tags 494969 + patch
thanks

Here's a copy of upstream's response (http://sourcesup.cru.fr/tracker/?func=detail&atid=167&aid=4430&group_id=23) :
-----
Date: 14/08/2008 17:15
Sender: Olivier Salaün

Thanks for reporting your thoughts about potential attacks, however it does not seem to be a legitimate threat for the following reasons :

1. new_d_read() in wwsympa.fcgi is a dead function (aimed at replacing wwsympa::do_d_read() ) and therefore this code cannot be run
2. the make_alias_file code in sympa.pl does create a file in /tmp directory, however the data it writes are hard-coded, no possibility of data injection

On a more general perspective, I don't consider symlink attacks as significant threats on a mailing list server because these attacks require a user to log in and define a symlink. You would not have user accounts on a mailing list server.

However, we're going to make some cleanup in the code to a) remove the debug code you mentioned, b) use Sympa's own tmp/ directory instead of /tmp when needed.

Patches have been applied on the trunk only :
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/sympa.pl?r1=5071&r2=5111
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/wwsympa/wwsympa.fcgi?r1=5106&r2=5110
-----

I guess both patches need to be applied to the package then. See attached patch.

Anyway some second opinion may be valuable.

Best regards,

On Wed, Aug 13, 2008 at 03:55:46PM +0200, Olivier Berger wrote:
>
> Thanks to Dmitry E. Oboukhov, for spotting that the following code in Sympa
> leads to potential data loss due to symlink attacks (I think) :
>
> In wwsympa.fcgi :
>     open TMP, ">/tmp/dump";
>     $document->dump(\*TMP);
>     close TMP;
>
>     open TMP, ">/tmp/dump2";
>     &tools::dump_var ($param, 0, \*TMP);
>     close TMP;
>
> I'm not completely sure this may be called nor when, but if it may, then
> better not have /tmp/dump linked to something the CGI could write to.
>
> In any case, such code seems like debug to me, so should be removed I guess
> (to be notified upstream, too).
>
> Code in sympa.pl about --make_alias_file option may exhibit a similar
> vulnerability too, although that may not be invoked unless under admin
> control with a more or less changing filename... so may need more testing and
> analysis on that second one.
>
> Source : http://uvw.ru/report.lenny.txt,
> http://lists.debian.org/debian-devel/2008/08/msg00312.html
>
> Hope this helps,
>

--- trunk/wwsympa/wwsympa.fcgi.orig 2008-08-05 14:20:54.000000000 +0200 +++ trunk/wwsympa/wwsympa.fcgi 2008-08-14 17:45:23.000000000 +0200 @@ -16334,13 +16334,6 @@ } } - open TMP, ">/tmp/dump"; - $document->dump(\*TMP); - close TMP; - - open TMP, ">/tmp/dump2"; - &tools::dump_var ($param, 0, \*TMP); - close TMP; &web_db_log({'robot' => $robot,'list' => $list->{'name'},'action' => $param->{'action'},'parameters' => "$in{'path'}",'target_email' => "",'msg_id' => '','status' => 'success','error_type' => '','user_email' => $param->{'user'}{'email'},'client' => $ip,'daemon' => $daemon_name}); return 1; } --- trunk/src/sympa.pl.orig 2008-08-05 14:20:54.000000000 +0200 +++ trunk/src/sympa.pl 2008-08-14 17:45:23.000000000 +0200 @@ -407,16 +407,16 @@ exit 0; }elsif ($main::options{'make_alias_file'}) { my $all_lists = &List::get_lists('*'); - unless (open TMP, ">/tmp/sympa_aliases.$$") { - printf STDERR "Unable to create tmp/sympa_aliases.$$, exiting\n"; + unless (open TMP, ">$Conf{'tmpdir'}/sympa_aliases.$$") { + printf STDERR "Unable to create $Conf{'tmpdir'}/sympa_aliases.$$, exiting\n"; exit; } printf TMP "#\n#\tAliases for all Sympa lists open (but not for robots)\n#\n"; close TMP; foreach my $list (@$all_lists) { - system ("--SBINDIR--/alias_manager.pl add $list->{'name'} $list->{'domain'} /tmp/sympa_aliases.$$") if ($list->{'admin'}{'status'} eq 'open'); + system ("--SBINDIR--/alias_manager.pl add $list->{'name'} $list->{'domain'} $Conf{'tmpdir'}/sympa_aliases.$$") if ($list->{'admin'}{'status'} eq 'open'); } - printf ("Sympa aliases file is /tmp/sympa_aliases.$$ file made, you probably need to installed it in your SMTP engine\n"); + printf ("Sympa aliases file is $Conf{'tmpdir'}/sympa_aliases.$$ file made, you probably need to installed it in your SMTP engine\n"); exit 0; }elsif ($main::options{'version'}) {
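
Review bot: In the sympa.pl hunk the new path is still a predictable name (sympa_aliases.$$) opened with a plain ">", which follows an existing symlink and truncates its target, so the change is only as safe as the permissions on $Conf{'tmpdir'}. Consider creating the file exclusively (sysopen with O_CREAT|O_EXCL, or File::Temp) and checking that the directory is writable by the Sympa user only. On the same lines, system() is called with a single interpolated string, so $list->{'name'} and $list->{'domain'} pass through a shell; the list form of system would avoid that. The message "you probably need to installed it" could also be corrected to "install" while the line is being touched.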
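
The symlink problem described in the quoted report for fixed names under /tmp, and the reason a predictable name such as sympa_aliases.$$ stays unsafe in any directory other users can write to, shown as an added Perl example (not Sympa's code and not part of this message). The sandbox directory, the file important.conf and the helper subs are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox standing in for a temp directory other users can write to.
my $shared      = tempdir(CLEANUP => 1);
my $victim      = "$shared/important.conf";    # hypothetical file owned by the daemon user
my $predictable = "$shared/sympa_aliases.$$";  # naming scheme used in sympa.pl

sub write_file {    # the pattern from the page: plain ">" open
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $data;
    close($fh) or die "close $path: $!";
}

sub read_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Someone else created the predictable name first, as a symlink.
write_file($victim, "original contents\n");
symlink($victim, $predictable) or die "symlink: $!";

# 1. Plain open follows the link and truncates the target.
write_file($predictable, "#\n#\tAliases for all Sympa lists\n#\n");
print "plain open   -> victim now: ", read_file($victim);

# 2. O_CREAT|O_EXCL fails with EEXIST on any existing name, symlinks included.
write_file($victim, "original contents\n");
if (sysopen(my $fh, $predictable, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close($fh);
    die "unexpected: exclusive create succeeded on an existing name\n";
}
print "sysopen EXCL -> refused ($!), victim still: ", read_file($victim);

# 3. File::Temp picks an unpredictable name and creates it exclusively.
my ($tfh, $tname) = tempfile('sympa_aliases.XXXXXXXX', DIR => $shared);
print {$tfh} "#\n#\tAliases for all Sympa lists\n#\n";
close($tfh) or die "close $tname: $!";
print "File::Temp   -> wrote $tname\n";
```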