CVE-2020-10936: Security flaws in setuid wrappers

Related Vulnerabilities: CVE-2020-10936  

Debian Bug report logs - #961491

Package: sympa; Maintainer for sympa is Debian Sympa team <sympa@packages.debian.org>; Source for sympa is src:sympa.

Reported by: "Stefan Hornburg (Racke)" <racke@linuxia.de>

Date: Mon, 25 May 2020 07:33:02 UTC

Severity: critical

Tags: patch, security, upstream

Found in versions sympa/6.2.40~dfsg-1, sympa/6.2.40~dfsg-4


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Sympa team <sympa@packages.debian.org>:
Bug#961491; Package sympa. (Mon, 25 May 2020 07:33:04 GMT)


Acknowledgement sent to "Stefan Hornburg (Racke)" <racke@linuxia.de>:
New Bug report received and forwarded. Copy sent to Debian Sympa team <sympa@packages.debian.org>. (Mon, 25 May 2020 07:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Stefan Hornburg (Racke)" <racke@linuxia.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2020-10936: Security flaws in setuid wrappers
Date: Mon, 25 May 2020 08:47:04 +0200
package: sympa
severity: critical
tags: upstream security patch

Security advisory: https://sympa-community.github.io/security/2020-002.html

Excerpt:

--snip--
A vulnerability has been discovered in the Sympa web interface by which an attacker can execute arbitrary code with root
privileges.

Sympa uses two sorts of setuid wrappers:

    FastCGI wrappers
    newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi) were used to make the web interface
run under the privileges of a dedicated user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected,
forged code might be loaded and executed under privileges of setuid-ed users.
--snap--

Affects all versions of Sympa. Patch is attached.

The following change should also be considered to switch off installation as setuid, which is not needed in most cases:
https://github.com/sympa-community/sympa/pull/944/commits/bc9579c7abddc77c92ad51897bd16aba12383d5f

See also https://github.com/sympa-community/sympa/issues/943#issuecomment-633278517 which claims that the patch
is incomplete.

CVE is not yet published.

Regards
        Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
[sympa-6.2.54-sa-2020-002-r2.patch (text/x-patch, attachment)]
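
The advisory excerpt above attributes the flaw to setuid wrappers passing the caller's environment through unchanged. As an added illustration (not Sympa's patch and not code from this report), this C sketch builds the environment a wrapper would hand to execve() from an allowlist; the allowlist contents, the SAFE_PATH value and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist for this sketch. Anything not named here is dropped,
 * so PERL5LIB, LD_PRELOAD and similar never reach the privileged process. */
static const char *const ALLOWED[] = { "LANG", "TZ", NULL };

/* PATH is set by the wrapper to a fixed value, never inherited. */
static const char SAFE_PATH[] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";

/* True if `entry` is exactly "name=...": "LANGUAGE=x" must not match "LANG". */
static int entry_is(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Fill `out` with SAFE_PATH plus the allowlisted entries of `in`.
 * `cap` is the size of `out`, counting the NULL terminator. Returns the
 * number of entries written, or -1 if `out` is too small; the caller must
 * then abort rather than exec with a partial or inherited environment. */
int build_clean_env(const char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; in[i] != NULL; i++) {
        int keep = 0;
        for (size_t a = 0; ALLOWED[a] != NULL; a++)
            keep |= entry_is(in[i], ALLOWED[a]);
        if (!keep) continue;
        if (n + 1 >= cap) return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample environment, as an untrusted caller might set it. */
    const char *in[] = { "PERL5LIB=/tmp/forged", "LANG=C.UTF-8", "TZ=UTC", NULL };
    const char *out[8];
    if (build_clean_env(in, out, 8) < 0) return 111;
    /* A wrapper would pass `out` as envp to execve() with a fixed target path. */
    for (size_t i = 0; out[i] != NULL; i++) puts(out[i]);
    return 0;
}
```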

Marked as found in versions sympa/6.2.40~dfsg-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 May 2020 10:18:03 GMT)


Marked as found in versions sympa/6.2.40~dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 May 2020 10:18:04 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon May 25 13:39:02 2020; Machine Name: bembo