Bug#972189: sympa: CVE-2020-10936 regression - removal of needed environment variables
Package: sympa
Version: 6.2.16~dfsg-3+deb9u3
Severity: important
Dear Maintainer(s),
since applying the security update from 6.2.16~dfsg-3+deb9u2 to
6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
i.e. the web server reports
2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr:
"Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Se
ssion.pm line 406.
Use of uninitialized value $remote_addr in string ne at
/usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream,
client: 192.16
8.100.2, server: lists.welcomes-you.com, request: "POST /sympa
HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host:
"FQDN", referrer: "https://FQDN/sympa"
My configuration may be a bit "nasty" and may contribute here:
The external https access to sympa is TLS terminated by nginx acting as
a reverse proxy which then sends the requests via a virtual bridge to
the container where sympa is running.
After comparing the changes between u2 and u3 I fear this change here
char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
[..]
- return execve(WWSYMPA,argv,envp);
+ return execve(WWSYMPA, argv, myenvp);
to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'}
not to be set and thus session handling will not work anymore.
Cheers
Carsten
-- System Information:
Debian Release: 9.13
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-12-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sympa depends on:
ii adduser 3.115
ii ca-certificates 20200601~deb9u1
ii dbconfig-common 2.0.8
ii debconf [debconf-2.0] 1.5.61
ii fonts-font-awesome 4.7.0~dfsg-1
ii init-system-helpers 1.48
ii libarchive-zip-perl 1.59-1+deb9u1
ii libc6 2.24-11+deb9u4
ii libcgi-fast-perl 1:2.12-1
ii libcgi-pm-perl 4.35-1
ii libclass-singleton-perl 1.5-1
ii libcrypt-openssl-x509-perl 1.8.7-3
ii libcrypt-smime-perl 0.19-2
ii libdatetime-format-mail-perl 0.4030-1
ii libdbd-csv-perl 0.4900-1
ii libdbd-mysql-perl 4.041-2
ii libdbd-pg-perl 3.5.3-1+b2
ii libdbd-sqlite3-perl 1.54-1
ii libdbi-perl 1.636-1+deb9u1
ii libfcgi-perl 0.78-2
ii libfile-copy-recursive-perl 0.38-1
ii libfile-nfslock-perl 1.27-1
ii libhtml-format-perl 2.12-1
ii libhtml-stripscripts-parser-perl 1.03-1
ii libhtml-tree-perl 5.03-2
ii libintl-perl 1.26-2
ii libio-stringy-perl 2.111-2
ii libjs-jquery 3.1.1-2+deb9u1
ii libjs-jquery-migrate-1 1.4.1-1
ii libjs-jquery-placeholder 2.3.1-2
ii libjs-jquery-ui 1.12.1+dfsg-4
ii libjs-modernizr 2.6.2+ds1-1
ii libjs-twitter-bootstrap 2.0.2+dfsg-10
ii libmail-dkim-perl 0.40-1
ii libmailtools-perl 2.18-1
ii libmime-charset-perl 1.012-2
ii libmime-encwords-perl 1.014.3-2
ii libmime-lite-html-perl 1.24-2
ii libmime-tools-perl 5.508-1
ii libmsgcat-perl 1.03-6+b3
ii libnet-cidr-perl 0.18-1
ii libnet-dns-perl 1.07-1
ii libnet-ldap-perl 1:0.6500+dfsg-1
ii libnet-netmask-perl 1.9022-1
ii libregexp-common-perl 2016060801-1
ii libsoap-lite-perl 1.20-1
ii libtemplate-perl 2.24-1.2+b3
ii libterm-progressbar-perl 2.18-1
ii libunicode-linebreak-perl 0.0.20160702-1+b1
ii libxml-libxml-perl 2.0128+dfsg-1+deb9u1
ii lsb-base 9.20161125
ii mhonarc 2.6.19-2
ii perl 5.24.1-3+deb9u7
ii postfix [mail-transport-agent] 3.1.15-0+deb9u1
ii rsyslog [system-log-daemon] 8.24.0-1
ii sqlite3 3.16.2-5+deb9u2
Versions of packages sympa recommends:
pn apache2-suexec <none>
pn default-mysql-server | postgresql <none>
pn doc-base <none>
pn libapache2-mod-fcgid <none>
pn libcrypt-ciphersaber-perl <none>
ii libio-socket-ssl-perl 2.044-1
ii locales 2.24-11+deb9u4
ii logrotate 3.11.0-0.1
Versions of packages sympa suggests:
pn libauthcas-perl <none>
pn libdbd-odbc-perl <none>
pn libdbd-oracle-perl <none>
ii nginx-light [httpd-cgi] 1.10.3-1+deb9u5
-- debconf information excluded
Reply to: