
packagers - Re: [sympa-packagers] Sympa security announce

Subject: List for people interested in developing and using Sympa packages

  • From: Emmanuel Bouthenot <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-packagers] Sympa security announce
  • Date: Sun, 20 May 2012 16:10:16 +0200

Hi,

On Mon, May 14, 2012 at 06:32:54PM +0200, David Verdin wrote:
> Hi guys,
>
> I've been contacted by the RENATER CERT to issue a security announcement
> to our community, related to the archive management problem I told
> you about in my previous message. They want to make this announcement
> tomorrow because the information regarding this security issue is
> already spreading.
> I'd like to let them know which packages could be updated to fix this
> problem.
> Do you have any plans to update your own packages this week?

On the Debian side:

Yesterday, I uploaded sympa 6.1.11~dfsg-1 into unstable with
urgency=high so that it will hit wheezy/testing in less than 3 days.

In the meantime, I started to work on the fix for sympa in the stable
distribution (6.0.1+dfsg-4). At first, I just applied the fix
pointed to[1] by the various security advisories[2] and I started to test
it.

I noticed that the fix was not complete: a user who is allowed to view
archives for a list (do_arc) is still able to manage (do_arc_manage) and
delete (do_arc_delete) the archives (download is properly handled).

Then, I worked on a patch[3] that will be applied to sympa for the stable
distribution; it restricts manage and delete to the owner (like for
download).

I've also uploaded 6.1.11~dfsg-2 into unstable a few hours ago with this
new fix.

Working on this security issue, I also noticed that sympa can leak
sensitive information in some cases:

Imagine a list at http://mysite/wws/info/mylist

Depending on the configuration of the list, sensitive information could
be displayed in the left pane (number of subscribers, listmasters,
etc.). If the parameter 'info' is set to 'open', anyone can see this
information, but if it is set to 'private' only subscribers can see
this information.

But if 'info' is set to 'private' and you try to access
http://mysite/wws/not_a_valid_action/mylist you will be able to see the
information in the left pane as if info=open. The same data leak
exists in multiple cases:
- http://mysite/wws/arc/mylist (anonymous user, info=private,
web_archive=private)
- http://mysite/wws/attach/mylist (anonymous user, wrong input parameter)
- etc...

IMO, it makes the parameter 'info=private' ineffective.

[1] https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358
[2] http://www.openwall.com/lists/oss-security/2012/05/12/8
[3] http://anonscm.debian.org/gitweb/?p=collab-maint/sympa.git;a=blob;f=debian/patches/2006_fix_CVE-2012-2352.patch;h=cc666afa199f846bd7b2c4dec588b03e41930a06;hb=c6b77bd7af28f14a02ac267bc761add43227f06d


Regards,

M.

--
Emmanuel Bouthenot
mail: kolter@{openics,debian}.org gpg: 4096R/0x929D42C3
xmpp: address@concealed irc: kolter@{freenode,oftc}
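
The two problems described in the message above, modelled as an added Python example (it is not part of the original e-mail, not Sympa's code and not the Debian patch): each archive action carries its own minimum role instead of inheriting the view check, and the left-pane data is gated on 'info' independently of whether the requested action is valid. The role names, the `REQUIRED` table, the sample pane contents and all function names are assumptions made for illustration.

```python
# Added illustration: a simplified model of a per-action authorization
# table with deny-by-default dispatch. Not Sympa's implementation.
from dataclasses import dataclass

ROLES = {"anonymous": 0, "subscriber": 1, "owner": 2}

# Minimum role per archive action. Action names mirror the do_* handlers
# named in the message; "subscriber" for viewing is an assumed setting
# (it stands in for web_archive=private).
REQUIRED = {
    "arc": "subscriber",      # view archives
    "arc_download": "owner",  # already restricted before the extra patch
    "arc_manage": "owner",    # must not inherit the view permission
    "arc_delete": "owner",    # must not inherit the view permission
}

# Constructed sample data standing in for the left-pane list details.
LIST_DETAILS = {"subscribers": 42, "listmasters": ["listmaster@example.org"]}


@dataclass
class ListConfig:
    info: str = "private"  # 'open' or 'private', as in the message


def authorize(action: str, role: str) -> bool:
    """Deny by default: unknown actions and unknown roles are refused."""
    need = REQUIRED.get(action)
    return need is not None and ROLES.get(role, -1) >= ROLES[need]


def may_see_info(cfg: ListConfig, role: str) -> bool:
    """info=open shows details to anyone; info=private needs a subscriber."""
    return cfg.info == "open" or ROLES.get(role, -1) >= ROLES["subscriber"]


def render(action: str, role: str, cfg: ListConfig):
    """Return (status, left_pane).

    The pane is decided by its own check on every code path, including
    the error paths for an invalid action or a refused request.
    """
    pane = LIST_DETAILS if may_see_info(cfg, role) else None
    if action not in REQUIRED:
        return "unknown_action", pane
    if not authorize(action, role):
        return "denied", pane
    return "ok", pane
```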
