Package: sympa
Version: 5.2.3-1.2+etch1
Severity: critical
Justification: causes serious data loss
Tags: security

Thanks to Dmitry E. Oboukhov, for spotting that the following code in
Sympa leads to potential data loss due to symlink attacks (I think) :

In wwsympa.fcgi :

    open TMP, ">/tmp/dump";
    $document->dump(\*TMP);
    close TMP;

    open TMP, ">/tmp/dump2";
    &tools::dump_var ($param, 0, \*TMP);
    close TMP;

I'm not completely sure this may be called nor when, but if it may, then
better not have /tmp/dump linked to something the CGI could write to.

In any case, such code seems like debug to me, so should be removed I
guess (to be notified upstream, too).

Code in sympa.pl about --make_alias_file option may exhibit a similar
vulnerability too, although that may not be invoked unless under admin
control with a more or less changing filename... so may need more testing
and analysis on that second one.

Source : http://uvw.ru/report.lenny.txt,
http://lists.debian.org/debian-devel/2008/08/msg00312.html

Hope this helps,

-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                       3.108        add and remove users and groups
ii  debconf [debconf-2.0]         1.5.22       Debian configuration management sy
ii  exim4-daemon-light [mail-tra  4.69-6       lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl           <none>       (no description available)
ii  libc6                         2.7-13       GNU C Library: Shared libraries
pn  libcgi-fast-perl              <none>       (no description available)
pn  libcrypt-ciphersaber-perl     <none>       (no description available)
pn  libdbd-mysql-perl | libdbd-p  <none>       (no description available)
ii  libdbi-perl                   1.605-1      Perl5 database interface by Tim Bu
ii  libfcgi-perl                  0.67-2.1+b1  FastCGI Perl module
ii  libintl-perl                  1.16-4       Uniforum message translations syst
ii  libio-stringy-perl            2.110-4      Perl modules for IO from scalars a
ii  libmailtools-perl             2.03-1       Manipulate email in perl programs
pn  libmd5-perl                   <none>       (no description available)
ii  libmime-perl                  5.427-1      transitional dummy package
ii  libmime-tools-perl [libmime-  5.427-1      Perl5 modules for MIME-compliant m
pn  libmsgcat-perl                <none>       (no description available)
pn  libnet-ldap-perl              <none>       (no description available)
pn  libtemplate-perl              <none>       (no description available)
ii  libxml-libxml-perl            1.66-1+b1    Perl module for using the GNOME li
pn  mhonarc                       <none>       (no description available)
ii  perl [libmime-base64-perl]    5.10.0-11.1  Larry Wall's Practical Extraction
pn  perl-suid                     <none>       (no description available)
ii  sysklogd [system-log-daemon]  1.5-5        System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                      0.8.16       utilities to manage online documen
ii  logrotate                     3.7.1-3      Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd]   2.2.9-6      Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi         <none>       (no description available)
pn  mysql-server | postgresql     <none>       (no description available)
ii  openssl                       0.9.8g-12    Secure Socket Layer (SSL) binary a

-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
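
The fixed-name open() pattern quoted in the report above, next to two safer ways to create such a dump file, as an added Perl example that is not part of the original message or of Sympa's code. It assumes a private scratch directory standing in for /tmp; the file names (important.db, sympa_dump_XXXXXX) and contents are hypothetical and constructed for the demo.

```perl
#!/usr/bin/perl
# Added example: the fixed-name open() from the report vs. two safer ways
# to create a debug dump file. Everything runs inside a private scratch
# directory; file names and contents are constructed for the demo.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

my $dir    = tempdir(CLEANUP => 1);      # stands in for a shared /tmp
my $victim = "$dir/important.db";        # hypothetical file the CGI user can write
my $dump   = "$dir/dump";                # predictable name, as in ">/tmp/dump"

sub slurp { my ($p) = @_; open my $fh, '<', $p or die "$p: $!"; local $/; my $c = <$fh>; return defined $c ? $c : '' }

sub reset_victim {
    open my $fh, '>', $victim or die "$victim: $!";
    print {$fh} "precious data\n";
    close $fh;
}

# A symlink already sits at the predictable path before the dump is written.
reset_victim();
symlink $victim, $dump or die "symlink: $!";

# 1. Pattern from the report: open() follows the link and truncates the target.
open my $tmp, '>', $dump or die "open: $!";
print {$tmp} "debug dump\n";
close $tmp;
printf "plain open : victim now contains %s", slurp($victim);

# 2. O_CREAT|O_EXCL fails if the path exists at all, symlinks included.
reset_victim();
if (sysopen my $fh, $dump, O_WRONLY | O_CREAT | O_EXCL, 0600) {
    print "sysopen    : unexpectedly succeeded\n";
} else {
    print "sysopen    : refused ($!)\n";
}
printf "             victim still contains %s", slurp($victim);

# 3. File::Temp picks an unpredictable name and opens it with O_EXCL, mode 0600.
my ($fh, $name) = tempfile('sympa_dump_XXXXXX', DIR => $dir, UNLINK => 0);
print {$fh} "debug dump\n";
close $fh;
printf "File::Temp : wrote %s (mode %04o)\n", $name, (stat $name)[2] & 07777;
```

For debug output that must persist, a directory owned by the service account and not writable by other users avoids the shared-/tmp race altogether.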