Hi,

> Thanks for reporting your thoughts about potential attacks, however it does
> not seem to be a legitimate threat for the following reasons :
>
>  1. new_d_read() in wwsympa.fcgi is a dead function (aimed at
>     replacing wwsympa::do_d_read() ) and therefore this code cannot be run
>
>  2. the make_alias_file code in sympa.pl does create a file in /tmp
>     directory, however the data it writes are hard-coded, no
>     possibility of data injection
>

I verified that (1) holds, so it isn't a critical bug to fix, although it
would be good to remove it just in case someone enables that function
again or copies the code.

The explanation of the upstream author for (2) only means the attack is
more limited, but you can of course still trash the system with it.

As I understand it, sympa.pl does not run as root, am I correct? In any
case the code as in make_alias_file should not be in Lenny so the bug is
still RC.

When grepping the sympa source for "/tmp" I find quite some occurrences of
other files directly in /tmp with insecure filenames. It should be checked
for each whether that code is executed and whether or not they should be moved
to Sympa's private tempdir.

> On a more general perspective, I don't consider symlink attacks as
> significant threats on a mailing list server because these attacks
> require a user to log in and define a symlink. You would not have
> user accounts on a mailing list server.

He may consider that, but for Debian that doesn't hold, as we've never claimed
that these packages may only be used on systems with only fully trusted
users.


cheers,
Thijs
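
The two patterns this thread contrasts, written out as an added example that is not Sympa's own code: a fixed-name file in the shared /tmp directory (the make_alias_file pattern), beside the same write done into a service-private tempdir with an unpredictable name created O_EXCL. The helper names, the alias lines and the directory path are assumptions for illustration, not anything from the Sympa source.

```perl
#!/usr/bin/perl
# Added example (not Sympa's code): fixed-name /tmp write versus a
# private-tempdir write, for a daemon that must drop files on disk.
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);

# Weak pattern: a predictable name in a world-writable directory, opened
# with plain '>' which follows whatever is already at that path. Any local
# user who can pre-create an entry there decides where the write lands.
# Defined for contrast only; the demo below never calls it.
sub write_aliases_insecure {
    my ($lines) = @_;
    my $path = '/tmp/sympa_aliases';                   # assumed name
    open(my $fh, '>', $path) or die "open $path: $!";
    print $fh @$lines;
    close $fh;
    return $path;
}

# Check a candidate private tempdir before trusting it: it must exist,
# be owned by the user we run as, and not be writable by others.
sub tempdir_is_private {
    my ($dir) = @_;
    return 0 unless -d $dir;
    my @st   = stat($dir) or return 0;
    my $mode = $st[2] & 07777;
    return 0 if $st[4] != $>;          # owned by someone else
    return 0 if $mode & 0022;          # group- or world-writable
    return 1;
}

# Hardened pattern: unpredictable name, created with O_CREAT|O_EXCL by
# File::Temp inside a directory only the service user can write to.
# O_EXCL refuses a pre-existing entry, so a planted symlink is never
# followed, and the private directory keeps other users from planting
# anything in the first place.
sub write_aliases_secure {
    my ($lines, $private_tmp) = @_;
    die "$private_tmp is not a private directory\n"
        unless tempdir_is_private($private_tmp);
    my ($fh, $path) = tempfile('aliases.XXXXXXXX',
                               DIR => $private_tmp, UNLINK => 0);
    print $fh @$lines;
    close $fh or die "close $path: $!";
    return $path;
}

# Demo with constructed alias lines and a throwaway private directory
# (tempdir() creates it mode 0700 under the current user).
my @alias_lines = (
    "list\@example.org:           \"| sympa_queue list\@example.org\"\n",
    "list-request\@example.org:   \"| sympa_queue list-request\@example.org\"\n",
);
my $private = tempdir(CLEANUP => 1);
my $written = write_aliases_secure(\@alias_lines, $private);

open(my $in, '<', $written) or die "reopen $written: $!";
my @back = <$in>;
close $in;
print "wrote ", scalar(@back), " alias lines to $written\n";
```

The ownership and mode check is what makes the "private tempdir" claim hold in practice: a tempdir that is owned by the service user but left group- or world-writable gives no more protection than /tmp, so the check fails closed rather than silently falling back to the shared directory.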
