Your message dated Mon, 25 Aug 2008 16:24:16 +0200
with message-id <[EMAIL PROTECTED]>
and subject line CLOSED - Re: Bug#496518: Insecure use of /tmp in sympa_wizard 
may lead to system damage
has caused the Debian Bug report #496518,
regarding Insecure use of /tmp in sympa_wizard may lead to system damage
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496518: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496518
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: sympa
Version: 5.3.4-5.1
Severity: critical
Tags: security
Justification: root security hole

AFAICT (and thanks to Thijs Kinkhorst <[EMAIL PROTECTED]>: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more 
insecure uses of /tmp in sympa.

One quite nasty one is in /usr/lib/sympa/bin/sympa_wizard.pl, as this 
script is used during sympa's postinst, so with root privileges, IMHO.

Note that the sympa_wizard.pl which needs to be fixed is in debian/ in the package 
sources (see #496514). Still, the insecure code is also present in upstream's 
sympa_wizard.pl.

Will file a separate report for another issue found with less critical severity.

Hope this helps


-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                      3.110       add and remove users and groups
ii  debconf [debconf-2.0]        1.5.22      Debian configuration management sy
ii  exim4-daemon-light [mail-tra 4.69-6      lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl          <none>      (no description available)
ii  libc6                        2.7-13      GNU C Library: Shared libraries
pn  libcgi-fast-perl             <none>      (no description available)
pn  libcrypt-ciphersaber-perl    <none>      (no description available)
pn  libdbd-mysql-perl | libdbd-p <none>      (no description available)
ii  libdbi-perl                  1.605-1     Perl5 database interface by Tim Bu
ii  libfcgi-perl                 0.67-2.1+b1 FastCGI Perl module
ii  libintl-perl                 1.16-4      Uniforum message translations syst
ii  libio-stringy-perl           2.110-4     Perl modules for IO from scalars a
ii  libmailtools-perl            2.03-1      Manipulate email in perl programs
pn  libmd5-perl                  <none>      (no description available)
ii  libmime-tools-perl [libmime- 5.427-1     Perl5 modules for MIME-compliant m
pn  libmsgcat-perl               <none>      (no description available)
pn  libnet-ldap-perl             <none>      (no description available)
pn  libtemplate-perl             <none>      (no description available)
ii  libxml-libxml-perl           1.66-1+b1   Perl module for using the GNOME li
pn  mhonarc                      <none>      (no description available)
ii  perl [libmime-base64-perl]   5.10.0-13   Larry Wall's Practical Extraction 
pn  perl-suid                    <none>      (no description available)
ii  sysklogd [system-log-daemon] 1.5-5       System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                      0.8.16     utilities to manage online documen
ii  logrotate                     3.7.1-3    Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd]   2.2.9-7    Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi         <none>     (no description available)
pn  mysql-server | postgresql     <none>     (no description available)
ii  openssl                       0.9.8g-13  Secure Socket Layer (SSL) binary a



--- End Message ---
--- Begin Message ---
On Mon, Aug 25, 2008 at 02:22:54PM +0200, Olivier Berger wrote:
> 
> AFAICT (and thanks to Thijs Kinkhorst <[EMAIL PROTECTED]>: 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more 
> insecure uses of /tmp in sympa.
> 
> One quite nasty one is in /usr/lib/sympa/bin/sympa_wizard.pl, as this 
> script is used during sympa's postinst, so with root privileges, IMHO.
> 
> Note that the sympa_wizard.pl which needs to be fixed is in debian/ in 
> package sources (see #496514). Still, the insecure code is also present in 
> upstream's sympa_wizard.pl.
> 

Sh*t. There's no problem in sympa_wizard.pl actually.

The current sympa_wizard doesn't use any insecure file in /tmp.

This is again a "false positive", as the $new_wwsympa_conf = 
'/tmp/wwsympa.conf' and $new_sympa_conf = '/tmp/sympa.conf' haven't been used 
for a long time 
(http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/sympa_wizard.pl?view=diff&r1=1613&r2=1614)...
but the fix was done incompletely (the $new_[ww]sympa_conf variables remained, 
although @new_[ww]sympa_conf are the only ones used).

Thus, the attached patch may be better, to finally get rid of the /tmp path.

Too bad, this wasn't really obvious looking at the code :(.

Sorry for bothering.

diff -a -u -i -b -w -r1.17 sympa_wizard.pl
--- debian/sympa_wizard.pl	9 Apr 2008 14:59:13 -0000	1.17
+++ debian/sympa_wizard.pl	25 Aug 2008 14:23:24 -0000
@@ -49,9 +49,6 @@
 
 ## Configuration
 
-my $new_wwsympa_conf = '/tmp/wwsympa.conf';
-my $new_sympa_conf = '/tmp/sympa.conf';
-
 my $wwsconf = {};
 
 ## Change to your wwsympa.conf location
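Review bot: Removing the `$new_wwsympa_conf` and `$new_sympa_conf` declarations is the right way to retire the stale `/tmp/wwsympa.conf` and `/tmp/sympa.conf` literals, but this hunk only shows the declarations, so the patch is only safe if no other reference to either scalar survives: under `use strict` a leftover reference fails at compile time, and without it the name silently interpolates as an empty string into whatever path or message uses it. Grep the whole script for `$new_wwsympa_conf` and `$new_sympa_conf` before applying (the two `die` messages in the second hunk are the known remaining uses) and make sure only the `@new_[ww]sympa_conf` arrays remain.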
@@ -716,11 +713,11 @@
 
     ## Write new config files
     unless (open (WWSYMPA,"> $wwsympa_conf")){
-	die "unable to open $new_wwsympa_conf : $!";
+	die "unable to open $wwsympa_conf : $!";
     };
 
     unless (open (SYMPA,"> $sympa_conf")){
-	die "unable to open $new_sympa_conf : $!";
+	die "unable to open $sympa_conf : $!";
     };
 
     print SYMPA @new_sympa_conf;
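Review bot: The message fix is right, since `die` now names the file that `open()` actually failed on (`$wwsympa_conf` / `$sympa_conf`) instead of a variable that no longer exists, but the opens on either side of it still use the two-argument form with the mode embedded in the string (`open (WWSYMPA,"> $wwsympa_conf")`), where leading whitespace or a mode character in the configured path changes what Perl does with it; as this runs as root from postinst, switching to `open(WWSYMPA, '>', $wwsympa_conf)` in the same patch would cost nothing. Also, `>` truncates the live config file at open time and the contents are only printed afterwards (`print SYMPA @new_sympa_conf;`), so a failure in between leaves an empty config; writing to a temporary file in the same directory and renaming it over the original keeps the replacement atomic. The `};` after each `unless` block is a stray semicolon and can go.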

--- End Message ---