
Bug#904774: marked as done (stretch-pu: package sympa/6.2.16~dfsg-3+deb9u1)



Your message dated Wed, 5 Sep 2018 21:31:24 +0200
with message-id <20180905193124.GA16710@eldamar.local>
and subject line Re: Bug#904774: stretch-pu: package sympa/6.2.16~dfsg-3+deb9u1
has caused the Debian Bug report #904774,
regarding stretch-pu: package sympa/6.2.16~dfsg-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
904774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904774
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi stable release managers,

X-Debbugs-CC'ing Emmanuel Bouthenot.

Sympa in stable is affected by 863631, where on every update of sympa,
the values reinjected to sympa config file were false due to an issue
in the shell function used to prefill the debconf questions.

This was earlier fixed for buster, but updates within stretch will
still have the problem.

Now, there is a security update planned for CVE-2018-1000550 and for
the above reason I would include the cherry picked fix for the above,
but would like to get an official ack, given it's not for the security
fix.

Attached is the full debdiff as planned right now, only the
debian/config part of the diff would be relevant for #863631.

Let me know, please, if you disagree with the approach.

Regards,
Salvatore
diff -Nru sympa-6.2.16~dfsg/debian/changelog sympa-6.2.16~dfsg/debian/changelog
--- sympa-6.2.16~dfsg/debian/changelog	2017-03-05 06:56:13.000000000 +0100
+++ sympa-6.2.16~dfsg/debian/changelog	2018-07-27 19:48:38.000000000 +0200
@@ -1,3 +1,18 @@
+sympa (6.2.16~dfsg-3+deb9u1) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+
+  [ Salvatore Bonaccorso ]
+  * Directory traversal vulnerability (CVE-2018-1000550)
+
+  [ Emmanuel Bouthenot ]
+  * Fix shell function used to prefill debconf questions from Sympa
+    configuration file in debian/config. Values reinjected to Sympa config
+    file were false and led to serious configurations issues.
+    (Closes: #863631)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 27 Jul 2018 19:48:38 +0200
+
 sympa (6.2.16~dfsg-3) unstable; urgency=medium
 
   * Add dependency on libnet-dns-perl to perform DMARC verifications
diff -Nru sympa-6.2.16~dfsg/debian/config sympa-6.2.16~dfsg/debian/config
--- sympa-6.2.16~dfsg/debian/config	2016-11-25 10:34:20.000000000 +0100
+++ sympa-6.2.16~dfsg/debian/config	2018-07-27 19:48:38.000000000 +0200
@@ -10,7 +10,7 @@
 sympa_conf_get() {
     key="${1}"
     if [ -e "${conf}" ]; then
-        sed -r -n 's/^\s*db_user\s+(.*)$/\1/p' "${conf}"
+        sed -r -n "s/^\s*${key}\s+(.*)\$/\1/p" "${conf}"
     fi
 }
 
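Review bot: `${key}` is interpolated unescaped into the sed ERE on the `+` line, so the function is only safe while every caller passes a literal configuration parameter name (`db_user`, `db_passwd`, ...); keep the call sites literal and do not route user-supplied strings through it. Two smaller points on the same line: if a key appears more than once in `${conf}` every value is printed, so a caller doing `value="$(sympa_conf_get db_user)"` gets a multi-line string (adding `;q` after `p`, or piping to `head -n1`, returns the first match only), and `(.*)$` captures trailing whitespace on the line, which will be written back verbatim unless the caller trims it.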
diff -Nru sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch
--- sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch	1970-01-01 01:00:00.000000000 +0100
+++ sympa-6.2.16~dfsg/debian/patches/1005_sympa-6.2.24-sa-2018-001.patch	2018-07-27 19:48:38.000000000 +0200
@@ -0,0 +1,92 @@
+commit deb5aabcd3f215ccf86fc61f36f44ec165b4fc4f
+Author: IKEDA Soji <ikeda@conversion.co.jp>
+Date:   Fri Apr 13 17:49:19 2018 +0900
+
+    [*bug] WWSympa: Multiple bugs on permissions to edit files:
+      - Owners could view list config files (`info`, templates etc.) even if
+        edit_list.conf prohibits.  Fixed by removing unused function viewfile.
+      - "Edit list templates" menu lists files prohibited by edit_list.conf.
+      - Owners and listmasters could create or modify arbitrary files in the
+        server with privileges of sympa user.
+
+--- a/src/cgi/wwsympa.fcgi.in
++++ b/src/cgi/wwsympa.fcgi.in
+@@ -194,7 +194,6 @@ our %comm = (
+     'firstpasswd'      => 'do_firstpasswd',
+     'requestpasswd'    => 'do_requestpasswd',
+     'choosepasswd'     => 'do_choosepasswd',
+-    'viewfile'         => 'do_viewfile',
+     'set'              => 'do_set',
+     'admin'            => 'do_admin',
+     'add_request'      => 'do_add_request',
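Review bot: only the `'viewfile' => 'do_viewfile'` dispatch entry is removed here; nothing in the patch deletes `sub do_viewfile` itself, even though the commit message calls the function unused. Either drop the subroutine in the same patch or confirm it is unreachable without the dispatch entry, otherwise dead code that still reads list files stays in wwsympa.fcgi.in.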
+@@ -642,6 +641,7 @@ our %required_privileges = (
+     'edit_list'         => ['owner'],
+     'edit_list_request' => ['owner'],
+     'edit_template'     => ['listmaster'],
++    'editfile'             => ['owner', 'listmaster'],
+     'editsubscriber'       => ['owner', 'editor'],
+     'get_closed_lists'     => ['listmaster'],
+     'get_inactive_lists'   => ['listmaster'],
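Review bot: the added `'editfile'             => ['owner', 'listmaster'],` is padded to a different column than its neighbours (`'edit_template'     =>`); align it with the surrounding entries. On the logic, this table only gates which roles may reach the action at all; the per-file rights from edit_list.conf are still enforced inside `do_editfile`, so both checks must stay in place.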
+@@ -669,6 +669,7 @@ our %required_privileges = (
+     'restore_list'             => ['listmaster'],
+     'review_family'            => ['listmaster'],
+     'reviewbouncing'           => ['owner', 'editor'],
++    'savefile'                 => ['owner', 'listmaster'],
+     'search_user'              => ['listmaster'],
+     'serveradmin'              => ['listmaster'],
+     'set_dumpvars'             => ['listmaster'],
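Review bot: `savefile` had no entry in `%required_privileges` before this patch, so the only gate was the inline `is_admin('owner', ...)`/`is_listmaster` check in `do_savefile` that the last hunk replaces. With the role gate moved here it has to stay consistent with the `may_edit` check below it: this table grants owner and listmaster, `may_edit` then narrows per file, so a role added here without a matching edit_list.conf entry would be let in by the table and rejected by `may_edit`, which is the safe direction but worth a comment at the table.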
+@@ -6582,9 +6583,10 @@ sub do_admin {
+         'message.header', 'remind.tt2',
+         'invite.tt2',     'reject.tt2'
+         ) {
+-        next
+-            unless (
+-            $list->may_edit($f, $param->{'user'}{'email'}) eq 'write');
++        my $fa = ($f eq 'info') ? 'info.file' : $f;
++        my ($role, $right) =
++            $list->may_edit($fa, $param->{'user'}{'email'});
++        next unless $right eq 'write';
+         if ($Sympa::Tools::WWW::filenames{$f}{'gettext_id'}) {
+             $param->{'files'}{$f}{'complete'} =
+                 $language->gettext(
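Review bot: `my ($role, $right) = $list->may_edit($fa, ...)` assumes `may_edit` returns a two-element list, which is what the upstream 6.2.24 code this comes from expects; the 6.2.16 code being patched only ever compared the call in scalar context (`may_edit(...) eq 'write'`). Confirm that `Sympa::List::may_edit` in 6.2.16 returns `($role, $right)` in list context, otherwise `$right` is undef, every file is hidden from the admin menu, and `$right eq 'write'` warns on every iteration. `$role` is unused in this hunk; `my (undef, $right) = ...` would make that explicit.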
+@@ -9205,12 +9207,9 @@ sub do_editfile {
+             my $filename_for_auth = $f;
+             $filename_for_auth = 'info.file'
+                 if ($filename_for_auth eq 'info');
+-            next
+-                unless (
+-                $list->may_edit(
+-                    $filename_for_auth, $param->{'user'}{'email'}
+-                ) eq 'write'
+-                );
++            my ($role, $right) = $list->may_edit(
++                    $filename_for_auth, $param->{'user'}{'email'});
++            next unless $right eq 'write';
+             if ($Sympa::Tools::WWW::filenames{$f}{'gettext_id'}) {
+                 $param->{'files'}{$f}{'complete'} =
+                     $language->gettext(
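Review bot: same backport concern as in `do_admin`: the list assignment `my ($role, $right) = $list->may_edit(...)` replaces a scalar `eq 'write'` comparison and only works if 6.2.16's `may_edit` returns a list; `$role` is again unused. Also, this function already maps `info` to `info.file` via `$filename_for_auth`, while `do_admin` and `do_savefile` now re-implement the same mapping inline as `$fa`; a small shared helper would keep the three call sites from drifting apart.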
+@@ -9380,10 +9379,21 @@ sub do_savefile {
+ 
+     $param->{'subtitle'} = sprintf $param->{'subtitle'}, $in{'file'};
+ 
++    unless ($in{'file'} and $Sympa::Tools::WWW::filenames{$in{'file'}}) {
++        Sympa::Report::reject_report_web('user', 'file_not_editable',
++            {'file' => $in{'file'}},
++            $param->{'action'});
++        wwslog('info', 'File %s not editable', $in{'file'});
++        return undef;
++    }
++
+     if ($param->{'list'}) {
+-        unless ($list->is_admin('owner', $param->{'user'}{'email'})
+-            or Sympa::is_listmaster($list, $param->{'user'}->{'email'})) {
+-            Sympa::Report::reject_report_web('auth', 'action_owner', {},
++        my $fa = ($in{'file'} eq 'info') ? 'info.file' : $in{'file'};
++        my ($role, $right) =
++            $list->may_edit($fa, $param->{'user'}{'email'});
++        unless ($right eq 'write') {
++            Sympa::Report::reject_report_web('auth', 'edit_right',
++                {'role' => $role, 'right' => $right},
+                 $param->{'action'}, $list);
+             wwslog('err', 'Not allowed');
+             web_db_log(
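Review bot: the `$Sympa::Tools::WWW::filenames{$in{'file'}}` whitelist is the actual fix for arbitrary file writes and is correctly placed before the `$param->{'list'}` branch, so it also covers saves with no list selected; it does rely on the hash keys in 6.2.16 being the same bare file names that `do_admin` iterates as `$f`, which should be verified in the 6.2.16 tree rather than assumed from 6.2.24. The reject paths use the report keys `file_not_editable` and `edit_right` (the old code used `action_owner`); check that both exist in 6.2.16's `Sympa::Report`/web templates, since this patch references them without adding them and a missing key would render an empty rejection message. The hunk ends on the unchanged `web_db_log(` line, so the rest of the rejection path is as before.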
diff -Nru sympa-6.2.16~dfsg/debian/patches/series sympa-6.2.16~dfsg/debian/patches/series
--- sympa-6.2.16~dfsg/debian/patches/series	2017-02-15 14:43:11.000000000 +0100
+++ sympa-6.2.16~dfsg/debian/patches/series	2018-07-27 19:48:38.000000000 +0200
@@ -2,5 +2,6 @@
 1002_fix_various_typos
 1003_fix_various_log_severity
 1004_make_build_reproducible.patch
+1005_sympa-6.2.24-sa-2018-001.patch
 2001_ca_bundle_check_as_warning.patch
 2002_support_jquery3_using_migrate.patch
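Review bot: the new `1005_sympa-6.2.24-sa-2018-001.patch` carries only the raw upstream commit header (hash, author, date) and no DEP-3 fields; add an `Origin:` line pointing at upstream commit deb5aabcd3f215ccf86fc61f36f44ec165b4fc4f, a `Bug:`/`Bug-Debian:` reference and the CVE id (CVE-2018-1000550, sa-2018-001) so the patch is traceable from the package itself and not only from debian/changelog.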

--- End Message ---
--- Begin Message ---
Hi,

On Wed, Aug 01, 2018 at 10:20:53AM +0200, Salvatore Bonaccorso wrote:
> Hi Adam,
> 
> On Sat, Jul 28, 2018 at 09:25:34AM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Fri, 2018-07-27 at 20:20 +0200, Salvatore Bonaccorso wrote:
> > > Sympa in stable is affected by 863631, where on every update of
> > > sympa, the values reinjected to sympa config file were false due to
> > > an issue in the shell function used to prefill the debconf questions.
> > > 
> > > This was earlier fixed for buster, but updates within stretch will
> > > still have the problem.
> > > 
> > > Now, there is a security update planned for CVE-2018-1000550 and for
> > > the above reason I would include the cherry picked fix for the above,
> > > but would like to get an official ack, given it's not for the
> > > security fix.
> > 
> > That looks fine to me, thanks.
> 
> Thanks!

Can be closed now, the fix is included in DSA-4285-1.

Regards,
Salvatore

--- End Message ---