#961491: fixed in sympa 6.2.40~dfsg-1+deb10u1
has caused the Debian Bug report #961491,
regarding CVE-2020-10936: Security flaws in setuid wrappers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961491: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961491
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: sympa
severity: critical
tags: upstream security patch

Security advisory: https://sympa-community.github.io/security/2020-002.html

Excerpt:

--snip--
A vulnerability has been discovered in Sympa web interface by which attacker 
can execute arbitrary code with root
privileges.

Sympa uses two sorts of setuid wrappers:

FastCGI wrappers
newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi) 
were used to make the web interface
running under privileges of a dedicated user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the 
alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment 
variables like PERL5LIB were injected,
forged code might be loaded and executed under privileges of setuid-ed users.
--snap--

Affects all versions of Sympa. Patch is attached.

The following change should also be considered to switch off installation as 
setuid, which is not needed in most cases:
https://github.com/sympa-community/sympa/pull/944/commits/bc9579c7abddc77c92ad51897bd16aba12383d5f

See also 
https://github.com/sympa-community/sympa/issues/943#issuecomment-633278517 
which claims that the patch
is incomplete.

CVE is not yet published.

Regards
Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
commit 3f8449c647e5ab32cf6f8837cb600c1756b6189c
Author: IKEDA Soji 
Date:   Fri Mar 27 21:28:18 2020 +0900

Sympa SA 2020-002 (candidate): Setuid wrappers should clear environment variables to avoid exploits.

diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c
index f4c6a66..435d40c 100644
--- a/src/cgi/sympa_soap_server-wrapper.fcgi.c
+++ b/src/cgi/sympa_soap_server-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  .
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include 
 
 int main(int argn, char **argv, char **envp) {
+char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
 setreuid(geteuid(),geteuid());
 setregid(getegid(),getegid());
 argv[0] = SYMPASOAP;
-return execve(SYMPASOAP,argv,envp);
+return execve(SYMPASOAP, argv, myenvp);
 }
diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c
index c66c7f8..34198ec 100644
--- a/src/cgi/wwsympa-wrapper.fcgi.c
+++ b/src/cgi/wwsympa-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  .
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include 
 
 int main(int argn, char **argv, char **envp) {
+char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
 setreuid(geteuid(),geteuid()); // Added to fix the segfault
 setregid(getegid(),getegid()); // Added to fix the segfault
 argv[0] = WWSYMPA;
-return execve(WWSYMPA,argv,envp);
+return execve(WWSYMPA, argv, myenvp);
 }
diff --git a/src/libexec/sympa_newaliases-wrapper.c b/src/libexec/sympa_newaliases-wrapper.c
index a399218..a1e5935 100644
--- a/src/libexec/sympa_newaliases-wrapper.c
+++ b/src/libexec/sympa_newaliases-wrapper.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,

Bug#961491: marked as done (CVE-2020-10936: Security flaws in setuid wrappers)

2020-09-25 Thread Debian Bug Tracking System 
Your message dated Fri, 25 Sep 2020 08:38:52 +
with message-id 
and subject line Bug#961491: fixed in sympa 6.2.40~dfsg-5
has caused the Debian Bug report #961491,
regarding CVE-2020-10936: Security flaws in setuid wrappers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961491: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961491
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: sympa
severity: critical
tags: upstream security patch

Security advisory: https://sympa-community.github.io/security/2020-002.html

Excerpt:

--snip--
A vulnerability has been discovered in Sympa web interface by which attacker 
can execute arbitrary code with root
privileges.

Sympa uses two sorts of setuid wrappers:

FastCGI wrappers
newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi) 
were used to make the web interface
running under privileges of a dedicated user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the 
alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment 
variables like PERL5LIB were injected,
forged code might be loaded and executed under privileges of setuid-ed users.
--snap--

Affects all versions of Sympa. Patch is attached.

The following change should also be considered to switch off installation as 
setuid, which is not needed in most cases:
https://github.com/sympa-community/sympa/pull/944/commits/bc9579c7abddc77c92ad51897bd16aba12383d5f

See also 
https://github.com/sympa-community/sympa/issues/943#issuecomment-633278517 
which claims that the patch
is incomplete.

CVE is not yet published.

Regards
Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
commit 3f8449c647e5ab32cf6f8837cb600c1756b6189c
Author: IKEDA Soji 
Date:   Fri Mar 27 21:28:18 2020 +0900

Sympa SA 2020-002 (candidate): Setuid wrappers should clear environment variables to avoid exploits.

diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c
index f4c6a66..435d40c 100644
--- a/src/cgi/sympa_soap_server-wrapper.fcgi.c
+++ b/src/cgi/sympa_soap_server-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  .
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include 
 
 int main(int argn, char **argv, char **envp) {
+char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
 setreuid(geteuid(),geteuid());
 setregid(getegid(),getegid());
 argv[0] = SYMPASOAP;
-return execve(SYMPASOAP,argv,envp);
+return execve(SYMPASOAP, argv, myenvp);
 }
diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c
index c66c7f8..34198ec 100644
--- a/src/cgi/wwsympa-wrapper.fcgi.c
+++ b/src/cgi/wwsympa-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  .
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include 
 
 int main(int argn, char **argv, char **envp) {
+char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
 setreuid(geteuid(),geteuid()); // Added to fix the segfault
 setregid(getegid(),getegid()); // Added to fix the segfault
 argv[0] = WWSYMPA;
-return execve(WWSYMPA,argv,envp);
+return execve(WWSYMPA, argv, myenvp);
 }
diff --git a/src/libexec/sympa_newaliases-wrapper.c b/src/libexec/sympa_newaliases-wrapper.c
index a399218..a1e5935 100644
--- a/src/libexec/sympa_newaliases-wrapper.c
+++ b/src/libexec/sympa_newaliases-wrapper.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,