Your message dated Sun, 05 Oct 2008 11:02:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496520: fixed in sympa 5.3.4-6
has caused the Debian Bug report #496520,
regarding Insecure use of /tmp in sympa scripts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
496520: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496520
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: sympa
Version: 5.3.4-5.1
Severity: grave
Tags: security
Justification: user security hole

AFAICT (and thanks to Thijs Kinkhorst <[EMAIL PROTECTED]>:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more
insecure uses of /tmp in sympa.

Besides the one in #496518 there is also a problem with
/usr/lib/sympa/bin/tools.pl in the smime_sign_check() code, which uses a /tmp
temporary file in an insecure manner.

AFAICT, this may be exploited to overwrite contents of a file with privileges
of the user sympa runs under, but in a not so predictable way as the filename
changes (includes process pid, I guess). And of course this would only occur if
mime signing was used in sympa... which is not so frequent maybe.

This is not most serious, as it may only be exploited in specific conditions, but
still, needs to be addressed, IMHO.

This is upstream code, not Debian specific, AFAICT.

Note also that in the grep done in the package files
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#31) there are (besides
#496518) some other apparent issues, but which are false positives:
/usr/lib/sympa/bin/tt2.pl (strange perl comment? to be confirmed)
/usr/lib/sympa/bin/CAS.pm (POD example)
/usr/lib/sympa/bin/sympa_soap_client.pl (unused code in example script, see
#496515)

Hope this helps,


-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                      3.110       add and remove users and groups
ii  debconf [debconf-2.0]        1.5.22      Debian configuration management sy
ii  exim4-daemon-light [mail-tra 4.69-6      lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl          <none>      (no description available)
ii  libc6                        2.7-13      GNU C Library: Shared libraries
pn  libcgi-fast-perl             <none>      (no description available)
pn  libcrypt-ciphersaber-perl    <none>      (no description available)
pn  libdbd-mysql-perl | libdbd-p <none>      (no description available)
ii  libdbi-perl                  1.605-1     Perl5 database interface by Tim Bu
ii  libfcgi-perl                 0.67-2.1+b1 FastCGI Perl module
ii  libintl-perl                 1.16-4      Uniforum message translations syst
ii  libio-stringy-perl           2.110-4     Perl modules for IO from scalars a
ii  libmailtools-perl            2.03-1      Manipulate email in perl programs
pn  libmd5-perl                  <none>      (no description available)
ii  libmime-tools-perl [libmime- 5.427-1     Perl5 modules for MIME-compliant m
pn  libmsgcat-perl               <none>      (no description available)
pn  libnet-ldap-perl             <none>      (no description available)
pn  libtemplate-perl             <none>      (no description available)
ii  libxml-libxml-perl           1.66-1+b1   Perl module for using the GNOME li
pn  mhonarc                      <none>      (no description available)
ii  perl [libmime-base64-perl]   5.10.0-13   Larry Wall's Practical Extraction 
pn  perl-suid                    <none>      (no description available)
ii  sysklogd [system-log-daemon] 1.5-5       System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                      0.8.16     utilities to manage online documen
ii  logrotate                     3.7.1-3    Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd]   2.2.9-7    Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi         <none>     (no description available)
pn  mysql-server | postgresql     <none>     (no description available)
ii  openssl                       0.9.8g-13  Secure Socket Layer (SSL) binary a



--- End Message ---
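The two patterns the report contrasts, a guessable /tmp name with a pid suffix versus a temporary file created atomically, as an added Perl illustration that is not code from sympa or from the reporter; the function names and the $tmpdir setting are assumptions:

```perl
#!/usr/bin/perl
# Added illustration, not sympa's code: a guessable /tmp name next to a
# race-free temporary file for an S/MIME signature check.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Weak pattern: prefix plus pid is guessable, /tmp is world-writable, and
# open('>') follows a symlink already sitting at that path, so the write
# lands wherever the link points, with the service user's privileges.
sub save_signed_part_insecure {
    my ($data) = @_;
    my $path = "/tmp/sympa_smime.$$";
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $data;
    close $fh or die "close $path: $!";
    return $path;
}

# Hardened pattern: tempfile() draws a random name and creates it with
# O_CREAT|O_EXCL, so a pre-planted file or symlink makes the open fail
# instead of being followed. DIR should be a directory only the service
# user can write ($tmpdir is an assumed caller-supplied setting);
# UNLINK => 1 removes the file when the process exits.
sub save_signed_part_secure {
    my ($data, $tmpdir) = @_;
    my ($fh, $path) = tempfile('sympa_smime_XXXXXXXX',
                               DIR    => $tmpdir,
                               UNLINK => 1);
    print {$fh} $data;
    close $fh or die "close $path: $!";
    return $path;
}

# Usage (example only): the caller hands $path to the verify step, e.g.
# `openssl smime -verify -in $path ...`, and lets UNLINK clean up afterwards.
if (!caller) {
    my $p = save_signed_part_secure("signed MIME part (constructed sample)\n",
                                    '/var/tmp');
    print "temporary copy written to $p\n";
}
```

Even with a private directory, the O_EXCL create is the check that matters: it turns a planted symlink into a hard failure that shows up in the logs rather than a silent overwrite.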
--- Begin Message ---
Source: sympa
Source-Version: 5.3.4-6

We believe that the bug you reported is fixed in the latest version of
sympa, which is due to be installed in the Debian FTP archive:

sympa_5.3.4-6.diff.gz
  to pool/main/s/sympa/sympa_5.3.4-6.diff.gz
sympa_5.3.4-6.dsc
  to pool/main/s/sympa/sympa_5.3.4-6.dsc
sympa_5.3.4-6_amd64.deb
  to pool/main/s/sympa/sympa_5.3.4-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Hornburg (Racke) <[EMAIL PROTECTED]> (supplier of updated sympa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.8
Date: Sun,  5 Oct 2008 12:36:30 +0200
Source: sympa
Binary: sympa
Architecture: source amd64
Version: 5.3.4-6
Distribution: unstable
Urgency: low
Maintainer: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Changed-By: Stefan Hornburg (Racke) <[EMAIL PROTECTED]>
Description: 
 sympa      - Modern mailing list manager
Closes: 496520 498144 501154
Changes: 
 sympa (5.3.4-6) unstable; urgency=low
 .
   * fix usage of $* Perl variable deprecated in Perl 5.10
     (Closes: #501154, thanks to Micah Anderson <[EMAIL PROTECTED]> and
     David Moreno <[EMAIL PROTECTED]> for the report and patches)
   * add the sympa.pl --upgrade procedure to the debian/postinst
     to migrate existing installs (Closes: #498144, thanks to Micah
     Anderson <[EMAIL PROTECTED]> for the patch)
   * additional patch for insecure use of /tmp (Closes: #496520)
   * missing debian/compat file added




--- End Message ---
