Your message dated Mon, 28 Dec 2020 13:53:39 +0000
with message-id <e1ktsxv-000apl...@fasolo.debian.org>
and subject line Bug#961491: fixed in sympa 6.2.40~dfsg-1+deb10u1
has caused the Debian Bug report #961491,
regarding CVE-2020-10936: Security flaws in setuid wrappers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
961491: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961491
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: sympa
severity: critical
tags: upstream security patch

Security advisory: https://sympa-community.github.io/security/2020-002.html

Excerpt:

--snip--
A vulnerability has been discovered in the Sympa web interface by which an
attacker can execute arbitrary code with root privileges.

Sympa uses two sorts of setuid wrappers:

    FastCGI wrappers
    newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi)
were used to make the web interface run under the privileges of a dedicated
user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the 
alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment
variables like PERL5LIB were injected, forged code might be loaded and executed
under the privileges of the setuid-ed users.
--snap--

Affects all versions of Sympa. Patch is attached.

The following change should also be considered to switch off installation as 
setuid, which is not needed in most cases:
https://github.com/sympa-community/sympa/pull/944/commits/bc9579c7abddc77c92ad51897bd16aba12383d5f

See also
https://github.com/sympa-community/sympa/issues/943#issuecomment-633278517
which claims that the patch is incomplete.

CVE is not yet published.

Regards
        Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.

commit 3f8449c647e5ab32cf6f8837cb600c1756b6189c
Author: IKEDA Soji <ik...@conversion.co.jp>
Date:   Fri Mar 27 21:28:18 2020 +0900

    Sympa SA 2020-002 (candidate): Setuid wrappers should clear environment variables to avoid exploits.

diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c
index f4c6a66..435d40c 100644
--- a/src/cgi/sympa_soap_server-wrapper.fcgi.c
+++ b/src/cgi/sympa_soap_server-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  <https://github.com/sympa-community/sympa.git>.
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include <unistd.h>
 
 int main(int argn, char **argv, char **envp) {
+    char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
     setreuid(geteuid(),geteuid());
     setregid(getegid(),getegid());
     argv[0] = SYMPASOAP;
-    return execve(SYMPASOAP,argv,envp);
+    return execve(SYMPASOAP, argv, myenvp);
 }
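Review bot: the results of setreuid() and setregid() just below the new myenvp declaration are still unchecked, so if either call fails the wrapper goes on to execve() the SOAP server with a real/effective id mismatch that the clean environment does nothing to protect against; test each for a non-zero return and exit before the execve. Since execve() only returns on failure, the final `return execve(...)` also deserves a perror() and an explicit exit status instead of handing -1 (exit status 255) back through main. Minor: with envp no longer passed to execve, the third main() parameter is unused and will draw a warning; `int main(int argc, char **argv)` is enough here.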
diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c
index c66c7f8..34198ec 100644
--- a/src/cgi/wwsympa-wrapper.fcgi.c
+++ b/src/cgi/wwsympa-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  <https://github.com/sympa-community/sympa.git>.
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include <unistd.h>
 
 int main(int argn, char **argv, char **envp) {
+    char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
     setreuid(geteuid(),geteuid()); // Added to fix the segfault
     setregid(getegid(),getegid()); // Added to fix the segfault
     argv[0] = WWSYMPA;
-    return execve(WWSYMPA,argv,envp);
+    return execve(WWSYMPA, argv, myenvp);
 }
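Review bot: the fixed two-entry myenvp discards every variable the FastCGI spawner hands this process, which is safe for request data (CGI variables arrive over the FastCGI socket, not via environ) but not for FCGI_WEB_SERVER_ADDRS, which libfcgi reads from the environment at FCGX_Init() to restrict which web servers may connect; a deployment relying on it silently loses that restriction after this change. Either copy that one variable through from envp or state in the release notes that it is no longer honoured. Style: the two `// Added to fix the segfault` comments beside setreuid()/setregid() now sit next to the security-relevant part of the wrapper and still say nothing about why the real ids are set equal to the effective ones; a one-line explanation would help the next reader.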
diff --git a/src/libexec/sympa_newaliases-wrapper.c b/src/libexec/sympa_newaliases-wrapper.c
index a399218..a1e5935 100644
--- a/src/libexec/sympa_newaliases-wrapper.c
+++ b/src/libexec/sympa_newaliases-wrapper.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  <https://github.com/sympa-community/sympa.git>.
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include <unistd.h>
 
 int main(int argn, char **argv, char **envp) {
+    char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
     setreuid(geteuid(),geteuid());
     setregid(getegid(),getegid());
     argv[0] = SYMPA_NEWALIASES;
-    return execve(SYMPA_NEWALIASES, argv, envp);
+    return execve(SYMPA_NEWALIASES, argv, myenvp);
 }
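Review bot: `PATH=/bin:/usr/bin` omits /sbin and /usr/sbin, where Debian and most other distributions install the alias-database tools (newaliases, postalias, makemap) that the target script is expected to run; if sympa_newaliases.pl resolves any of them through PATH, the wrapper will now fail where the old inherited PATH worked. Either confirm the script only uses absolute paths from its configuration or add /usr/sbin here, and run the alias update once on a patched install. As this is the wrapper that is setuid root, the unchecked setreuid()/setregid() results in this hunk matter more than in the two FastCGI wrappers; exit on failure before the execve().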

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
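The environment-clearing pattern the advisory excerpt describes, as an added example: this is not Sympa's code and not the attached patch, but a wrapper that rebuilds its environment from an allow-list (the patch instead hands the target a fixed two-entry environment) and checks the identity changes before exec. The target path in TARGET, the contents of the allow-list (including FCGI_WEB_SERVER_ADDRS) and MAX_ENV are illustrative assumptions.

```c
/* Added example (not Sympa code, not part of the attached patch): a setuid
 * wrapper that rebuilds its environment from an allow-list and checks its
 * privilege changes before exec.  TARGET, the allow-list and MAX_ENV are
 * illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define TARGET "/usr/lib/sympa/bin/wwsympa.fcgi"   /* assumed install path */
#define MAX_ENV 32

/* Caller variables that may pass through.  Anything the dynamic loader or
 * perl consults (LD_*, PERL5LIB, PERLLIB, PERL5OPT, PERL5DB, ...) is
 * deliberately absent: an inherited value could point at attacker code. */
static const char *const allowed[] = { "LANG", "LC_ALL", "FCGI_WEB_SERVER_ADDRS", NULL };

/* Entries set by the wrapper itself; the caller's value is never used. */
static const char *const fixed[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };

/* Length of the NAME part of "NAME=value" (whole string if there is no '='). */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* 1 if both strings name the same variable, 0 otherwise. */
static int same_name(const char *a, const char *b) {
    size_t la = name_len(a), lb = name_len(b);
    return la == lb && strncmp(a, b, la) == 0;
}

/* 1 if a caller entry is well formed, on the allow-list and not overridden
 * by a fixed entry. */
static int is_allowed(const char *entry) {
    if (strchr(entry, '=') == NULL) return 0;   /* malformed, drop it */
    for (int i = 0; fixed[i]; i++)
        if (same_name(entry, fixed[i])) return 0;
    for (int i = 0; allowed[i]; i++)
        if (same_name(entry, allowed[i])) return 1;
    return 0;
}

/* Fill out[] (capacity cap, including the terminating NULL) with the fixed
 * entries followed by the allowed caller entries from envp.  Returns the
 * number of entries written, or -1 if out[] is too small. */
int build_safe_env(char *const *envp, const char **out, size_t cap) {
    size_t n = 0;
    for (int i = 0; fixed[i]; i++) {
        if (n + 1 >= cap) return -1;
        out[n++] = fixed[i];
    }
    for (; envp && *envp; envp++) {
        if (!is_allowed(*envp)) continue;
        if (n + 1 >= cap) return -1;
        out[n++] = *envp;
    }
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char **argv) {
    const char *safe[MAX_ENV];
    (void)argc;

    if (build_safe_env(environ, safe, MAX_ENV) < 0) {
        fputs("wrapper: too many environment entries\n", stderr);
        return 1;
    }
    /* Make the real ids equal to the effective ones so the target runs as a
     * plain, non-setuid process.  Group first: once a setuid-root wrapper has
     * dropped root it can no longer change its gid. */
    if (setregid(getegid(), getegid()) != 0 ||
        setreuid(geteuid(), geteuid()) != 0) {
        perror("wrapper: setregid/setreuid");
        return 1;
    }
    argv[0] = TARGET;
    execve(TARGET, argv, (char *const *)safe);
    perror("wrapper: execve");   /* only reached if execve failed */
    return 127;
}
```

Compared with the patch, the allow-list lets a deployment keep locale or libfcgi settings without reopening the PERL5LIB/LD_* hole, and every privilege call is checked so the target is never exec'd in a half-dropped state. The environment is read from `environ` rather than a third `main()` argument because the three-argument form is a platform extension.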
--- Begin Message ---
Source: sympa
Source-Version: 6.2.40~dfsg-1+deb10u1
Done: Sylvain Beucler <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvain Beucler <b...@debian.org> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Dec 2020 14:39:54 +0100
Source: sympa
Architecture: source
Version: 6.2.40~dfsg-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Sympa team <sy...@packages.debian.org>
Changed-By: Sylvain Beucler <b...@debian.org>
Closes: 952428 961491 971904 976020
Changes:
 sympa (6.2.40~dfsg-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2020-10936: Sympa allows privilege escalation through setuid
     wrappers. (Closes: #961491)
   * CVE-2020-26932: restrict access to sympa_newaliases-wrapper (setuid
     root) to group sympa. (Closes: #971904)
   * Ask the user whether they want/need sympa_newaliases-wrapper to
     be setuid root (CVE-2020-26880 mitigation).
   * CVE-2020-9369: prevents creation of temporary files and email
     notifications to listmasters when encountering malformed input
     parameters. (Closes: #952428)
   * CVE-2020-29668: Sympa allows remote attackers to obtain full SOAP API
     access by sending any arbitrary string (except one from an expired
     cookie) as the cookie value to authenticateAndRun. (Closes: #976020).
Checksums-Sha1:
 3cb0e8fa0359a9e57e94dc199c001d3fc7cd527d 2193 sympa_6.2.40~dfsg-1+deb10u1.dsc
 bc9c607f16fb50f19646bcd2c65a8054039cfd97 4119788 sympa_6.2.40~dfsg.orig.tar.xz
 c13e355adcd88526899f37962e090bfb079fb4fd 167588 
sympa_6.2.40~dfsg-1+deb10u1.debian.tar.xz
 17958f265b040660333941ead7900e7af046ac66 10207 
sympa_6.2.40~dfsg-1+deb10u1_amd64.buildinfo
Checksums-Sha256:
 21f8ba16ce0a2d96e86b7ba8a5aa1364006ae1013a481e5c83eeaf4e8b4643a3 2193 
sympa_6.2.40~dfsg-1+deb10u1.dsc
 52e4fe24577b25a9b125000f4ca227b0939e3bfb5b79346623a13b5a448eab63 4119788 
sympa_6.2.40~dfsg.orig.tar.xz
 f2eff6a42e37ae7c7bae729ade4c992aecd54911dc1bd6c960385c640b81c64e 167588 
sympa_6.2.40~dfsg-1+deb10u1.debian.tar.xz
 ffe5d92eeacf0c16b0872c11a2809ece1c13eae8f9c332076ca6fa6ebc75d9ef 10207 
sympa_6.2.40~dfsg-1+deb10u1_amd64.buildinfo
Files:
 bcb66853ee9279a87abfb443880107dc 2193 mail optional 
sympa_6.2.40~dfsg-1+deb10u1.dsc
 d0a0a7e066c68dd0af7299d312d4711d 4119788 mail optional 
sympa_6.2.40~dfsg.orig.tar.xz
 bee20ef3fd6458512464b09b45fd18b9 167588 mail optional 
sympa_6.2.40~dfsg-1+deb10u1.debian.tar.xz
 b26c85766d3c683d700f8d8367f20824 10207 mail optional 
sympa_6.2.40~dfsg-1+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl/b0AoACgkQj/HLbo2J
BZ/eOwf6AsPgD6j7d6udYk2ahUZo77TkkCNqGxi15ST+n3S9Sz1b9gtHTuXCvyxI
zDAGVQhEcwe7+9KnKd6S/LjmEDuDtXznqD8DM/xxp+D1HQAKR+Ox+r14nE3LFx57
KYDU7fh1Ws+ohf0hY+hbZ8FWu/lMrSdtmqhzOH/w75l7r1zAMQkQOnVsNpb6+WJ4
J5v9p29frl7Djky1xMnm/5/G+q3YAd9ECttNWsNycYR6ry8eMqsnvuTinxj1T9NI
4RsM/Nqkn/hJZsbYpdRjyWUJjS17U42Dw2X/9LlzkuKlo6IJDCCBleyIqalL6Ucf
s3aM4rLdXRQ+E7Hg55iu1nxMT1d8Tw==
=SNwU
-----END PGP SIGNATURE-----

--- End Message ---
