packagers - Re: [sympa-packagers] Sympa security announce

Subject: List for people interested in developing and using Sympa packages

  • From: David Verdin <address@concealed>
  • To: Emmanuel Bouthenot <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-packagers] Sympa security announce
  • Date: Mon, 21 May 2012 09:40:17 +0200

Hi Emmanuel,

On 20/05/2012 16:10, Emmanuel Bouthenot wrote:
> On the Debian side:
>
> Yesterday, I've uploaded sympa 6.1.11~dfsg-1 into unstable with
> urgency=high so that it will hit wheezy/testing in less than 3 days.
Great!

> In the meantime, I started to work on the fix for sympa in the stable
> distribution (6.0.1+dfsg-4). At the beginning, I've just applied the fix
> pointed[1] by the various security advisories[2] and I started to test
> it.
>
> I noticed that the fix was not complete, a user who is allowed to view
> archives for a list (do_arc) is still able to manage (do_arc_manage) and
> delete (do_arc_delete) the archives (download is properly handled).
>
> Then, I worked on a patch[3] that will be applied to sympa for the stable
> distribution, it restricts manage and delete to owner (like for
> download).
You're right. Your patch is better. However, what we distribute is still far more secure than it was...
We'll update the code with your patch ASAP.

> I've also uploaded 6.1.11~dfsg-2 into unstable a few hours ago with this
> new fix.
Great again!

> Working on this security issue, I also noticed that sympa can leak
> sensible? information in some cases:
>
> Imagine a list at http://mysite/wws/info/mylist
>
> Depending on the configuration of the list, sensible information could
> be displayed on the left pane (number of subscribers, listmasters,
> etc.). If the parameter 'info' is set to 'open', anyone could see this
> information but if it is set to 'private' only subscribers could see
> this information.
>
> But if 'info' is set to 'private' and if you try to access
> http://mysite/wws/not_a_valid_action/mylist you will be able to see the
> information in the left pane as if info=open. The same leak of data
> exists in multiple cases:
>  - http://mysite/wws/arc/mylist (anonymous user, info=private, web_archive=private)
>  - http://mysite/wws/attach/mylist (anonymous user, wrong input parameter)
>  - etc...
>
> IMO, it makes the parameter 'info=private' inefficient.
"info" is supposed to regulate the access to the description of the list.
But you're right in a sense. Having access to the owners' names and the number of subscribers IS information people would not want to see available.
Actually, the top panel of the list menu could be scenario controlled.
In my opinion:
  • the "visibility" scenario should control the availability of the owners list
  • the "info" scenario should control access to the number of subscribers and to the editors

What do you think?

Cheers,

David


> [1] https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358
> [2] http://www.openwall.com/lists/oss-security/2012/05/12/8
> [3] http://anonscm.debian.org/gitweb/?p=collab-maint/sympa.git;a=blob;f=debian/patches/2006_fix_CVE-2012-2352.patch;h=cc666afa199f846bd7b2c4dec588b03e41930a06;hb=c6b77bd7af28f14a02ac267bc761add43227f06d
>
> Regards,
>
> M.
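As an added illustration of the left-pane leak and of the per-scenario split David proposes (constructed example, not Sympa's own code; the scenario names, the toy evaluator and the sample list are simplifying assumptions), here is the leaking pattern beside a fail-closed variant that gates each pane field by its own scenario before any action is dispatched:

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set

@dataclass
class MailingList:
    name: str
    info: str           # 'info' scenario: 'open' or 'private' (assumed simplification)
    visibility: str     # 'visibility' scenario: 'noconceal' or 'conceal' (assumed)
    owners: List[str]
    editors: List[str]
    subscribers: Set[str]

def allowed(scenario: str, user: Optional[str], lst: MailingList) -> bool:
    """Toy scenario evaluator: open/noconceal allow everyone; private/conceal allow
    only subscribers and owners. An anonymous user is represented by None."""
    if scenario in ("open", "noconceal"):
        return True
    return user is not None and (user in lst.subscribers or user in lst.owners)

def pane_vulnerable(action: str, lst: MailingList, user: Optional[str]) -> Dict[str, Any]:
    """Pattern described in the thread: only the 'info' action consults the 'info'
    scenario; every other path, an unknown action included, fills the pane as if info=open."""
    if action == "info" and not allowed(lst.info, user, lst):
        return {"list": lst.name, "error": "forbidden"}
    return {"list": lst.name, "owners": list(lst.owners), "editors": list(lst.editors),
            "subscriber_count": len(lst.subscribers)}

def pane_fixed(action: str, lst: MailingList, user: Optional[str]) -> Dict[str, Any]:
    """Fail-closed variant: 'visibility' gates the owners list, 'info' gates the editors
    and the subscriber count, and both are evaluated before the action is looked at,
    so an invalid or failed action cannot widen what the pane shows."""
    pane: Dict[str, Any] = {"list": lst.name}
    if allowed(lst.visibility, user, lst):
        pane["owners"] = list(lst.owners)
    if allowed(lst.info, user, lst):
        pane["editors"] = list(lst.editors)
        pane["subscriber_count"] = len(lst.subscribers)
    if action not in {"info", "arc", "attach"}:
        pane["error"] = "unknown action"   # the pane is already minimal; only the error is added
    return pane

# Constructed sample list: info=private, owners concealed from non-subscribers.
MYLIST = MailingList("mylist", "private", "conceal", ["owner@example.org"],
                     ["editor@example.org"], {"alice@example.org", "owner@example.org"})
```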




