Developers of Sympa

[Olivier Salaün <address@concealed>]

Hi Olivier,

Olivier Berger a écrit :
> Le mercredi 13 août 2008 à 17:14 +0200, Olivier Salaün a écrit :
>   
> > [...]
> >     
> >    2. the make_alias_file code in sympa.pl does create a file in /tmp
> >       directory, however the data it writes are hard-coded, no
> >       possibility of data injection
> >     
>
> Well, there's still the possibility that these files are already
> existing symlinks to other important files, which may then see their
> content be overwritten. That should be too bad if the sympa.pl was
> running with some privileges (allowing overwrite of the files), and that
> code was reached when running with these preivileges... 
> I've not checked to see what --make_alias_file is supposed to be invoked
> for... but let's hope it's not run periodically as root with a
> predictable PID... 
>
>   
The --make_alias_file would be run very rarely (if ever) by the site 
administrator (as root) to create an alias file for all lists from 
scratch. See the related documentation : 
https://www.sympa.org/manual/running-sympa#sympa.pl
> I'd be glad if you could elaborate on that second issue in sympa.pl to
> know if we have to clear alarming flags on Debian's bugtracker (and
> other security related databases, maybe).
>
>   
I don't think it's relevant to raise an alarm of that kind, but it's up 
to you.
> [...]
> > However, we're going to make some cleanup in the code to a) remove the 
> > debug code you mentioned, b) use Sympa's own tmp/ directory instead of 
> > /tmp when needed.
> >
> >     
>
> Thanks. Feel free to point to appropriate patches in
> http://sourcesup.cru.fr/tracker/index.php?func=detail&aid=4430 please.
>   
Changes have been done and ticket has been closed with appropriate 
references.