Re: sympa / CVE-2015-1306
On Tue, Feb 03, 2015 at 12:27:36PM +0100, Thorsten Alteholz wrote:
[...]
> in the past consistent naming of patches made things much easier. So
> shouldn't that patch be 0002_fix_web_interface_vulnerability.patch
> instead of 2007_fix_CVE-2015-1306.patch?
In the debdiff attached, the patch is named 2007_fix_web_interface_vulnerability.patch.
The list of patches for sympa 6.0.x is very different from the list of
patches for sympa 6.1.x, so it was not possible to name it
0002_fix_web_interface_vulnerability.patch without updating other
patches.
For the name itself, I changed it from fix_web_interface_vulnerability
to fix_CVE-2015-1306 because the CVE number was published after the
upload of the fix in sid/jessie/wheezy-security and I thought that it
was more explicit to add the CVE number in the name.
Regards,
M.
--
Emmanuel Bouthenot
mail: kolter@{openics,debian}.org gpg: 4096R/0x929D42C3
xmpp: kolter@im.openics.org irc: kolter@{freenode,oftc}
diff -Nru sympa-6.0.1+dfsg/debian/changelog sympa-6.0.1+dfsg/debian/changelog
--- sympa-6.0.1+dfsg/debian/changelog 2015-02-02 23:14:11.000000000 +0000
+++ sympa-6.0.1+dfsg/debian/changelog 2015-02-03 15:18:36.000000000 +0000
@@ -1,3 +1,11 @@
+sympa (6.0.1+dfsg-4+squeeze3) squeeze-lts; urgency=low
+
+ * Add a patch to fix a vulnerability (CVE-2015-1306) in the web interface
+ (wwsympa) which allows one to send himself by email any readable file by
+ the sympa user on the filesystem.
+
+ -- Emmanuel Bouthenot <kolter@debian.org> Mon, 02 Feb 2015 23:11:16 +0000
+
sympa (6.0.1+dfsg-4+squeeze2) oldstable-proposed-updates; urgency=low
* Fix endless loop in wwsympa while loading session data including
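Review bot: the vulnerability description in the new squeeze-lts entry reads awkwardly and would be clearer as "which allows a user to email themselves any file readable by the sympa user on the filesystem"; since this changelog entry is the public record of the fix for squeeze-lts, it would also help to name the affected input (the `url` argument of the page-sending action, which is what the patch validates) so readers can relate the entry to the patch without opening it.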
diff -Nru sympa-6.0.1+dfsg/debian/patches/2007_fix_web_interface_vulnerability.patch sympa-6.0.1+dfsg/debian/patches/2007_fix_web_interface_vulnerability.patch
--- sympa-6.0.1+dfsg/debian/patches/2007_fix_web_interface_vulnerability.patch 1970-01-01 00:00:00.000000000 +0000
+++ sympa-6.0.1+dfsg/debian/patches/2007_fix_web_interface_vulnerability.patch 2015-02-03 15:26:32.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix a vulnerability (CVE-2015-1306) in the
+ web interface (wwsympa) which allows one to send himself
+ by email any readable file by the sympa user on the
+ filesystem
+Author: David Verdin <david.verdin@renater.fr>
+Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch
+Applied-Upstream: 6.1.24
+Last-Update: 2015-01-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/wwsympa/wwsympa.fcgi.in
++++ b/wwsympa/wwsympa.fcgi.in
+@@ -15146,9 +15146,14 @@
+ $pages_url = $in{'url'};
+
+ # parse return the MIME::Lite part to send
+- my $MIMEmail = $mailHTML->parse($pages_url);
+-
+- $in{'body'} = $MIMEmail->as_string;
++ $mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']);
++ my $MIMEmail = eval { $mailHTML->parse($pages_url) };
++ if ($MIMEmail) {
++ $in{'body'} = $MIMEmail->as_string;
++ } else {
++ report::reject_report_web('user', 'wrong_value', {'argument' => 'url'}, $param->{'action'});
++ return undef;
++ }
+
+ } else {
+
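Review bot: `$mailHTML->{_AGENT}->protocols_allowed([...])` reaches into an underscore-prefixed, internal slot of the MIME::Lite::HTML object, so the allowlist silently stops applying if a later module version renames or moves that attribute; a guard such as checking that `$mailHTML->{_AGENT}` is defined (and can `protocols_allowed`) before the call, plus a comment stating that this restriction must be preserved across module updates, would make the fix safer to maintain. The `eval { $mailHTML->parse($pages_url) }` also discards `$@`, so a refused scheme (`file:` is blocked only by being absent from the list) and a transient fetch failure both reach the user as the same `wrong_value` on `url`; logging `$@` before `report::reject_report_web` would keep the two cases distinguishable for operators. The allowlist itself is the right shape for this bug: the removed lines passed the user-supplied `$in{'url'}` straight to `parse` with no scheme restriction.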
diff -Nru sympa-6.0.1+dfsg/debian/patches/series sympa-6.0.1+dfsg/debian/patches/series
--- sympa-6.0.1+dfsg/debian/patches/series 2015-02-02 23:14:11.000000000 +0000
+++ sympa-6.0.1+dfsg/debian/patches/series 2015-02-03 15:27:55.000000000 +0000
@@ -14,3 +14,4 @@
1010_sqlite_upgrade.patch
2005_disable_build_non_dfsg_po_files.patch
2006_fix_CVE-2012-2352.patch
+2007_fix_web_interface_vulnerability.patch