On 07/12/2020 12:06, Stefan Hornburg (Racke) wrote:
> On 12/7/20 10:52 AM, Sylvain Beucler wrote:
>> This high-severity issue was marked with:
>> [buster] - sympa <no-dsa> (Will be fixed via point release)
>> Consequently I am surprised that it wasn't part of last week's Debian 10.7
>> point release.
>> What happened?
>> Can we consider switching to a DSA?
> Yes, sorry I missed that point release. If you want a DSA, that's fine for me.

Status update: the update is ready and a debdiff was sent for approval
to the security team 2 days ago.

Cheers!
Sylvain
diff -Nru sympa-6.2.40~dfsg/debian/changelog sympa-6.2.40~dfsg/debian/changelog
--- sympa-6.2.40~dfsg/debian/changelog 2019-01-20 16:57:14.000000000 +0100
+++ sympa-6.2.40~dfsg/debian/changelog 2020-12-10 14:39:54.000000000 +0100
@@ -1,3 +1,21 @@
+sympa (6.2.40~dfsg-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2020-10936: Sympa allows privilege escalation through setuid
+ wrappers. (Closes: #961491)
+ * CVE-2020-26932: restrict access to sympa_newaliases-wrapper (setuid
+ root) to group sympa. (Closes: #971904)
+ * Ask the user whether they want/need sympa_newaliases-wrapper to
+ be setuid root (CVE-2020-26880 mitigation).
+ * CVE-2020-9369: prevents creation of temporary files and email
+ notifications to listmasters when encountering malformed input
+ parameters. (Closes: #952428)
+ * CVE-2020-29668: Sympa allows remote attackers to obtain full SOAP API
+ access by sending any arbitrary string (except one from an expired
+ cookie) as the cookie value to authenticateAndRun. (Closes: #976020).
+
+ -- Sylvain Beucler <b...@debian.org> Thu, 10 Dec 2020 14:39:54 +0100
+
sympa (6.2.40~dfsg-1) unstable; urgency=medium
* New upstream release.
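Review bot: The CVE-2020-29668 bullet describes the vulnerability but, unlike the other entries, not what the backport changes; say what the fix does (authenticateAndRun now requires the session found for the cookie to be an existing one whose email matches the supplied email) so someone reading the changelog knows what behaviour to expect. Minor: that entry ends with "(Closes: #976020)." while the others have no trailing period, and the CVE-2020-9369 entry could mention that the bad-parameter loop now stops at the first invalid value (see the `next` to `last` change in that patch).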
diff -Nru sympa-6.2.40~dfsg/debian/config sympa-6.2.40~dfsg/debian/config
--- sympa-6.2.40~dfsg/debian/config 2018-12-22 19:47:42.000000000 +0100
+++ sympa-6.2.40~dfsg/debian/config 2020-12-08 18:37:40.000000000 +0100
@@ -124,6 +124,10 @@
db_go
fi
+# Ask for sympa_newaliases-wrapper to be setuid root
+db_input high sympa/sympa_newaliases-wrapper-setuid-root || [ $? -eq 30 ]
+db_go
+
# Ask for spool directories removal
db_input medium wwsympa/remove_spool || [ $? -eq 30 ]
db_go
diff -Nru sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch
--- sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch 1970-01-01 01:00:00.000000000 +0100
+++ sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch 2020-12-08 19:03:59.000000000 +0100
@@ -0,0 +1,94 @@
+Origin: https://github.com/sympa-community/sympa/commit/3f8449c647e5ab32cf6f8837cb600c1756b6189c
+Last-Update: 2020-12-08
+Reviewed-by: Sylvain Beucler <b...@debian.org>
+
+From 3f8449c647e5ab32cf6f8837cb600c1756b6189c Mon Sep 17 00:00:00 2001
+From: IKEDA Soji <ik...@conversion.co.jp>
+Date: Fri, 27 Mar 2020 21:28:18 +0900
+Subject: [PATCH] Sympa SA 2020-002 (candidate): Setuid wrappers should clear
+ environment variables to avoid exploits.
+
+---
+ src/cgi/sympa_soap_server-wrapper.fcgi.c | 7 ++++++-
+ src/cgi/wwsympa-wrapper.fcgi.c | 7 ++++++-
+ src/libexec/sympa_newaliases-wrapper.c | 7 ++++++-
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c
+index f4c6a6645..435d40c6b 100644
+--- a/src/cgi/sympa_soap_server-wrapper.fcgi.c
++++ b/src/cgi/sympa_soap_server-wrapper.fcgi.c
+@@ -6,6 +6,9 @@
+ Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+ 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
+ Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
++ Copyright 2020 The Sympa Community. See the AUTHORS.md
++ file at the top-level directory of this distribution and at
++ <https://github.com/sympa-community/sympa.git>.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -24,8 +27,10 @@
+ #include <unistd.h>
+
+ int main(int argn, char **argv, char **envp) {
++ char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
++
+ setreuid(geteuid(),geteuid());
+ setregid(getegid(),getegid());
+ argv[0] = SYMPASOAP;
+- return execve(SYMPASOAP,argv,envp);
++ return execve(SYMPASOAP, argv, myenvp);
+ }
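Review bot: While this wrapper is being hardened, the `setreuid(geteuid(),geteuid())` and `setregid(getegid(),getegid())` calls in the context lines still ignore their return values; if either fails the wrapper proceeds to `execve` in a privilege state it did not intend, so check each result and exit non-zero before the exec (the same applies to the two wrappers below). `argn` is also unused in all three `main` signatures.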
+diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c
+index c66c7f82b..34198ecf9 100644
+--- a/src/cgi/wwsympa-wrapper.fcgi.c
++++ b/src/cgi/wwsympa-wrapper.fcgi.c
+@@ -6,6 +6,9 @@
+ Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+ 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
+ Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
++ Copyright 2020 The Sympa Community. See the AUTHORS.md
++ file at the top-level directory of this distribution and at
++ <https://github.com/sympa-community/sympa.git>.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -24,8 +27,10 @@
+ #include <unistd.h>
+
+ int main(int argn, char **argv, char **envp) {
++ char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
++
+ setreuid(geteuid(),geteuid()); // Added to fix the segfault
+ setregid(getegid(),getegid()); // Added to fix the segfault
+ argv[0] = WWSYMPA;
+- return execve(WWSYMPA,argv,envp);
++ return execve(WWSYMPA, argv, myenvp);
+ }
+diff --git a/src/libexec/sympa_newaliases-wrapper.c b/src/libexec/sympa_newaliases-wrapper.c
+index a39921871..a1e5935c3 100644
+--- a/src/libexec/sympa_newaliases-wrapper.c
++++ b/src/libexec/sympa_newaliases-wrapper.c
+@@ -6,6 +6,9 @@
+ Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+ 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
+ Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
++ Copyright 2020 The Sympa Community. See the AUTHORS.md
++ file at the top-level directory of this distribution and at
++ <https://github.com/sympa-community/sympa.git>.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -24,8 +27,10 @@
+ #include <unistd.h>
+
+ int main(int argn, char **argv, char **envp) {
++ char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
++
+ setreuid(geteuid(),geteuid());
+ setregid(getegid(),getegid());
+ argv[0] = SYMPA_NEWALIASES;
+- return execve(SYMPA_NEWALIASES, argv, envp);
++ return execve(SYMPA_NEWALIASES, argv, myenvp);
+ }
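Review bot: Passing `myenvp` to `execve` replaces the whole inherited environment, not only the variables an attacker could abuse, so any deployment that hands settings to the wrapper through the process environment (for example Apache `SetEnv` directives for the CGI wrappers, or a locale for sympa_newaliases-wrapper) will no longer see them in the Perl script. For the FastCGI wrappers the per-request variables such as `SYMPA_ROBOT`, which SOAP.pm reads from `%ENV`, should still arrive over the FCGI connection rather than the process environment, but it is worth confirming on the buster configuration that wwsympa and the SOAP server still pick up their robot and locale settings, and stating in the changelog that the environment is now fixed to `IFS` and `PATH`.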
diff -Nru sympa-6.2.40~dfsg/debian/patches/CVE-2020-29668.patch sympa-6.2.40~dfsg/debian/patches/CVE-2020-29668.patch
--- sympa-6.2.40~dfsg/debian/patches/CVE-2020-29668.patch 1970-01-01 01:00:00.000000000 +0100
+++ sympa-6.2.40~dfsg/debian/patches/CVE-2020-29668.patch 2020-12-10 14:39:54.000000000 +0100
@@ -0,0 +1,39 @@
+Origin: https://github.com/sympa-community/sympa/commit/4dacc825d8e79dd9b35e9942669af8ee1de2331a
+Last-Update: 2020-12-09
+Reviewed-by: Sylvain Beucler <b...@debian.org>
+
+commit 52157b54583e2052cfc1625a7311f80c94f3aed9
+Author: Stefan Hornburg (Racke) <ra...@linuxia.de>
+Date: Fri Nov 27 23:28:14 2020 +0100
+
+ Properly check email and session id in authenticateAndRun SOAP call (#1041).
+
+Index: sympa-6.2.40~dfsg/src/lib/Sympa/WWW/SOAP.pm
+===================================================================
+--- sympa-6.2.40~dfsg.orig/src/lib/Sympa/WWW/SOAP.pm
++++ sympa-6.2.40~dfsg/src/lib/Sympa/WWW/SOAP.pm
+@@ -331,19 +331,16 @@ sub authenticateAndRun {
+ ## session_table instead
+ my $session =
+ Sympa::WWW::Session->new($ENV{'SYMPA_ROBOT'}, {'cookie' => $cookie});
+- if (defined $session) {
+- $email = $session->{'email'};
+- $session_id = $session->{'id_session'};
+- }
+- unless ($email or $email eq 'unknown') {
+- $log->syslog('err', 'Failed to authenticate user with session ID %s',
+- $session_id);
++
++ unless (defined $session && ! $session->{'new_session'} && $session->{'email'} eq $email) {
++ $log->syslog('err', 'Failed to authenticate user %s with session ID %s',
++ $email, $cookie);
+ die SOAP::Fault->faultcode('Client')
+ ->faultstring('Could not get email from cookie')->faultdetail('');
+ }
+
+ $ENV{'USER_EMAIL'} = $email;
+- $ENV{'SESSION_ID'} = $session_id;
++ $ENV{'SESSION_ID'} = $session->{'id_session'};
+
+ no strict 'refs';
+ $service->($self, @$parameters);
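Review bot: The new error log writes the raw `$cookie` to syslog (`'Failed to authenticate user %s with session ID %s', $email, $cookie`); when the failure is an email mismatch rather than an unknown cookie, that value is a live session token belonging to another user, so log the session's `id_session` as the old code did, or a truncated or hashed form, rather than the cookie itself. Two smaller points: the condition compares `$session->{'email'} eq $email` before anything checks that `$email` is defined and non-empty, so an omitted email parameter yields an uninitialized-value warning and a comparison against the empty string (adding `defined $email && length $email` to the `unless` is cheap); and the `Origin:` header names commit 4dacc825d8e79dd9b35e9942669af8ee1de2331a while the embedded header says `commit 52157b54583e2052cfc1625a7311f80c94f3aed9`, so one of the two should be corrected or the relationship (cherry-pick or merge) noted.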
diff -Nru sympa-6.2.40~dfsg/debian/patches/CVE-2020-9369.patch sympa-6.2.40~dfsg/debian/patches/CVE-2020-9369.patch
--- sympa-6.2.40~dfsg/debian/patches/CVE-2020-9369.patch 1970-01-01 01:00:00.000000000 +0100
+++ sympa-6.2.40~dfsg/debian/patches/CVE-2020-9369.patch 2020-12-08 19:05:54.000000000 +0100
@@ -0,0 +1,73 @@
+Origin: https://github.com/sympa-community/sympa/commit/9b86fb3f0337d70221d63392db7d1a52b439dc8f
+Last-Update: 2020-12-08
+Reviewed-by: Sylvain Beucler <b...@debian.org>
+
+From 9b86fb3f0337d70221d63392db7d1a52b439dc8f Mon Sep 17 00:00:00 2001
+From: IKEDA Soji <ik...@conversion.co.jp>
+Date: Tue, 11 Feb 2020 17:52:22 +0900
+Subject: [PATCH] Sympa SA 2020-001 (candidate). Denial of service caused by
+ malformed CSRF token.
+
+---
+ src/cgi/wwsympa.fcgi.in | 25 +++----------------------
+ 1 file changed, 3 insertions(+), 22 deletions(-)
+
+Index: sympa-6.2.40~dfsg/src/cgi/wwsympa.fcgi.in
+===================================================================
+--- sympa-6.2.40~dfsg.orig/src/cgi/wwsympa.fcgi.in
++++ sympa-6.2.40~dfsg/src/cgi/wwsympa.fcgi.in
+@@ -995,9 +995,6 @@ our %in_regexp = (
+
+ # Role
+ 'role' => 'member|editor|owner',
+-
+- ## CSRF token is a lower case MD5 hash
+- 'csrftoken' => '^[0-9a-f]{32}$',
+ );
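Review bot: Removing the `csrftoken` entry from `%in_regexp` means the token is no longer syntactically validated on input. That is the intended fix for the denial of service (a malformed token no longer reaches the dump and notify path further down), but the backport should confirm that the request handler still compares the token against the session's value, so an arbitrary string is rejected there, and the changelog could say that the token is now checked by comparison rather than by regexp.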
+
+ ## Regexp applied on incoming parameters (%in)
+@@ -1267,8 +1264,6 @@ while ($query = CGI::Fast->new) {
+ # affected to another anonymous session.
+ undef $ENV{'HTTP_COOKIE'};
+ unless (defined $session) {
+- Sympa::send_notify_to_listmaster($robot,
+- 'failed_to_create_web_session', {});
+ wwslog('info', 'Failed to create session');
+ $session = Sympa::WWW::Session->new($robot, {});
+ }
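Review bot: With the listmaster notification gone, a failure to create a web session is only recorded by `wwslog('info', 'Failed to create session')`; since repeated failures here can indicate database trouble or the kind of abuse this patch mitigates, consider logging at `err` or `notice` so the event is not lost among routine info messages.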
+@@ -2190,32 +2185,18 @@ sub get_parameters {
+ if ($one_p !~ /^$regexp$/s
+ || (defined $negative_regexp && $one_p =~ /$negative_regexp/s)
+ ) {
+- ## Dump parameters in a tmp file for later analysis
+- my $dump_file =
+- Conf::get_robot_conf($robot, 'tmpdir')
+- . '/sympa_dump.'
+- . time . '.'
+- . $PID;
+- unless (open DUMP, ">$dump_file") {
+- wwslog('err', 'Failed to create %s: %s',
+- $dump_file, $ERRNO);
+- }
+- Sympa::Tools::Data::dump_var(\%in, 0, \*DUMP);
+- close DUMP;
+-
+ Sympa::WWW::Report::reject_report_web('user', 'syntax_errors',
+ {p_name => $p},
+ '', '');
+ wwslog(
+ 'err',
+- 'Syntax error for parameter %s value "%s" not conform to regexp:%s; dumped vars in %s',
++ 'Syntax error for parameter %s value "%s" not conform to regexp:%s',
+ $pname,
+ $one_p,
+- $regexp,
+- $dump_file
++ $regexp
+ );
+ $in{$p} = '';
+- next;
++ last;
+ }
+ }
+ }
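Review bot: The `next` to `last` change alters control flow, not just logging: after the first value that fails the regexp, the remaining values of that parameter are no longer checked. That is harmless because `$in{$p}` has already been cleared and it avoids one `reject_report_web` per bad value, but it is not mentioned in the CVE-2020-9369 changelog entry and deserves a line there for anyone auditing the backport. Dropping the dump block also removes a second defect in those lines worth noting: `dump_var` wrote to `DUMP` even when the `open` had failed, and the file `sympa_dump.<time>.<pid>` was created in `tmpdir` with `>` under a predictable name.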
diff -Nru sympa-6.2.40~dfsg/debian/patches/series sympa-6.2.40~dfsg/debian/patches/series
--- sympa-6.2.40~dfsg/debian/patches/series 2018-12-22 12:08:17.000000000 +0100
+++ sympa-6.2.40~dfsg/debian/patches/series 2020-12-10 14:39:54.000000000 +0100
@@ -1 +1,4 @@
2003_sympa_wizard_mhonarc.patch
+CVE-2020-10936.patch
+CVE-2020-9369.patch
+CVE-2020-29668.patch
diff -Nru sympa-6.2.40~dfsg/debian/sympa.postinst sympa-6.2.40~dfsg/debian/sympa.postinst
--- sympa-6.2.40~dfsg/debian/sympa.postinst 2018-12-22 12:08:17.000000000 +0100
+++ sympa-6.2.40~dfsg/debian/sympa.postinst 2020-12-08 18:37:40.000000000 +0100
@@ -232,7 +232,14 @@
/usr/lib/cgi-bin/sympa/sympa_soap_server-wrapper.fcgi
# Fix permissions on newaliases wrapper
-chmod u+s /usr/lib/sympa/bin/sympa_newaliases-wrapper
+# cf. src/libexec/Makefile.am
+chown root /usr/lib/sympa/bin/sympa_newaliases-wrapper
+chgrp sympa /usr/lib/sympa/bin/sympa_newaliases-wrapper
+chmod 750 /usr/lib/sympa/bin/sympa_newaliases-wrapper
+db_get sympa/sympa_newaliases-wrapper-setuid-root
+if [ "$RET" = "true" ]; then
+ chmod u+s /usr/lib/sympa/bin/sympa_newaliases-wrapper
+fi
# Starting from version 6.2.26, automatically generated CSS directory and
# subscribers pictures directory can be separated from static_content to be
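Review bot: Because `sympa/sympa_newaliases-wrapper-setuid-root` defaults to false, an unattended upgrade (`DEBIAN_FRONTEND=noninteractive`) now runs `chmod 750` without the following `chmod u+s`, silently dropping the setuid bit the previous package set unconditionally; sites whose alias update needs root may see list creation fail after the upgrade, so add a NEWS.Debian entry describing the new question and that `dpkg-reconfigure sympa` re-enables the bit. The ordering itself is right: `chown` comes before the `chmod` calls (changing the owner clears the setuid bit), and `chmod 750` followed by `u+s` yields 4750 restricted to group sympa.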
diff -Nru sympa-6.2.40~dfsg/debian/templates sympa-6.2.40~dfsg/debian/templates
--- sympa-6.2.40~dfsg/debian/templates 2018-12-22 12:08:17.000000000 +0100
+++ sympa-6.2.40~dfsg/debian/templates 2020-12-08 18:37:40.000000000 +0100
@@ -75,3 +75,17 @@
.
Please choose whether you want to remove the web archives and the bounce
directory.
+
+Template: sympa/sympa_newaliases-wrapper-setuid-root
+Type: boolean
+Default: false
+_Description: Should sympa_newaliases-wrapper be setuid root?
+ Program 'sympa_newaliases-wrapper' is run with root privileges to
+ allow sympa to update email aliases when creating or deleting lists,
+ but this can lead to security issues (see CVE-2020-26880).
+ .
+ In most email environments (exim, postfix) sympa doesn't need root
+ privileges (see also the 'aliases_program' parameter in sympa.conf).
+ .
+ Please choose whether you want to install this program with the
+ setuid bit set (u+s).
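Review bot: The description tells the administrator that root is usually unnecessary "in most email environments (exim, postfix)" but not how to tell; one sentence on what to check (whether the configured `aliases_program` can update the alias database when run as the sympa user) would make the default of false safer to accept. Style: the last paragraph ("Please choose whether you want to install this program with the setuid bit set") restates the short question, which debconf templates normally avoid.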