Olivier Berger
2008-Aug-25 12:36 UTC
[Secure-testing-team] Bug#496520: Insecure use of /tmp in sympa scripts
Package: sympa
Version: 5.3.4-5.1
Severity: grave
Tags: security
Justification: user security hole

AFAICT (and thanks to Thijs Kinkhorst <thijs at debian.org> : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#21) there are more insecure uses of /tmp in sympa.

Besides the one in #496518 there is also a problem with /usr/lib/sympa/bin/tools.pl in the smime_sign_check() code, which uses a /tmp temporary file in an insecure manner.

AFAICT, this may be exploited to overwrite contents of a file with privileges of the user sympa runs under, but in a not so predictable way as the filename changes (includes process pid, I guess). And of course this would only occur if mime signing was used in sympa... which is not so frequent maybe.

This is not most serious, as may only be exploited in specific conditions, but still, needs to be addressed, IMHO.

This is upstream code, not Debian specific, AFAICT.

Note also that in the grep done in the package files (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494969#31) there are (besides #496518) some other apparent issues, but which are false positives :
 /usr/lib/sympa/bin/tt2.pl (strange perl comment ? to be confirmed)
 /usr/lib/sympa/bin/CAS.pm (POD example)
 /usr/lib/sympa/bin/sympa_soap_client.pl (unused code in example script, see #496515)

Hope this helps,

-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-openvz-24-004.1d1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sympa depends on:
ii  adduser                      3.110       add and remove users and groups
ii  debconf [debconf-2.0]        1.5.22      Debian configuration management sy
ii  exim4-daemon-light [mail-tra 4.69-6      lightweight Exim MTA (v4) daemon
pn  libarchive-zip-perl          <none>      (no description available)
ii  libc6                        2.7-13      GNU C Library: Shared libraries
pn  libcgi-fast-perl             <none>      (no description available)
pn  libcrypt-ciphersaber-perl    <none>      (no description available)
pn  libdbd-mysql-perl | libdbd-p <none>      (no description available)
ii  libdbi-perl                  1.605-1     Perl5 database interface by Tim Bu
ii  libfcgi-perl                 0.67-2.1+b1 FastCGI Perl module
ii  libintl-perl                 1.16-4      Uniforum message translations syst
ii  libio-stringy-perl           2.110-4     Perl modules for IO from scalars a
ii  libmailtools-perl            2.03-1      Manipulate email in perl programs
pn  libmd5-perl                  <none>      (no description available)
ii  libmime-tools-perl [libmime- 5.427-1     Perl5 modules for MIME-compliant m
pn  libmsgcat-perl               <none>      (no description available)
pn  libnet-ldap-perl             <none>      (no description available)
pn  libtemplate-perl             <none>      (no description available)
ii  libxml-libxml-perl           1.66-1+b1   Perl module for using the GNOME li
pn  mhonarc                      <none>      (no description available)
ii  perl [libmime-base64-perl]   5.10.0-13   Larry Wall's Practical Extraction
pn  perl-suid                    <none>      (no description available)
ii  sysklogd [system-log-daemon] 1.5-5       System Logging Daemon

Versions of packages sympa recommends:
ii  doc-base                     0.8.16      utilities to manage online documen
ii  logrotate                    3.7.1-3     Log rotation utility

Versions of packages sympa suggests:
ii  apache2-mpm-prefork [httpd]  2.2.9-7     Apache HTTP Server - traditional n
pn  libapache-mod-fastcgi        <none>      (no description available)
pn  mysql-server | postgresql    <none>      (no description available)
ii  openssl                      0.9.8g-13   Secure Socket Layer (SSL) binary a
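
The class of problem reported above, as an added example that is not taken from sympa's tools.pl or from the original message: a temporary file opened under a predictable, PID-based name in a shared directory, beside two hardened ways to create it in Perl. The file names, the helper subs and the scratch directory standing in for /tmp are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not sympa code. All names and paths are constructed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# A private scratch directory stands in for the shared /tmp.
my $shared = tempdir(CLEANUP => 1);

# Hypothetical predictable name (fixed prefix + PID) that already exists
# before the program opens it, as another local user could arrange.
my $predictable = "$shared/smime.$$";
write_insecure($predictable, "someone else's data\n");

# Insecure pattern: plain open('>') accepts whatever is at the path
# and truncates it with the privileges of the running user.
sub write_insecure {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or return 0;
    print {$fh} $data;
    return close($fh) ? 1 : 0;
}

# Hardened pattern 1: O_CREAT|O_EXCL fails if the path exists in any
# form (regular file or symlink), so nothing pre-planted is opened.
sub write_exclusive {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return 0;
    print {$fh} $data;
    return close($fh) ? 1 : 0;
}

# Hardened pattern 2: File::Temp picks a random name and opens it
# exclusively with owner-only permissions; UNLINK removes it at exit.
sub write_tempfile {
    my ($dir, $data) = @_;
    my ($fh, $name) = tempfile('smime-XXXXXXXX', DIR => $dir, UNLINK => 1);
    print {$fh} $data;
    close($fh) or die "close: $!";
    return $name;
}

printf "insecure open on existing path: %s\n",
    write_insecure($predictable, "signature\n") ? "overwrote it" : "failed";
printf "O_EXCL open on existing path:   %s\n",
    write_exclusive($predictable, "signature\n") ? "opened" : "refused ($!)";
my $safe = write_tempfile($shared, "signature\n");
printf "File::Temp created %s, mode %04o\n", $safe, (stat $safe)[2] & 07777;
```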