Your message dated Thu, 24 May 2012 22:06:01 +0000
with message-id <e1sxgat-0007li...@franck.debian.org>
and subject line Bug#672893: fixed in sympa 6.0.1+dfsg-4+squeeze1
has caused the Debian Bug report #672893,
regarding wwsympa.fcgi fails to check download/delete permissions properly
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
672893: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672893
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sympa
Version: 6.0.1+dfsg-4
Severity: grave

Sympa versions <6.1.11 have a severe security issue where any user can
download or delete the archives of a mailing list if they know the name
of the list.

Debian has been tracking it at 
http://security-tracker.debian.org/tracker/CVE-2012-2352

I'm attaching a patch (taken from upstream commit:
https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&pathrev=7358
) that fixes the problem.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (800, 'stable'), (650, 'testing'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- wwsympa.fcgi        2012-05-14 11:53:36.000000000 +0300
+++ wwsympa.fcgi        2012-05-14 11:55:09.000000000 +0300
@@ -15956,6 +15956,11 @@
 sub do_arc_manage {
     &wwslog('info', "do_arc_manage ($in{'list'})");
 
+       ## Access Control
+       unless (defined &check_authz('do_arc', 'web_archive.access')) {
+               return undef;
+       }
+
     my $search_base = $wwsconf->{'arc_path'}.'/'.$list->get_list_id();
     opendir ARC, "$search_base";
     foreach my $dir (sort {$b cmp $a} grep(!/^\./,readdir ARC)) {
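Review bot: the new block in do_arc_manage gates an archive management page with the same 'web_archive.access' scenario that gates plain reading of the archive; confirm that this is the intended privilege level for management, or check a stricter scenario here if management is meant to be limited to list owners. Two smaller points: the added lines are tab-indented while the surrounding body uses four spaces, and `opendir ARC, "$search_base";` immediately after the new block still ignores its return value, so a missing archive directory proceeds to readdir on a handle that was never opened.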
@@ -15972,6 +15977,11 @@
 sub do_arc_download {
     
     &wwslog('info', "do_arc_download ($in{'list'})");
+
+       ## Access Control
+       unless (defined &check_authz('do_arc', 'web_archive.access')) {
+               return undef;
+       }
     
     ##zip file name:listname_archives.zip  
     my $zip_file_name = $in{'list'}.'_archives.zip';
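Review bot: the access check in do_arc_download is placed before anything is derived from the request, which is the right order, but the zip name on the last line is still built from the raw `$in{'list'}` parameter rather than from `$list->get_list_id()` as do_arc_manage does; since the list name now has to pass check_authz this is not an authorization issue, but using the validated list object keeps the file name consistent with the archive directory path. The indentation of the added block (tabs) does not match the four-space body.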
@@ -16072,6 +16082,11 @@
     my @abs_dirs;
     
     &wwslog('info', "do_arc_delete ($in{'list'})");
+
+       ## Access Control
+       unless (defined &check_authz('do_arc', 'web_archive.access')) {
+               return undef;
+       }
     
     unless (defined  $in{'directories'}){
        &report::reject_report_web('user','select_month',{},$param->{'action'});
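Review bot: the added block in do_arc_delete returns undef without calling &report::reject_report_web, whereas the existing code two lines later reports the missing 'directories' parameter to the user explicitly; confirm that check_authz itself emits the rejection to the web session, otherwise a denied delete will render as an empty response rather than an error. The authorization check correctly precedes the parameter check. Since this identical five-line block is now copied into three handlers, a follow-up could move it to the action dispatcher so that a future archive action cannot ship without it.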

--- End Message ---
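The three hunks above each retrofit the same check into one handler. As an added illustration (not Sympa code, and not from the reporter or the Debian maintainers), the following constructed Python example shows the pre-fix shape of such a handler, the gated shape, and a dispatcher that refuses to run any handler that was not wrapped, so that a further archive action added later cannot repeat the bug. The list policy, user names and archive contents are constructed sample data; Sympa's real check is its `check_authz` call against the `web_archive.access` scenario, which the toy `check_authz` here only imitates.

```python
"""Authorization gate for archive actions (added example, not Sympa code).

Sympa's fix for CVE-2012-2352 adds an explicit check_authz() call to three
handlers (manage, download, delete). This constructed example shows the bug
and the fix in miniature, plus a dispatcher-level guard that rejects any
handler that was registered without the gate.
"""

# Constructed sample policy. Real Sympa decides this from scenario files
# (e.g. web_archive.access), not from a dict.
ARCHIVE_POLICY = {
    "staff-announce": {"access": "private", "subscribers": {"alice", "bob"}},
    "public-list": {"access": "public", "subscribers": {"carol"}},
}


class Denied(Exception):
    """Raised when the requester fails the archive access check."""


def check_authz(user, listname, policy=ARCHIVE_POLICY):
    """Return True if `user` (None = anonymous) may access the archive.

    Unknown lists are denied rather than reported as missing, so a guessed
    list name is not confirmed to an unauthorized caller.
    """
    entry = policy.get(listname)
    if entry is None:
        return False
    if entry["access"] == "public":
        return True
    return user is not None and user in entry["subscribers"]


# Pre-fix shape: the handler trusts the list name from the request and never
# asks who is calling. Kept only to contrast with the gated version.
def arc_download_unchecked(req, archives):
    return archives[req["list"]]


def gated(handler):
    """Wrap a handler so the access check always runs before its body."""
    def wrapper(req, archives):
        user = req.get("user")
        if not check_authz(user, req["list"]):
            raise Denied(f"{user!r} may not access archive of {req['list']!r}")
        return handler(req, archives)
    wrapper.gated = True          # marker the dispatcher looks for
    return wrapper


@gated
def arc_download(req, archives):
    return archives[req["list"]]


@gated
def arc_delete(req, archives):
    # True if an archive was actually removed.
    return archives.pop(req["list"], None) is not None


# Constructed: a handler someone added without the decorator. The dispatcher
# below refuses to run it instead of silently exposing it.
def arc_manage_forgot_gate(req, archives):
    return sorted(archives)


ACTIONS = {
    "arc_download": arc_download,
    "arc_delete": arc_delete,
    "arc_manage": arc_manage_forgot_gate,
}


def dispatch(action, req, archives):
    """Route an action name to its handler, requiring the gate marker."""
    handler = ACTIONS.get(action)
    if handler is None or not getattr(handler, "gated", False):
        raise Denied(f"action {action!r} is unknown or not authorization-gated")
    return handler(req, archives)


def try_dispatch(action, req, archives):
    """Dispatch and report ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", dispatch(action, req, archives))
    except Denied as exc:
        return ("denied", str(exc))


def sample_archives():
    """Fresh constructed archive store for each experiment."""
    return {
        "staff-announce": b"constructed staff archive",
        "public-list": b"constructed public archive",
    }


def run_delete(req):
    """Attempt a delete on fresh sample data; return (status, lists left)."""
    archives = sample_archives()
    status, _ = try_dispatch("arc_delete", req, archives)
    return status, sorted(archives)


if __name__ == "__main__":
    print(arc_download_unchecked({"list": "staff-announce"}, sample_archives()))
    print(try_dispatch("arc_download", {"list": "staff-announce"}, sample_archives()))
    print(run_delete({"user": "carol", "list": "staff-announce"}))
    print(run_delete({"user": "alice", "list": "staff-announce"}))
```

The decorator is what the Sympa patch does by hand in each function; the `gated` marker checked in `dispatch` is the extra step that turns "every handler must remember to call the check" into "an unchecked handler is not reachable at all".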
--- Begin Message ---
Source: sympa
Source-Version: 6.0.1+dfsg-4+squeeze1

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive:

sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
  to main/s/sympa/sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
sympa_6.0.1+dfsg-4+squeeze1.dsc
  to main/s/sympa/sympa_6.0.1+dfsg-4+squeeze1.dsc
sympa_6.0.1+dfsg-4+squeeze1_amd64.deb
  to main/s/sympa/sympa_6.0.1+dfsg-4+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 672...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kol...@debian.org> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 19 May 2012 15:49:55 +0000
Source: sympa
Binary: sympa
Architecture: source amd64
Version: 6.0.1+dfsg-4+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Sympa team <pkg-sympa-de...@lists.alioth.debian.org>
Changed-By: Emmanuel Bouthenot <kol...@debian.org>
Description: 
 sympa      - Modern mailing list manager
Closes: 672893
Changes: 
 sympa (6.0.1+dfsg-4+squeeze1) stable-security; urgency=high
 .
   * Fix CVE-2012-2352: Possibility to bypass the authorization mechanisms in
   the archive management page of wwsympa (Closes: #672893)
Checksums-Sha1: 
 162c35d2e518c77807208e80e0d57e87af495a93 2580 sympa_6.0.1+dfsg-4+squeeze1.dsc
 9efaf6c3531c635ba935ec589545584e36228a60 4675743 sympa_6.0.1+dfsg.orig.tar.gz
 f60592589f92c13532f4b675b6b344c1f969e047 108365 sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
 fc4a079368cdbcd7a7fd18ffd399fe88f567e6db 2524590 sympa_6.0.1+dfsg-4+squeeze1_amd64.deb
Checksums-Sha256: 
 e1b5e06327d23f210762ae7c22c6c4211f0e667eb39644aeb170a174e60e93ae 2580 sympa_6.0.1+dfsg-4+squeeze1.dsc
 a5637ff0d870c0d266fcbadaf6a45c3d0f7dd3397e413a7731b62ad34a6d2e6b 4675743 sympa_6.0.1+dfsg.orig.tar.gz
 8f3e39b68ad8c30c90577cd9a514e356725691cf5b150982d1381437c39583e5 108365 sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
 6569d4ad481bec65f4af39230334b960bdc8a3bc0e85ee5aac79f91b48e3d380 2524590 sympa_6.0.1+dfsg-4+squeeze1_amd64.deb
Files: 
 43de70f43a457e8415a8411eb5af7ee6 2580 mail optional sympa_6.0.1+dfsg-4+squeeze1.dsc
 fe14224f015aa79dee67979e65f8a988 4675743 mail optional sympa_6.0.1+dfsg.orig.tar.gz
 857d6fcabba5325330874e859bef60ca 108365 mail optional sympa_6.0.1+dfsg-4+squeeze1.debian.tar.gz
 3c66d31c7c7afa879165043097b480e5 2524590 mail optional sympa_6.0.1+dfsg-4+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
