Bug#961491: CVE-2020-10936: Security flaws in setuid wrappers

2020-12-14 Thread Sylvain Beucler

On 07/12/2020 12:06, Stefan Hornburg (Racke) wrote:
> On 12/7/20 10:52 AM, Sylvain Beucler wrote:
>> This high-severity issue was marked with:
>> [buster] - sympa  (Will be fixed via point release)
>>
>> Consequently I am surprised that it wasn't part of last week's Debian 10.7
>> point release.
>>
>> What happened?
>> Can we consider switching to a DSA?
>
> Yes, sorry I missed that point release. If you want a DSA, that's fine for me.

Status update: the update is ready and a debdiff was sent for approval
to the security team 2 days ago.


Cheers!
Sylvain
diff -Nru sympa-6.2.40~dfsg/debian/changelog sympa-6.2.40~dfsg/debian/changelog
--- sympa-6.2.40~dfsg/debian/changelog	2019-01-20 16:57:14.0 +0100
+++ sympa-6.2.40~dfsg/debian/changelog	2020-12-10 14:39:54.0 +0100
@@ -1,3 +1,21 @@
+sympa (6.2.40~dfsg-1+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2020-10936: Sympa allows privilege escalation through setuid
+wrappers. (Closes: #961491)
+  * CVE-2020-26932: restrict access to sympa_newaliases-wrapper (setuid
+root) to group sympa. (Closes: #971904)
+  * Ask the user whether they want/need sympa_newaliases-wrapper to
+be setuid root (CVE-2020-26880 mitigation).
+  * CVE-2020-9369: prevents creation of temporary files and email
+notifications to listmasters when encountering malformed input
+parameters. (Closes: #952428)
+  * CVE-2020-29668: Sympa allows remote attackers to obtain full SOAP API
+access by sending any arbitrary string (except one from an expired
+cookie) as the cookie value to authenticateAndRun. (Closes: #976020).
+
+ -- Sylvain Beucler   Thu, 10 Dec 2020 14:39:54 +0100
+
 sympa (6.2.40~dfsg-1) unstable; urgency=medium
 
   * New upstream release.
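Review bot: the CVE-2020-26880 entry ("Ask the user whether they want/need sympa_newaliases-wrapper to be setuid root") does not say what the debconf question defaults to, and the default is what decides the outcome for non-interactive upgrades; add the default to that bullet so an administrator reading the changelog knows whether the wrapper stays setuid root without answering the prompt.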
diff -Nru sympa-6.2.40~dfsg/debian/config sympa-6.2.40~dfsg/debian/config
--- sympa-6.2.40~dfsg/debian/config	2018-12-22 19:47:42.0 +0100
+++ sympa-6.2.40~dfsg/debian/config	2020-12-08 18:37:40.0 +0100
@@ -124,6 +124,10 @@
 db_go
 fi
 
+# Ask for sympa_newaliases-wrapper to be setuid root
+db_input high sympa/sympa_newaliases-wrapper-setuid-root || [ $? -eq 30 ]
+db_go
+
 # Ask for spool directories removal
 db_input medium wwsympa/remove_spool || [ $? -eq 30 ]
 db_go
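Review bot: the new question is namespaced `sympa/sympa_newaliases-wrapper-setuid-root` while the neighbouring question uses `wwsympa/remove_spool`; make sure the debian/templates entry and the postinst code that sets the wrapper's mode from the answer use exactly this name, since neither file is visible in this part of the debdiff. The `|| [ $? -eq 30 ]` guard is consistent with the existing questions.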
diff -Nru sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch
--- sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch	1970-01-01 01:00:00.0 +0100
+++ sympa-6.2.40~dfsg/debian/patches/CVE-2020-10936.patch	2020-12-08 19:03:59.0 +0100
@@ -0,0 +1,94 @@
+Origin: https://github.com/sympa-community/sympa/commit/3f8449c647e5ab32cf6f8837cb600c1756b6189c
+Last-Update: 2020-12-08
+Reviewed-by: Sylvain Beucler 
+
+From 3f8449c647e5ab32cf6f8837cb600c1756b6189c Mon Sep 17 00:00:00 2001
+From: IKEDA Soji 
+Date: Fri, 27 Mar 2020 21:28:18 +0900
+Subject: [PATCH] Sympa SA 2020-002 (candidate): Setuid wrappers should clear
+ environment variables to avoid exploits.
+
+---
+ src/cgi/sympa_soap_server-wrapper.fcgi.c | 7 ++-
+ src/cgi/wwsympa-wrapper.fcgi.c   | 7 ++-
+ src/libexec/sympa_newaliases-wrapper.c   | 7 ++-
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c
+index f4c6a6645..435d40c6b 100644
+--- a/src/cgi/sympa_soap_server-wrapper.fcgi.c
 b/src/cgi/sympa_soap_server-wrapper.fcgi.c
+@@ -6,6 +6,9 @@
+   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
+   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
++  Copyright 2020 The Sympa Community. See the AUTHORS.md
++  file at the top-level directory of this distribution and at
++  .
+  
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+@@ -24,8 +27,10 @@
+ #include 
+ 
+ int main(int argn, char **argv, char **envp) {
++char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
++
+ setreuid(geteuid(),geteuid());
+ setregid(getegid(),getegid());
+ argv[0] = SYMPASOAP;
+-return execve(SYMPASOAP,argv,envp);
++return execve(SYMPASOAP, argv, myenvp);
+ }
+diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c
+index c66c7f82b..34198ecf9 100644
+--- a/src/cgi/wwsympa-wrapper.fcgi.c
 b/src/cgi/wwsympa-wrapper.fcgi.c
+@@ -6,6 +6,9 @@
+   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
+   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
++  Copyright 2020 The Sympa Community. See the AUTHORS.md
++  file at the top-level directory of this distribution and at
++  .
+  
+   This program is free software; you can redistribute it and/or modify

Bug#961491: CVE-2020-10936: Security flaws in setuid wrappers

2020-12-07 Thread Stefan Hornburg (Racke)
On 12/7/20 10:52 AM, Sylvain Beucler wrote:
> Hi,
> 
> On Sat, 10 Oct 2020 09:45:42 +0300 "Stefan Hornburg (Racke)" 
>  wrote:
>> On 10/7/20 3:03 PM, Sylvain Beucler wrote:
>> > I noticed this local root escalation yesterday and I'm working on a
>> > Stretch LTS update.
>> > See also https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1
>> >
>> > Are there plans to update buster?
>>
>> Hello Sylvain,
>>
>> thanks a lot for your patch!
>>
>> I will talk to the security team concerning buster.
> 
> This high-severity issue was marked with:
> [buster] - sympa  (Will be fixed via point release)
> 
> Consequently I am surprised that it wasn't part of last week's Debian 10.7 
> point release.
> 
> What happened?
> Can we consider switching to a DSA?
> 
> Sylvain Beucler
> Debian LTS Team
> 
> 

Yes, sorry I missed that point release. If you want a DSA, that's fine for me.

Regards
 Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.





Bug#961491: CVE-2020-10936: Security flaws in setuid wrappers

2020-12-07 Thread Sylvain Beucler

Hi,

On Sat, 10 Oct 2020 09:45:42 +0300 "Stefan Hornburg (Racke)" wrote:
> On 10/7/20 3:03 PM, Sylvain Beucler wrote:
> > I noticed this local root escalation yesterday and I'm working on a
> > Stretch LTS update.
> > See also https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1
> >
> > Are there plans to update buster?
>
> Hello Sylvain,
>
> thanks a lot for your patch!
>
> I will talk to the security team concerning buster.


This high-severity issue was marked with:
[buster] - sympa  (Will be fixed via point release)

Consequently I am surprised that it wasn't part of last week's Debian 
10.7 point release.


What happened?
Can we consider switching to a DSA?

Sylvain Beucler
Debian LTS Team



Bug#961491: CVE-2020-10936: Security flaws in setuid wrappers

2020-05-25 Thread Stefan Hornburg (Racke)
package: sympa
severity: critical
tags: upstream security patch

Security advisory: https://sympa-community.github.io/security/2020-002.html

Excerpt:

--snip--
A vulnerability has been discovered in Sympa web interface by which an attacker
can execute arbitrary code with root privileges.

Sympa uses two sorts of setuid wrappers:

FastCGI wrappers
newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi)
were used to make the web interface run under the privileges of a dedicated user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the
alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment
variables like PERL5LIB were injected, forged code might be loaded and executed
under the privileges of the setuid-ed users.
--snap--

Affects all versions of Sympa. Patch is attached.

The following change should also be considered to switch off installation as 
setuid, which is not needed in most cases:
https://github.com/sympa-community/sympa/pull/944/commits/bc9579c7abddc77c92ad51897bd16aba12383d5f

See also https://github.com/sympa-community/sympa/issues/943#issuecomment-633278517
which claims that the patch is incomplete.

CVE is not yet published.

Regards
Racke

-- 
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
commit 3f8449c647e5ab32cf6f8837cb600c1756b6189c
Author: IKEDA Soji 
Date:   Fri Mar 27 21:28:18 2020 +0900

Sympa SA 2020-002 (candidate): Setuid wrappers should clear environment variables to avoid exploits.

diff --git a/src/cgi/sympa_soap_server-wrapper.fcgi.c b/src/cgi/sympa_soap_server-wrapper.fcgi.c
index f4c6a66..435d40c 100644
--- a/src/cgi/sympa_soap_server-wrapper.fcgi.c
+++ b/src/cgi/sympa_soap_server-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  .
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include 
 
 int main(int argn, char **argv, char **envp) {
+char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
 setreuid(geteuid(),geteuid());
 setregid(getegid(),getegid());
 argv[0] = SYMPASOAP;
-return execve(SYMPASOAP,argv,envp);
+return execve(SYMPASOAP, argv, myenvp);
 }
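Review bot: the return values of `setreuid(geteuid(),geteuid());` and `setregid(getegid(),getegid());` are still ignored, so if either call fails the `execve(SYMPASOAP, argv, myenvp);` line still runs with mismatched real and effective ids; check both results and exit non-zero on failure. The fixed `myenvp` is the right approach for a FastCGI wrapper, which needs nothing from the caller's environment, but a one-line comment saying why the inherited `envp` is deliberately unused would stop a future cleanup from "restoring" it.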
diff --git a/src/cgi/wwsympa-wrapper.fcgi.c b/src/cgi/wwsympa-wrapper.fcgi.c
index c66c7f8..34198ec 100644
--- a/src/cgi/wwsympa-wrapper.fcgi.c
+++ b/src/cgi/wwsympa-wrapper.fcgi.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  .
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include 
 
 int main(int argn, char **argv, char **envp) {
+char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
 setreuid(geteuid(),geteuid()); // Added to fix the segfault
 setregid(getegid(),getegid()); // Added to fix the segfault
 argv[0] = WWSYMPA;
-return execve(WWSYMPA,argv,envp);
+return execve(WWSYMPA, argv, myenvp);
 }
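Review bot: the `// Added to fix the segfault` comments on the two id-setting lines no longer tell a reader of this file anything useful; replace them with a comment stating the actual reason the real ids are set equal to the effective ids (Perl enables taint mode and behaves differently when they differ), and apply whatever return-value check is adopted for the other wrappers here too so the three files stay identical apart from the target macro.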
diff --git a/src/libexec/sympa_newaliases-wrapper.c b/src/libexec/sympa_newaliases-wrapper.c
index a399218..a1e5935 100644
--- a/src/libexec/sympa_newaliases-wrapper.c
+++ b/src/libexec/sympa_newaliases-wrapper.c
@@ -6,6 +6,9 @@
   Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
   2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
   Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+  Copyright 2020 The Sympa Community. See the AUTHORS.md
+  file at the top-level directory of this distribution and at
+  .
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -24,8 +27,10 @@
 #include 
 
 int main(int argn, char **argv, char **envp) {
+char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
 setreuid(geteuid(),geteuid());
 setregid(getegid(),getegid());
 argv[0] = SYMPA_NEWALIASES;
-return execve(SYMPA_NEWALIASES, argv, envp);
+return execve(SYMPA_NEWALIASES, argv, myenvp);
 }
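Review bot: this is the setuid-root wrapper, so the pinned environment matters most here, but `argv` other than `argv[0]` is still passed through from the unprivileged caller to a root-privileged script; confirm the target validates its arguments or drop them. As a second layer independent of the wrapper, running the exec'd Perl script with taint checks (`-T`) makes the interpreter itself ignore PERL5LIB, PERLLIB and PERL5OPT, so a later regression in this environment handling would not be exploitable by the route the advisory describes.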