tags 494969 + patch
thanks
Here's a copy of upstream's response
(http://sourcesup.cru.fr/tracker/?func=detail&atid=167&aid=4430&group_id=23) :
-----
Date: 14/08/2008 17:15
Sender: Olivier Salaün
Thanks for reporting your thoughts about potential attacks, however it does not
seem to be a legitimate threat for the following reasons :
1. new_d_read() in wwsympa.fcgi is a dead function (aimed at
replacing wwsympa::do_d_read() ) and therefore this code cannot be run
2. the make_alias_file code in sympa.pl does create a file in /tmp
directory, however the data it writes are hard-coded, no
possibility of data injection
On a more general perspective, I don't consider symlink attacks as significant
threats on a mailing list server because these attacks require a user to log in
and define a symlink. You would not have
user accounts on a mailing list server.
However, we're going to make some cleanup in the code to a) remove the debug
code you mentioned, b) use Sympa's own tmp/ directory instead of /tmp when
needed.
Patches have been applied on the trunk only :
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/sympa.pl?r1=5071&r2=5111
http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/wwsympa/wwsympa.fcgi?r1=5106&r2=5110
-----
I guess both patches need to be applied to the package then.
See attached patch.
Anyway some second opinion may be valuable.
Best regards,
On Wed, Aug 13, 2008 at 03:55:46PM +0200, Olivier Berger wrote:
>
> Thanks to Dmitry E. Oboukhov, for spotting that the following code in Sympa
> leads to potential data loss due to symlink attacks (I think) :
>
> In wwsympa.fcgi :
> open TMP, ">/tmp/dump";
> $document->dump(\*TMP);
> close TMP;
>
> open TMP, ">/tmp/dump2";
> &tools::dump_var ($param, 0, \*TMP);
> close TMP;
>
> I'm not completely sure this may be called nor when, but if it may, then
> better not have /tmp/dump linked to something the CGI could write to.
>
> In any case, such code seems like debug to me, so should be removed I guess
> (to be notified upstream, too).
>
> Code in sympa.pl about --make_alias_file option may exhibit a similar
> vulnerability too, although that may not be invoked unless under admin
> control with a more or less changing filename... so may need more testing and
> analysis on that second one.
>
> Source : http://uvw.ru/report.lenny.txt,
> http://lists.debian.org/debian-devel/2008/08/msg00312.html
>
> Hope this helps,
>
--- trunk/wwsympa/wwsympa.fcgi.orig 2008-08-05 14:20:54.000000000 +0200
+++ trunk/wwsympa/wwsympa.fcgi 2008-08-14 17:45:23.000000000 +0200
@@ -16334,13 +16334,6 @@
}
}
- open TMP, ">/tmp/dump";
- $document->dump(\*TMP);
- close TMP;
-
- open TMP, ">/tmp/dump2";
- &tools::dump_var ($param, 0, \*TMP);
- close TMP;
&web_db_log({'robot' => $robot,'list' => $list->{'name'},'action' => $param->{'action'},'parameters' => "$in{'path'}",'target_email' => "",'msg_id' => '','status' => 'success','error_type' => '','user_email' => $param->{'user'}{'email'},'client' => $ip,'daemon' => $daemon_name});
return 1;
}
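Review bot: this hunk is cut against trunk (trunk/wwsympa/wwsympa.fcgi, offset 16334), and upstream says the fix went into trunk only, so confirm it applies to the packaged version. It covers only this one block; grep the packaged wwsympa.fcgi for any other open on a literal /tmp path before closing the bug.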
--- trunk/src/sympa.pl.orig 2008-08-05 14:20:54.000000000 +0200
+++ trunk/src/sympa.pl 2008-08-14 17:45:23.000000000 +0200
@@ -407,16 +407,16 @@
exit 0;
}elsif ($main::options{'make_alias_file'}) {
my $all_lists = &List::get_lists('*');
- unless (open TMP, ">/tmp/sympa_aliases.$$") {
- printf STDERR "Unable to create tmp/sympa_aliases.$$, exiting\n";
+ unless (open TMP, ">$Conf{'tmpdir'}/sympa_aliases.$$") {
+ printf STDERR "Unable to create $Conf{'tmpdir'}/sympa_aliases.$$, exiting\n";
exit;
}
printf TMP "#\n#\tAliases for all Sympa lists open (but not for robots)\n#\n";
close TMP;
foreach my $list (@$all_lists) {
- system ("--SBINDIR--/alias_manager.pl add $list->{'name'} $list->{'domain'} /tmp/sympa_aliases.$$") if ($list->{'admin'}{'status'} eq 'open');
+ system ("--SBINDIR--/alias_manager.pl add $list->{'name'} $list->{'domain'} $Conf{'tmpdir'}/sympa_aliases.$$") if ($list->{'admin'}{'status'} eq 'open');
}
- printf ("Sympa aliases file is /tmp/sympa_aliases.$$ file made, you probably need to installed it in your SMTP engine\n");
+ printf ("Sympa aliases file is $Conf{'tmpdir'}/sympa_aliases.$$ file made, you probably need to installed it in your SMTP engine\n");
exit 0;
}elsif ($main::options{'version'}) {
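Review bot: the new open line, open TMP, ">$Conf{'tmpdir'}/sympa_aliases.$$", still uses a predictable name and a two-argument write-open, which follows an existing symlink and truncates whatever it points to. The change is therefore only as safe as the permissions on $Conf{'tmpdir'}; an exclusive create (sysopen with O_CREAT|O_EXCL, or File::Temp) would remove that dependency. The system() line still interpolates $list->{'name'} and $list->{'domain'} into a single string that is handed to the shell; the list form of system would avoid that. Minor: "you probably need to installed it" in the final printf is carried over unchanged and could be fixed while the line is being touched.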
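Added example, not part of the original messages or of Sympa's code: it shows why a write-open on a predictable name is a problem when the name already exists as a symlink, and how an exclusive create behaves in the same situation. It runs entirely inside a private scratch directory; the file names and the pid 1234 are constructed, and a POSIX system with symlink support is assumed.

```perl
#!/usr/bin/perl
# Added example, not Sympa code. Everything happens inside a private scratch dir.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

# Constructed sandbox standing in for a directory other local users can write to.
my $dir    = tempdir(CLEANUP => 1);
my $target = "$dir/owned_by_daemon.txt";  # constructed file the daemon may write
my $fixed  = "$dir/sympa_aliases.1234";   # predictable name; 1234 is a made-up pid

sub put {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $data;
    close($fh) or die "close $path: $!";
}
sub get {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;                              # slurp mode
    my $data = <$fh>;
    return defined $data ? $data : '';
}
sub state_of { return get($target) eq "precious\n" ? 'intact' : 'overwritten' }
sub plant {   # reset: intact target, predictable name pre-created as a symlink to it
    unlink $fixed;
    put($target, "precious\n");
    symlink($target, $fixed) or die "symlink: $!";
}

# 1. Pattern from the report: a plain write-open follows the link, truncates the target.
plant();
put($fixed, "#\n#\tAliases\n#\n");
printf "plain open '>' : target %s\n", state_of();

# 2. Exclusive create: O_CREAT|O_EXCL fails if the name exists, symlinks included.
plant();
if (sysopen(my $fh, $fixed, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    close $fh;
    print "sysopen O_EXCL : unexpectedly succeeded\n";
} else {
    my $err = "$!";                        # copy errno text before any further I/O
    printf "sysopen O_EXCL : refused (%s), target %s\n", $err, state_of();
}

# 3. File::Temp picks an unpredictable name and creates it exclusively.
my ($tfh, $tname) = tempfile('sympa_aliases.XXXXXXXX', DIR => $dir);
print {$tfh} "#\n#\tAliases\n#\n";
close($tfh) or die "close $tname: $!";
print "File::Temp     : wrote $tname\n";
```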