Olivier Berger
2008-Aug-25 12:22 UTC
[Secure-testing-team] Bug#496518: Insecure use of /tmp in sympa_wizard may lead to system damage
Package: sympa
Version: 5.3.4-5.1
Severity: critical
Tags: security
Justification: root security hole

AFAICT (and thanks to Thijs Kinkhorst <thijs at debian.org> : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more insecure uses of /tmp in sympa.

One quite nasty is the one in /usr/lib/sympa/bin/sympa_wizard.pl, as this script is used during sympa's postinst, so with root privileges, IMHO.

Note that the sympa_wizard.pl which needs to be fixed is in debian/ in package sources (see #496514). Still, the insecure code is also present in upstream's sympa_wizard.pl.

Will file separate report for another issue found with less critical severity.

Hope this helps

-- System Information:
Debian Release: lenny/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii exim4-daemon-light [mail-tra 4.69-6 lightweight Exim MTA (v4) daemon
pn libarchive-zip-perl <none> (no description available)
ii libc6 2.7-13 GNU C Library: Shared libraries
pn libcgi-fast-perl <none> (no description available)
pn libcrypt-ciphersaber-perl <none> (no description available)
pn libdbd-mysql-perl | libdbd-p <none> (no description available)
ii libdbi-perl 1.605-1 Perl5 database interface by Tim Bu
ii libfcgi-perl 0.67-2.1+b1 FastCGI Perl module
ii libintl-perl 1.16-4 Uniforum message translations syst
ii libio-stringy-perl 2.110-4 Perl modules for IO from scalars a
ii libmailtools-perl 2.03-1 Manipulate email in perl programs
pn libmd5-perl <none> (no description available)
ii libmime-tools-perl [libmime- 5.427-1 Perl5 modules for MIME-compliant m
pn libmsgcat-perl <none> (no description available)
pn libnet-ldap-perl <none> (no description available)
pn libtemplate-perl <none> (no description available)
ii libxml-libxml-perl 1.66-1+b1 Perl module for using the GNOME li
pn mhonarc <none> (no description available)
ii perl [libmime-base64-perl] 5.10.0-13 Larry Wall's Practical Extraction
pn perl-suid <none> (no description available)
ii sysklogd [system-log-daemon] 1.5-5 System Logging Daemon

Versions of packages sympa recommends:
ii doc-base 0.8.16 utilities to manage online documen
ii logrotate 3.7.1-3 Log rotation utility

Versions of packages sympa suggests:
ii apache2-mpm-prefork [httpd] 2.2.9-7 Apache HTTP Server - traditional n
pn libapache-mod-fastcgi <none> (no description available)
pn mysql-server | postgresql <none> (no description available)
ii openssl 0.9.8g-13 Secure Socket Layer (SSL) binary a
Olivier Berger
2008-Aug-25 14:24 UTC
[Secure-testing-team] CLOSED - Re: Bug#496518: Insecure use of /tmp in sympa_wizard may lead to system damage
On Mon, Aug 25, 2008 at 02:22:54PM +0200, Olivier Berger wrote:
>
> AFAICT (and thanks to Thijs Kinkhorst <thijs at debian.org> : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more insecure uses of /tmp in sympa.
>
> One quite nasty is the one in /usr/lib/sympa/bin/sympa_wizard.pl, as this script is used during sympa's postinst, so with root privileges, IMHO.
>
> Note that the sympa_wizard.pl which needs to be fixed is in debian/ in package sources (see #496514). Still, the insecure code is also present in upstream's sympa_wizard.pl.
>

Sh*t.

There's no problem in sympa_wizard.pl actually. The current sympa_wizard doesn't use any insecure file in /tmp.

This is again a "false positive", as the $new_wwsympa_conf = '/tmp/wwsympa.conf' and $new_sympa_conf = '/tmp/sympa.conf' haven't been used for a long time (http://sourcesup.cru.fr/cgi/viewvc.cgi/trunk/src/sympa_wizard.pl?view=diff&r1=1613&r2=1614)... but the fix was incompletely done (remaining $new_[ww]sympa_conf variables although @new_[ww]sympa_conf are the only ones used).

Thus, the attached patch may be better, to finally get rid of the /tmp path.

Too bad, this wasn't really obvious looking at the code :(.

Sorry about bothering.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sympa_wizard.patch
Type: text/x-diff
Size: 722 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080825/8ec9ab18/attachment.patch
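
The triage described in the follow-up (a /tmp literal left in a scalar that nothing reads any more, while only the same-named array is used) can be checked mechanically. This is an added example, not code from the thread or from Sympa; the Perl sample is constructed and the function names are hypothetical.

```python
import re

# Constructed Perl sample modelled on the thread (not the real sympa_wizard.pl).
SAMPLE = r'''# constructed sample
my $new_wwsympa_conf = '/tmp/wwsympa.conf';
my $new_sympa_conf = '/tmp/sympa.conf';
my (@new_wwsympa_conf, @new_sympa_conf);
push @new_sympa_conf, "email listmaster\n";
print $new_sympa_conf[0];
my $scratch = "/tmp/wizard.$$";
open(my $fh, '>', $scratch) or die "open: $!";
'''

# A scalar assigned a quoted literal that starts with /tmp/.
ASSIGN = re.compile(r'''\$(\w+)\s*=\s*(['"])(/tmp/[^'"]*)\2''')


def strip_comment(line):
    # Crude: treats every '#' as a comment start, so '#' inside strings is lost.
    return line.split('#', 1)[0]


def triage_tmp_scalars(source):
    """Map each scalar holding a /tmp literal to its path and the lines that read it."""
    code = [strip_comment(l) for l in source.splitlines()]
    findings = {}
    for lineno, line in enumerate(code, 1):
        m = ASSIGN.search(line)
        if m:
            findings[m.group(1)] = {"path": m.group(3), "assigned": lineno, "used": []}
    for name, info in findings.items():
        # "$name[" and "$name{" address @name / %name, not the scalar $name.
        use = re.compile(r'\$' + re.escape(name) + r'\b(?!\s*[\[{])')
        info["used"] = [n for n, line in enumerate(code, 1)
                        if n != info["assigned"] and use.search(line)]
    return findings


def split_dead_live(findings):
    """Dead = assigned but never read (leftover); live = needs manual review."""
    dead = sorted(n for n, i in findings.items() if not i["used"])
    live = sorted(n for n, i in findings.items() if i["used"])
    return dead, live


if __name__ == "__main__":
    for name, info in triage_tmp_scalars(SAMPLE).items():
        state = "read on lines %s" % info["used"] if info["used"] else "never read"
        print("$%s = %s (line %d): %s" % (name, info["path"], info["assigned"], state))
```

A scalar reported as live still needs a human to look at how the path is opened; in Perl the usual replacement for a fixed name under /tmp is File::Temp.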