Package: sympa
Version: 5.2.3-1.2+etch1
Severity: critical
Justification: causes serious data loss
Tags: security
Thanks to Dmitry E. Oboukhov, for spotting that the following code in Sympa
leads to potential data loss due to symlink attacks (I think) :
In wwsympa.fcgi :
open TMP, ">/tmp/dump";
$document->dump(\*TMP);
close TMP;
open TMP, ">/tmp/dump2";
&tools::dump_var ($param, 0, \*TMP);
close TMP;
I'm not completely sure this may be called nor when, but if it may, then better
not have /tmp/dump linked to something the CGI could write to.
In any case, such code seems like debug to me, so should be removed I guess (to
be notified upstream, too).
Code in sympa.pl about --make_alias_file option may exhibit a similar
vulnerability too, although that may not be invoked unless under admin control
with a more or less changing filename... so may need more testing and analysis
on that second one.
Source : http://uvw.ru/report.lenny.txt,
http://lists.debian.org/debian-devel/2008/08/msg00312.html
Hope this helps,
-- System Information:
Debian Release: lenny/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages sympa depends on:
ii adduser 3.108 add and remove users and groups
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii exim4-daemon-light [mail-tra 4.69-6 lightweight Exim MTA (v4) daemon
pn libarchive-zip-perl <none> (no description available)
ii libc6 2.7-13 GNU C Library: Shared libraries
pn libcgi-fast-perl <none> (no description available)
pn libcrypt-ciphersaber-perl <none> (no description available)
pn libdbd-mysql-perl | libdbd-p <none> (no description available)
ii libdbi-perl 1.605-1 Perl5 database interface by Tim Bu
ii libfcgi-perl 0.67-2.1+b1 FastCGI Perl module
ii libintl-perl 1.16-4 Uniforum message translations syst
ii libio-stringy-perl 2.110-4 Perl modules for IO from scalars a
ii libmailtools-perl 2.03-1 Manipulate email in perl programs
pn libmd5-perl <none> (no description available)
ii libmime-perl 5.427-1 transitional dummy package
ii libmime-tools-perl [libmime- 5.427-1 Perl5 modules for MIME-compliant m
pn libmsgcat-perl <none> (no description available)
pn libnet-ldap-perl <none> (no description available)
pn libtemplate-perl <none> (no description available)
ii libxml-libxml-perl 1.66-1+b1 Perl module for using the GNOME li
pn mhonarc <none> (no description available)
ii perl [libmime-base64-perl] 5.10.0-11.1 Larry Wall's Practical Extraction
pn perl-suid <none> (no description available)
ii sysklogd [system-log-daemon] 1.5-5 System Logging Daemon
Versions of packages sympa recommends:
ii doc-base 0.8.16 utilities to manage online documen
ii logrotate 3.7.1-3 Log rotation utility
Versions of packages sympa suggests:
ii apache2-mpm-prefork [httpd] 2.2.9-6 Apache HTTP Server - traditional n
pn libapache-mod-fastcgi <none> (no description available)
pn mysql-server | postgresql <none> (no description available)
ii openssl 0.9.8g-12 Secure Socket Layer (SSL) binary a
--
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
