Package: sympa
Version: 6.0.1+dfsg-4
Severity: grave
Sympa versions 6.1.11 have a severe security issue where any user can
download or delete the archives of a mailing list if they know the name
of the list.
Debian has been tracking it at
http://security-tracker.debian.org/tracker/CVE-2012-2352
I'm attaching a patch (taken from upstream commit:
https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympapathrev=7358
) that fixes the problem
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (800, 'stable'), (650, 'testing'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- wwsympa.fcgi2012-05-14 11:53:36.0 +0300
+++ wwsympa.fcgi2012-05-14 11:55:09.0 +0300
@@ -15956,6 +15956,11 @@
sub do_arc_manage {
wwslog('info', do_arc_manage ($in{'list'}));
+ ## Access Control
+ unless (defined check_authz('do_arc', 'web_archive.access')) {
+ return undef;
+ }
+
my $search_base = $wwsconf-{'arc_path'}.'/'.$list-get_list_id();
opendir ARC, $search_base;
foreach my $dir (sort {$b cmp $a} grep(!/^\./,readdir ARC)) {
@@ -15972,6 +15977,11 @@
sub do_arc_download {
wwslog('info', do_arc_download ($in{'list'}));
+
+ ## Access Control
+ unless (defined check_authz('do_arc', 'web_archive.access')) {
+ return undef;
+ }
##zip file name:listname_archives.zip
my $zip_file_name = $in{'list'}.'_archives.zip';
@@ -16072,6 +16082,11 @@
my @abs_dirs;
wwslog('info', do_arc_delete ($in{'list'}));
+
+ ## Access Control
+ unless (defined check_authz('do_arc', 'web_archive.access')) {
+ return undef;
+ }
unless (defined $in{'directories'}){
report::reject_report_web('user','select_month',{},$param-{'action'});