Your message dated Wed, 5 Aug 2009 20:32:32 +0200
with message-id <20090805183231.gv13...@jones.dk>
and subject line Bug fixed upstream since Sympa 5.4.4
has caused the Debian Bug report #496520,
regarding Insecure use of /tmp in sympa scripts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
496520: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496520
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sympa
Version: 5.3.4-5.1
Severity: grave
Tags: security
Justification: user security hole

AFAICT (and thanks to Thijs Kinkhorst <th...@debian.org>: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more 
insecure uses of /tmp in sympa.

Besides the one in #496518 there is also a problem with 
/usr/lib/sympa/bin/tools.pl in the smime_sign_check() code, which uses a /tmp 
temporary file in an insecure manner.

AFAICT, this may be exploited to overwrite contents of a file with privileges 
of the user sympa runs under, but in a not so predictable way as the filename 
changes (includes process pid, I guess). And of course this would only occur if 
mime signing was used in sympa... which is not so frequent maybe.

This is not the most serious, as it may only be exploited in specific conditions, but 
it still needs to be addressed, IMHO.

This is upstream code, not Debian specific, AFAICT.

Note also that in the grep done in the package files 
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#31) there are (besides 
#496518) some other apparent issues, but which are false positives:
/usr/lib/sympa/bin/tt2.pl (strange perl comment? to be confirmed)
/usr/lib/sympa/bin/CAS.pm (POD example)
/usr/lib/sympa/bin/sympa_soap_client.pl (unused code in example script, see 
#496515)

Hope this helps,


-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                      3.110       add and remove users and groups
ii  debconf [debconf-2.0]        1.5.22      Debian configuration management sy
ii  exim4-daemon-light [mail-tra 4.69-6      lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl          <none>      (no description available)
ii  libc6                        2.7-13      GNU C Library: Shared libraries
pn  libcgi-fast-perl             <none>      (no description available)
pn  libcrypt-ciphersaber-perl    <none>      (no description available)
pn  libdbd-mysql-perl | libdbd-p <none>      (no description available)
ii  libdbi-perl                  1.605-1     Perl5 database interface by Tim Bu
ii  libfcgi-perl                 0.67-2.1+b1 FastCGI Perl module
ii  libintl-perl                 1.16-4      Uniforum message translations syst
ii  libio-stringy-perl           2.110-4     Perl modules for IO from scalars a
ii  libmailtools-perl            2.03-1      Manipulate email in perl programs
pn  libmd5-perl                  <none>      (no description available)
ii  libmime-tools-perl [libmime- 5.427-1     Perl5 modules for MIME-compliant m
pn  libmsgcat-perl               <none>      (no description available)
pn  libnet-ldap-perl             <none>      (no description available)
pn  libtemplate-perl             <none>      (no description available)
ii  libxml-libxml-perl           1.66-1+b1   Perl module for using the GNOME li
pn  mhonarc                      <none>      (no description available)
ii  perl [libmime-base64-perl]   5.10.0-13   Larry Wall's Practical Extraction 
pn  perl-suid                    <none>      (no description available)
ii  sysklogd [system-log-daemon] 1.5-5       System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                      0.8.16     utilities to manage online documen
ii  logrotate                     3.7.1-3    Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd]   2.2.9-7    Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi         <none>     (no description available)
pn  mysql-server | postgresql     <none>     (no description available)
ii  openssl                       0.9.8g-13  Secure Socket Layer (SSL) binary a



--- End Message ---
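The class of bug the report describes, a file under the shared /tmp whose name varies only by pid and is opened with a plain clobbering open, beside the hardened pattern, as an added example. This is not Sympa's code and not the reporter's; the function names, the template name and the sample data are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not Sympa's code): predictable /tmp file vs. File::Temp.
use strict;
use warnings;
use File::Temp qw(tempfile);

# INSECURE: the path is guessable (only the pid varies, and pids are small
# numbers), /tmp is writable by everyone, and '>' follows a symlink that an
# attacker pre-placed at that name. The daemon then truncates and writes
# whatever the link points at, with the daemon's own privileges.
sub write_insecure {
    my ($data) = @_;
    my $path = "/tmp/smime_check_$$";          # hypothetical name
    open(my $fh, '>', $path) or die "open $path: $!";
    print $fh $data;
    close $fh;
    return $path;                               # later handed to openssl by name
}

# HARDENED: File::Temp chooses an unpredictable name and opens it with
# O_CREAT|O_EXCL and mode 0600, so a pre-placed symlink or file makes the
# open fail instead of being silently followed. UNLINK => 1 removes the
# file at program exit, so nothing stale is left behind for a later race.
sub write_secure {
    my ($data) = @_;
    my ($fh, $path) = tempfile(
        'smime_check_XXXXXXXX',                 # at least four X's required
        DIR    => $ENV{TMPDIR} || '/tmp',
        UNLINK => 1,
    );
    print $fh $data;
    $fh->flush;          # data must be on disk before another process reads it
    return ($fh, $path); # keep the handle alive for the file's whole lifetime
}

# Self-check a reviewer can run: the secure file is ours, private, and a
# regular file rather than a link.
sub check_private {
    my ($path) = @_;
    my @st = lstat($path) or return 0;
    my $mode = $st[2] & 07777;
    return (-f _ && !-l $path && $mode == 0600 && $st[4] == $>) ? 1 : 0;
}

my ($fh, $path) = write_secure("constructed signed-message body\n");
printf "secure temp file: %s  private=%d\n", $path, check_private($path);
close $fh;
```

The remaining exposure, once the open itself is safe, is that the name is still passed to an external tool such as openssl; on a sticky-bit /tmp nobody else can unlink or replace the daemon's own file, so that is acceptable, but writing under a directory only the daemon can reach (File::Temp's tempdir, or the daemon's own spool) removes /tmp from the picture entirely. A quick audit for the insecure form is a grep for literal `/tmp/` strings next to `$$` in the scripts, which is how the list in the report above was produced.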
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Version: 5.4.7-1

Regression: The packaging releases 5.3.4-6 and 5.3.4-6.1 unfortunately 
were not taken into account during the massive(!) repackaging leading to 
5.4.6-1.

Upstream fixed this problem in release 5.4.4 (or earlier).


Kind regards,

     - Jonas

- -- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

     [x] quote me freely  [ ] ask before reusing  [ ] keep private


--- End Message ---