sympa / CVE-2015-1306
Hi,
Attached is the debdiff to fix CVE-2015-1306 in sympa.
(I've also claimed the issue in dla-needed.txt[1])
Fix package is already built and tested. I'm ready to upload if there
are no objections.
[1] https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?r1=31868&r2=31919
Regards,
M.
--
Emmanuel Bouthenot
mail: kolter@{openics,debian}.org gpg: 4096R/0x929D42C3
xmpp: kolter@im.openics.org irc: kolter@{freenode,oftc}
diff -Nru sympa-6.0.1+dfsg/debian/changelog sympa-6.0.1+dfsg/debian/changelog
--- sympa-6.0.1+dfsg/debian/changelog 2015-02-02 23:14:11.000000000 +0000
+++ sympa-6.0.1+dfsg/debian/changelog 2015-02-02 23:11:20.000000000 +0000
@@ -1,3 +1,11 @@
+sympa (6.0.1+dfsg-4+squeeze3) squeeze-lts; urgency=low
+
+ * Add a patch to fix a vulnerability (CVE-2015-1306) in the web interface
+ (wwsympa) which allows one to send himself by email any readable file by
+ the sympa user on the filesystem.
+
+ -- Emmanuel Bouthenot <kolter@debian.org> Mon, 02 Feb 2015 23:11:16 +0000
+
sympa (6.0.1+dfsg-4+squeeze2) oldstable-proposed-updates; urgency=low
* Fix endless loop in wwsympa while loading session data including
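Review bot: the new changelog entry's wording is hard to read ("send himself by email any readable file by the sympa user") and it does not say which patch implements the fix or where it comes from; suggest "Add patch 2007_fix_CVE-2015-1306.patch (backported from upstream 6.1.24) to fix CVE-2015-1306 in the web interface (wwsympa), which allowed a user to have any file readable by the sympa user sent to them by email." so the entry names the patch file added in this debdiff and the upstream release it was taken from.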
diff -Nru sympa-6.0.1+dfsg/debian/patches/2007_fix_CVE-2015-1306.patch sympa-6.0.1+dfsg/debian/patches/2007_fix_CVE-2015-1306.patch
--- sympa-6.0.1+dfsg/debian/patches/2007_fix_CVE-2015-1306.patch 1970-01-01 00:00:00.000000000 +0000
+++ sympa-6.0.1+dfsg/debian/patches/2007_fix_CVE-2015-1306.patch 2015-02-02 23:10:14.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix a vulnerability (CVE-2015-1306) in the
+ web interface (wwsympa) which allows one to send himself
+ by email any readable file by the sympa user on the
+ filesystem
+Author: David Verdin <david.verdin@renater.fr>
+Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch
+Applied-Upstream: 6.1.24
+Last-Update: 2015-01-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/wwsympa/wwsympa.fcgi.in
++++ b/wwsympa/wwsympa.fcgi.in
+@@ -15150,9 +15150,14 @@
+ $pages_url = $in{'url'};
+
+ # parse return the MIME::Lite part to send
+- my $MIMEmail = $mailHTML->parse($pages_url);
+-
+- $in{'body'} = $MIMEmail->as_string;
++ $mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']);
++ my $MIMEmail = eval { $mailHTML->parse($pages_url) };
++ if ($MIMEmail) {
++ $in{'body'} = $MIMEmail->as_string;
++ } else {
++ report::reject_report_web('user', 'wrong_value', {'argument' => 'url'}, $param->{'action'});
++ return undef;
++ }
+
+ } else {
+
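Review bot: the fix depends on the private `_AGENT` slot of the MIME::Lite::HTML object (`$mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']);`) to restrict the schemes the embedded LWP::UserAgent will fetch, which is what keeps the `url` parameter from pointing at local files; since this relies on module internals rather than a documented API, the DEP-3 header should note that the backport was verified against the MIME::Lite::HTML version shipped in squeeze, and the patch should guard against `_AGENT` being undefined before calling into it. Separately, `my $MIMEmail = eval { $mailHTML->parse($pages_url) };` discards `$@`, so a refused scheme and an unreachable host both surface to the user only as `wrong_value` for `url`; logging `$@` before the `report::reject_report_web` call would let operators tell the two apart. The Description line "any readable file by the sympa user" would also read better as "any file readable by the sympa user".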
diff -Nru sympa-6.0.1+dfsg/debian/patches/series sympa-6.0.1+dfsg/debian/patches/series
--- sympa-6.0.1+dfsg/debian/patches/series 2015-02-02 23:14:11.000000000 +0000
+++ sympa-6.0.1+dfsg/debian/patches/series 2015-02-02 23:10:14.000000000 +0000
@@ -14,3 +14,4 @@
1010_sqlite_upgrade.patch
2005_disable_build_non_dfsg_po_files.patch
2006_fix_CVE-2012-2352.patch
+2007_fix_CVE-2015-1306.patch