Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package sympa It contains 2 fixes: One for a RC bug about conffile handling: https://bugs.debian.org/774877 Another one about a vulnerability discovered recently in the web interface (wwsympa) which allows one to send himself by himself any readable file by the sympa user on the filesystem. debdiff is attached. Thanks, unblock sympa/6.1.23~dfsg-2 -- System Information: Debian Release: 7.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash
diff -Nru sympa-6.1.23~dfsg/debian/changelog sympa-6.1.23~dfsg/debian/changelog --- sympa-6.1.23~dfsg/debian/changelog 2014-09-17 20:48:59.000000000 +0200 +++ sympa-6.1.23~dfsg/debian/changelog 2015-01-16 02:48:24.000000000 +0100 @@ -1,3 +1,12 @@ +sympa (6.1.23~dfsg-2) unstable; urgency=medium + + * Fix a bug in /etc/sympa/facility conffile handling (Closes: #774877) + * Add a patch to fix a vulnerability in the web interface (wwsympa) + which allows one to send himself by email any readable file by the + sympa user on the filesystem. + + -- Emmanuel Bouthenot <kol...@debian.org> Fri, 16 Jan 2015 02:48:12 +0100 + sympa (6.1.23~dfsg-1) unstable; urgency=medium * New upstream release diff -Nru sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability --- sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability 1970-01-01 01:00:00.000000000 +0100 +++ sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability 2015-01-16 02:41:27.000000000 +0100 @@ -0,0 +1,29 @@ +Description: Fix a vulnerability in the web interface (wwsympa) + which allows one to send himself by email any readable file by the + sympa user on the filesystem +Author: David Verdin <david.ver...@renater.fr> +Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch +Applied-Upstream: 6.1.24 +Last-Update: 2015-01-16 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/wwsympa/wwsympa.fcgi.in ++++ b/wwsympa/wwsympa.fcgi.in +@@ -15758,9 +15758,14 @@ + $pages_url = $in{'url'}; + + # parse return the MIME::Lite part to send +- my $MIMEmail = $mailHTML->parse($pages_url); +- +- $in{'body'} = $MIMEmail->as_string; ++ $mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']); ++ my $MIMEmail = eval { $mailHTML->parse($pages_url) }; ++ if ($MIMEmail) { ++ $in{'body'} = $MIMEmail->as_string; ++ } else { ++ report::reject_report_web('user', 'wrong_value', {'argument' => 'url'}, $param->{'action'}); ++ return undef; ++ } + + }else{ + diff -Nru sympa-6.1.23~dfsg/debian/patches/series sympa-6.1.23~dfsg/debian/patches/series --- sympa-6.1.23~dfsg/debian/patches/series 2014-03-22 09:04:27.000000000 +0100 +++ sympa-6.1.23~dfsg/debian/patches/series 2015-01-16 02:32:49.000000000 +0100 @@ -1,3 +1,4 @@ +0001_fix_web_interface_vulnerability 1002_mysql_default_charset_engine.patch 1004_wizard_support_batch_and_display_mode.patch 1005_wizard_emit_cmd_and_newline_when_dying.patch diff -Nru sympa-6.1.23~dfsg/debian/sympa.preinst sympa-6.1.23~dfsg/debian/sympa.preinst --- sympa-6.1.23~dfsg/debian/sympa.preinst 2013-10-03 13:46:30.000000000 +0200 +++ sympa-6.1.23~dfsg/debian/sympa.preinst 2015-01-16 02:09:47.000000000 +0100 @@ -36,6 +36,16 @@ done fi + +case "$1" in + install|upgrade) + if dpkg --compare-versions "$2" "<" "6.1.22~dfsg-1"; then + # delete sympa facility before managing it as a conffile (#774877) + rm -f /etc/sympa/facility + fi + ;; +esac + #DEBHELPER# exit 0
