On 10/14/20 8:02 AM, Carsten Aulbert wrote:
> Package: sympa
> Version: 6.2.16~dfsg-3+deb9u3
> Severity: important
>
> Dear Maintainer(s),
>
> since applying the security update from 6.2.16~dfsg-3+deb9u2 to
> 6.2.16~dfsg-3+deb9u3 I found some troubles with the session handling,
> i.e. the web server reports
>
> 2020/10/13 11:59:18 [error] 2123#2123: *3525 FastCGI sent in stderr:
> "Use of uninitialized value in string ne at /usr/share/sympa/lib/Sympa/Se
> ssion.pm line 406.
> Use of uninitialized value $remote_addr in string ne at
> /usr/share/sympa/lib/Sympa/Session.pm line 406" while reading upstream,
> client: 192.16
> 8.100.2, server: lists.welcomes-you.com, request: "POST /sympa
> HTTP/1.0", upstream: "fastcgi://unix:/run/fcgiwrap.socket:", host:
> "FQDN", referrer: "https://FQDN/sympa"
>
> My configuration may be a bit "nasty" and may contribute here:
>
> The external https access to sympa is TLS terminated by nginx acting as
> a reverse proxy which then sends the requests via a virtual bridge to
> the container where sympa is running.
>
> After comparing the changes between u2 and u3 I fear this change here
>
> char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
> [..]
> - return execve(WWSYMPA,argv,envp);
> + return execve(WWSYMPA, argv, myenvp);
>
> to the fcgi wrapper may cause the nginx set variable $ENV{'REMOTE_ADDR'}
> not to be set and thus session handling will not work anymore.
>
> Cheers
>
> Carsten

Looks like the attached patch is the correct one for older Sympa versions.
Regards
Racke
>
> -- System Information:
> Debian Release: 9.13
> APT prefers oldstable
> APT policy: (500, 'oldstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-12-amd64 (SMP w/8 CPU cores)
> Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
> (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages sympa depends on:
> ii adduser 3.115
> ii ca-certificates 20200601~deb9u1
> ii dbconfig-common 2.0.8
> ii debconf [debconf-2.0] 1.5.61
> ii fonts-font-awesome 4.7.0~dfsg-1
> ii init-system-helpers 1.48
> ii libarchive-zip-perl 1.59-1+deb9u1
> ii libc6 2.24-11+deb9u4
> ii libcgi-fast-perl 1:2.12-1
> ii libcgi-pm-perl 4.35-1
> ii libclass-singleton-perl 1.5-1
> ii libcrypt-openssl-x509-perl 1.8.7-3
> ii libcrypt-smime-perl 0.19-2
> ii libdatetime-format-mail-perl 0.4030-1
> ii libdbd-csv-perl 0.4900-1
> ii libdbd-mysql-perl 4.041-2
> ii libdbd-pg-perl 3.5.3-1+b2
> ii libdbd-sqlite3-perl 1.54-1
> ii libdbi-perl 1.636-1+deb9u1
> ii libfcgi-perl 0.78-2
> ii libfile-copy-recursive-perl 0.38-1
> ii libfile-nfslock-perl 1.27-1
> ii libhtml-format-perl 2.12-1
> ii libhtml-stripscripts-parser-perl 1.03-1
> ii libhtml-tree-perl 5.03-2
> ii libintl-perl 1.26-2
> ii libio-stringy-perl 2.111-2
> ii libjs-jquery 3.1.1-2+deb9u1
> ii libjs-jquery-migrate-1 1.4.1-1
> ii libjs-jquery-placeholder 2.3.1-2
> ii libjs-jquery-ui 1.12.1+dfsg-4
> ii libjs-modernizr 2.6.2+ds1-1
> ii libjs-twitter-bootstrap 2.0.2+dfsg-10
> ii libmail-dkim-perl 0.40-1
> ii libmailtools-perl 2.18-1
> ii libmime-charset-perl 1.012-2
> ii libmime-encwords-perl 1.014.3-2
> ii libmime-lite-html-perl 1.24-2
> ii libmime-tools-perl 5.508-1
> ii libmsgcat-perl 1.03-6+b3
> ii libnet-cidr-perl 0.18-1
> ii libnet-dns-perl 1.07-1
> ii libnet-ldap-perl 1:0.6500+dfsg-1
> ii libnet-netmask-perl 1.9022-1
> ii libregexp-common-perl 2016060801-1
> ii libsoap-lite-perl 1.20-1
> ii libtemplate-perl 2.24-1.2+b3
> ii libterm-progressbar-perl 2.18-1
> ii libunicode-linebreak-perl 0.0.20160702-1+b1
> ii libxml-libxml-perl 2.0128+dfsg-1+deb9u1
> ii lsb-base 9.20161125
> ii mhonarc 2.6.19-2
> ii perl 5.24.1-3+deb9u7
> ii postfix [mail-transport-agent] 3.1.15-0+deb9u1
> ii rsyslog [system-log-daemon] 8.24.0-1
> ii sqlite3 3.16.2-5+deb9u2
>
> Versions of packages sympa recommends:
> pn apache2-suexec <none>
> pn default-mysql-server | postgresql <none>
> pn doc-base <none>
> pn libapache2-mod-fcgid <none>
> pn libcrypt-ciphersaber-perl <none>
> ii libio-socket-ssl-perl 2.044-1
> ii locales 2.24-11+deb9u4
> ii logrotate 3.11.0-0.1
>
> Versions of packages sympa suggests:
> pn libauthcas-perl <none>
> pn libdbd-odbc-perl <none>
> pn libdbd-oracle-perl <none>
> ii nginx-light [httpd-cgi] 1.10.3-1+deb9u5
>
> -- debconf information excluded
>
--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
Index: soap/sympa_soap_server-wrapper.fcgi.c
===================================================================
--- soap/sympa_soap_server-wrapper.fcgi.c (revision 12983)
+++ soap/sympa_soap_server-wrapper.fcgi.c (working copy)
@@ -1,8 +1,10 @@
#include <unistd.h>
int main(int argn, char **argv, char **envp) {
+ char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
setreuid(geteuid(),geteuid());
setregid(getegid(),getegid());
argv[0] = SYMPASOAP;
- return execve(SYMPASOAP,argv,envp);
+ return execve(SYMPASOAP, argv, myenvp);
}
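Review bot: The context lines `setreuid(geteuid(),geteuid());` and `setregid(getegid(),getegid());` ignore their return values, so the new `execve(SYMPASOAP, argv, myenvp)` still runs if either identity change fails. Check both calls and return non-zero before reaching `execve`; a hunk that is already hardening the exec is the natural place to close that gap. The `envp` parameter of `main` is also unused after this change and can be dropped from the signature.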
Index: src/sympa_newaliases-wrapper.c
===================================================================
--- src/sympa_newaliases-wrapper.c (revision 12983)
+++ src/sympa_newaliases-wrapper.c (working copy)
@@ -24,8 +24,10 @@
#include <unistd.h>
int main(int argn, char **argv, char **envp) {
+ char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
setreuid(geteuid(),geteuid());
setregid(getegid(),getegid());
argv[0] = SYMPA_NEWALIASES;
- return execve(SYMPA_NEWALIASES, argv, envp);
+ return execve(SYMPA_NEWALIASES, argv, myenvp);
}
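Review bot: The `myenvp` initializer added at the top of `main` is the same literal that the other two wrappers in this patch add, and none of the three copies carries a comment saying why the inherited environment is discarded. Move the array into one shared header or macro so the copies cannot drift apart, and put a one-line comment stating the intent next to it.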
Index: wwsympa/wwsympa-wrapper.fcgi.c
===================================================================
--- wwsympa/wwsympa-wrapper.fcgi.c (revision 12983)
+++ wwsympa/wwsympa-wrapper.fcgi.c (working copy)
@@ -1,8 +1,10 @@
#include <unistd.h>
int main(int argn, char **argv, char **envp) {
+ char *myenvp[] = { "IFS= \t\n", "PATH=/bin:/usr/bin", NULL };
+
setreuid(geteuid(),geteuid()); // Added to fix the segfault
setregid(getegid(),getegid()); // Added to fix the segfault
argv[0] = WWSYMPA;
- return execve(WWSYMPA,argv,envp);
+ return execve(WWSYMPA, argv, myenvp);
}
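Review bot: Passing `myenvp` in `execve(WWSYMPA, argv, myenvp)` hands wwsympa only `IFS` and `PATH`, so nothing from the `envp` the web server supplied survives; the report in this thread shows `$remote_addr` uninitialized at Session.pm line 406 after the same change. For this wrapper, build the new environment from `envp` by copying an explicit allowlist of the variables wwsympa reads (at least `REMOTE_ADDR`) and add the fixed `IFS` and `PATH`, rather than replacing the environment wholesale.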

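The report above attributes the unset `REMOTE_ADDR` to the wrapper replacing the whole environment. As an added example (not part of the attached patch or of Sympa's code), this shows one way a wrapper could keep the patch's fixed `IFS` and `PATH` while passing through an explicit allowlist of CGI variables. The allowlist contents, the name `build_clean_env` and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative allowlist: an assumption, not Sympa's own list. */
static const char *const allowed[] = {
    "REMOTE_ADDR", "REQUEST_METHOD", "QUERY_STRING", "HTTP_COOKIE", NULL
};

/* 1 if entry is "NAME=value" and NAME is exactly on the allowlist. */
static int is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == len && strncmp(entry, allowed[i], len) == 0)
            return 1;
    return 0;
}

/* Fill out[] with the patch's fixed IFS and PATH, then the allowlisted
 * entries of envp. Returns the entry count, or -1 if out[] is too small. */
int build_clean_env(char **envp, char **out, size_t cap)
{
    size_t n = 0;
    if (cap < 3) return -1;
    out[n++] = "IFS= \t\n";
    out[n++] = "PATH=/bin:/usr/bin";
    for (char **e = envp; e != NULL && *e != NULL; e++) {
        if (!is_allowed(*e)) continue;
        if (n + 1 >= cap) return -1;   /* keep room for the NULL terminator */
        out[n++] = *e;
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample environment, for demonstration only. */
static char *sample_env[] = {
    "REMOTE_ADDR=192.0.2.10", "LD_PRELOAD=/nonexistent/x.so", "PATH=/tmp/bin",
    "REMOTE_ADDR_EXTRA=1", "IFS=x", "REQUEST_METHOD=POST", NULL
};
static char *clean[16];
int main(void)
{
    int n = build_clean_env(sample_env, clean, 16);
    for (int i = 0; i < n; i++) puts(clean[i]);
    return n < 0;
}
```

Inherited `PATH`, `IFS` and any name that merely starts with an allowlisted one are dropped, because names are compared whole up to the `=`.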
