Your message dated Thu, 28 Aug 2008 19:03:36 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: reopening sympa tmp races
has caused the Debian Bug report #494969,
regarding sympa: Leftover debug code may lead to data loss
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
494969: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: sympa
Version: 5.2.3-1.2+etch1
Severity: critical
Justification: causes serious data loss
Tags: security

Thanks to Dmitry E. Oboukhov for spotting that the following code in Sympa
leads to potential data loss due to symlink attacks (I think):

In wwsympa.fcgi:
     open TMP, ">/tmp/dump";
     $document->dump(\*TMP);
     close TMP;

     open TMP, ">/tmp/dump2";
     &tools::dump_var ($param, 0, \*TMP);
     close TMP;

I'm not completely sure this may be called nor when, but if it may, then better 
not have /tmp/dump linked to something the CGI could write to.

In any case, such code seems like debug to me, so should be removed I guess (to 
be notified upstream, too).

Code in sympa.pl about --make_alias_file option may exhibit a similar 
vulnerability too, although that may not be invoked unless under admin control 
with a more or less changing filename... so may need more testing and analysis 
on that second one.

Source: http://uvw.ru/report.lenny.txt,
http://lists.debian.org/debian-devel/2008/08/msg00312.html

Hope this helps,


-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                      3.108       add and remove users and groups
ii  debconf [debconf-2.0]        1.5.22      Debian configuration management sy
ii  exim4-daemon-light [mail-tra 4.69-6      lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl          <none>      (no description available)
ii  libc6                        2.7-13      GNU C Library: Shared libraries
pn  libcgi-fast-perl             <none>      (no description available)
pn  libcrypt-ciphersaber-perl    <none>      (no description available)
pn  libdbd-mysql-perl | libdbd-p <none>      (no description available)
ii  libdbi-perl                  1.605-1     Perl5 database interface by Tim Bu
ii  libfcgi-perl                 0.67-2.1+b1 FastCGI Perl module
ii  libintl-perl                 1.16-4      Uniforum message translations syst
ii  libio-stringy-perl           2.110-4     Perl modules for IO from scalars a
ii  libmailtools-perl            2.03-1      Manipulate email in perl programs
pn  libmd5-perl                  <none>      (no description available)
ii  libmime-perl                 5.427-1     transitional dummy package
ii  libmime-tools-perl [libmime- 5.427-1     Perl5 modules for MIME-compliant m
pn  libmsgcat-perl               <none>      (no description available)
pn  libnet-ldap-perl             <none>      (no description available)
pn  libtemplate-perl             <none>      (no description available)
ii  libxml-libxml-perl           1.66-1+b1   Perl module for using the GNOME li
pn  mhonarc                      <none>      (no description available)
ii  perl [libmime-base64-perl]   5.10.0-11.1 Larry Wall's Practical Extraction 
pn  perl-suid                    <none>      (no description available)
ii  sysklogd [system-log-daemon] 1.5-5       System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                      0.8.16     utilities to manage online documen
ii  logrotate                     3.7.1-3    Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd]   2.2.9-6    Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi         <none>     (no description available)
pn  mysql-server | postgresql     <none>     (no description available)
ii  openssl                       0.9.8g-12  Secure Socket Layer (SSL) binary a

-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)




--- End Message ---
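
The fixed-name open from the report next to two safer forms, as an added example that is not part of the original report or of Sympa's code. The sandbox directory, the file names and the three helper functions are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Sympa code. Everything runs inside a private sandbox
# directory that stands in for a shared /tmp; all names are constructed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir tempfile);

my $shared = tempdir(CLEANUP => 1);
my $target = "$shared/list-data";   # a file the CGI user is able to write
my $dump   = "$shared/dump";        # plays the role of /tmp/dump

open my $init, '>', $target or die "$target: $!";
print {$init} "subscriber data\n";
close $init;
symlink $target, $dump or die "symlink: $!";   # fixed name already occupied by a link

# Pattern from the report: '>' follows the link and truncates what it points to.
sub dump_fixed_name {
    my ($path, $data) = @_;
    open my $fh, '>', $path or return 0;
    print {$fh} $data;
    return close $fh;
}

# O_CREAT|O_EXCL fails with EEXIST if the name exists, symlinks included.
sub dump_exclusive {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} $data;
    return close $fh;
}

# File::Temp picks an unpredictable name and creates it exclusively, mode 0600.
sub dump_tempfile {
    my ($data) = @_;
    my ($fh, $name) = tempfile('dump-XXXXXXXX', DIR => $shared, UNLINK => 1);
    print {$fh} $data;
    close $fh or die "close: $!";
    return $name;
}

printf "exclusive open wrote: %s, target size: %d\n",
    (dump_exclusive($dump, "debug\n") ? 'yes' : 'no'), -s $target;
printf "tempfile written to:  %s, target size: %d\n",
    dump_tempfile("debug\n"), -s $target;
printf "fixed-name open wrote: %s, target size: %d\n",
    (dump_fixed_name($dump, "debug\n") ? 'yes' : 'no'), -s $target;
```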
--- Begin Message ---
Version: 5.3.4-5.1

Hi Olivier,
* Olivier Berger <[EMAIL PROTECTED]> [2008-08-28 11:48]:
> On Wed, Aug 27, 2008 at 05:24:20PM +0200, Nico Golde wrote:
[...] 
> The other bug is #496518 ?
> 
> I'm not sure the current bug needed reopening though...

Closed again, sorry I didn't see there was a new bug 
opened for the other issues.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
