Bug#775790: unblock: sympa/6.1.23~dfsg-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package sympa
It contains 2 fixes:
One for a RC bug about conffile handling:
https://bugs.debian.org/774877
Another one about a vulnerability discovered recently in the web
interface (wwsympa) which allows one to send himself by himself any
readable file by the sympa user on the filesystem.
debdiff is attached.
Thanks,
unblock sympa/6.1.23~dfsg-2
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru sympa-6.1.23~dfsg/debian/changelog sympa-6.1.23~dfsg/debian/changelog
--- sympa-6.1.23~dfsg/debian/changelog 2014-09-17 20:48:59.000000000 +0200
+++ sympa-6.1.23~dfsg/debian/changelog 2015-01-16 02:48:24.000000000 +0100
@@ -1,3 +1,12 @@
+sympa (6.1.23~dfsg-2) unstable; urgency=medium
+
+ * Fix a bug in /etc/sympa/facility conffile handling (Closes: #774877)
+ * Add a patch to fix a vulnerability in the web interface (wwsympa)
+ which allows one to send himself by email any readable file by the
+ sympa user on the filesystem.
+
+ -- Emmanuel Bouthenot <kolter@debian.org> Fri, 16 Jan 2015 02:48:12 +0100
+
sympa (6.1.23~dfsg-1) unstable; urgency=medium
* New upstream release
diff -Nru sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability
--- sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability 1970-01-01 01:00:00.000000000 +0100
+++ sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability 2015-01-16 02:41:27.000000000 +0100
@@ -0,0 +1,29 @@
+Description: Fix a vulnerability in the web interface (wwsympa)
+ which allows one to send himself by email any readable file by the
+ sympa user on the filesystem
+Author: David Verdin <david.verdin@renater.fr>
+Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch
+Applied-Upstream: 6.1.24
+Last-Update: 2015-01-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/wwsympa/wwsympa.fcgi.in
++++ b/wwsympa/wwsympa.fcgi.in
+@@ -15758,9 +15758,14 @@
+ $pages_url = $in{'url'};
+
+ # parse return the MIME::Lite part to send
+- my $MIMEmail = $mailHTML->parse($pages_url);
+-
+- $in{'body'} = $MIMEmail->as_string;
++ $mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']);
++ my $MIMEmail = eval { $mailHTML->parse($pages_url) };
++ if ($MIMEmail) {
++ $in{'body'} = $MIMEmail->as_string;
++ } else {
++ report::reject_report_web('user', 'wrong_value', {'argument' => 'url'}, $param->{'action'});
++ return undef;
++ }
+
+ }else{
+
diff -Nru sympa-6.1.23~dfsg/debian/patches/series sympa-6.1.23~dfsg/debian/patches/series
--- sympa-6.1.23~dfsg/debian/patches/series 2014-03-22 09:04:27.000000000 +0100
+++ sympa-6.1.23~dfsg/debian/patches/series 2015-01-16 02:32:49.000000000 +0100
@@ -1,3 +1,4 @@
+0001_fix_web_interface_vulnerability
1002_mysql_default_charset_engine.patch
1004_wizard_support_batch_and_display_mode.patch
1005_wizard_emit_cmd_and_newline_when_dying.patch
diff -Nru sympa-6.1.23~dfsg/debian/sympa.preinst sympa-6.1.23~dfsg/debian/sympa.preinst
--- sympa-6.1.23~dfsg/debian/sympa.preinst 2013-10-03 13:46:30.000000000 +0200
+++ sympa-6.1.23~dfsg/debian/sympa.preinst 2015-01-16 02:09:47.000000000 +0100
@@ -36,6 +36,16 @@
done
fi
+
+case "$1" in
+ install|upgrade)
+ if dpkg --compare-versions "$2" "<" "6.1.22~dfsg-1"; then
+ # delete sympa facility before managing it as a conffile (#774877)
+ rm -f /etc/sympa/facility
+ fi
+ ;;
+esac
+
#DEBHELPER#
exit 0
Reply to: