[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#775790: marked as done (unblock: sympa/6.1.23~dfsg-2)

Your message dated Thu, 22 Jan 2015 13:26:21 +0000
with message-id <20150122132621.GE29173@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#775790: unblock: sympa/6.1.23~dfsg-2
has caused the Debian Bug report #775790,
regarding unblock: sympa/6.1.23~dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
775790: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775790
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package sympa

It contains 2 fixes:

One for a RC bug about conffile handling:
https://bugs.debian.org/774877

Another one about a vulnerability discovered recently in the web
interface (wwsympa) which allows one to send himself by himself any
readable file by the sympa user on the filesystem.

debdiff is attached.

Thanks,

unblock sympa/6.1.23~dfsg-2

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -Nru sympa-6.1.23~dfsg/debian/changelog sympa-6.1.23~dfsg/debian/changelog
--- sympa-6.1.23~dfsg/debian/changelog	2014-09-17 20:48:59.000000000 +0200
+++ sympa-6.1.23~dfsg/debian/changelog	2015-01-16 02:48:24.000000000 +0100
@@ -1,3 +1,12 @@
+sympa (6.1.23~dfsg-2) unstable; urgency=medium
+
+  * Fix a bug in /etc/sympa/facility conffile handling (Closes: #774877)
+  * Add a patch to fix a vulnerability in the web interface (wwsympa)
+    which allows one to send himself by email any readable file by the
+    sympa user on the filesystem.
+
+ -- Emmanuel Bouthenot <kolter@debian.org>  Fri, 16 Jan 2015 02:48:12 +0100
+
 sympa (6.1.23~dfsg-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability
--- sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability	1970-01-01 01:00:00.000000000 +0100
+++ sympa-6.1.23~dfsg/debian/patches/0001_fix_web_interface_vulnerability	2015-01-16 02:41:27.000000000 +0100
@@ -0,0 +1,29 @@
+Description: Fix a vulnerability in the web interface (wwsympa)
+ which allows one to send himself by email any readable file by the
+ sympa user on the filesystem
+Author: David Verdin <david.verdin@renater.fr>
+Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch
+Applied-Upstream: 6.1.24
+Last-Update: 2015-01-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/wwsympa/wwsympa.fcgi.in
++++ b/wwsympa/wwsympa.fcgi.in
+@@ -15758,9 +15758,14 @@
+ 	 $pages_url = $in{'url'};
+ 	 
+ 	 # parse return the MIME::Lite part to send 
+-	 my $MIMEmail = $mailHTML->parse($pages_url); 
+-
+-	 $in{'body'} = $MIMEmail->as_string;
++         $mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']);
++         my $MIMEmail = eval { $mailHTML->parse($pages_url) };
++         if ($MIMEmail) {
++             $in{'body'} = $MIMEmail->as_string;
++         } else {
++             report::reject_report_web('user', 'wrong_value', {'argument' => 'url'}, $param->{'action'});
++             return undef;
++         }
+ 	 
+      }else{
+ 	 
diff -Nru sympa-6.1.23~dfsg/debian/patches/series sympa-6.1.23~dfsg/debian/patches/series
--- sympa-6.1.23~dfsg/debian/patches/series	2014-03-22 09:04:27.000000000 +0100
+++ sympa-6.1.23~dfsg/debian/patches/series	2015-01-16 02:32:49.000000000 +0100
@@ -1,3 +1,4 @@
+0001_fix_web_interface_vulnerability
 1002_mysql_default_charset_engine.patch
 1004_wizard_support_batch_and_display_mode.patch
 1005_wizard_emit_cmd_and_newline_when_dying.patch
diff -Nru sympa-6.1.23~dfsg/debian/sympa.preinst sympa-6.1.23~dfsg/debian/sympa.preinst
--- sympa-6.1.23~dfsg/debian/sympa.preinst	2013-10-03 13:46:30.000000000 +0200
+++ sympa-6.1.23~dfsg/debian/sympa.preinst	2015-01-16 02:09:47.000000000 +0100
@@ -36,6 +36,16 @@
 	done
 fi
 
+
+case "$1" in
+  install|upgrade)
+    if dpkg --compare-versions "$2" "<" "6.1.22~dfsg-1"; then
+        # delete sympa facility before managing it as a conffile (#774877)
+        rm -f /etc/sympa/facility
+    fi
+  ;;
+esac
+
 #DEBHELPER#
 
 exit 0

--- End Message ---
--- Begin Message --- 
On Mon, Jan 19, 2015 at 11:11:43PM +0100, Emmanuel Bouthenot wrote:
> Please unblock package sympa
> 
> unblock sympa/6.1.23~dfsg-2

Already unblocked by me on 16th January, reached testing yesterday. Please
use grep-excuses or look at the PTS first.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Attachment: signature.asc
Description: Digital signature


--- End Message ---
Reply to: