Bug 246701 - mail/sympa: upgrade to 6.2.56
Summary: mail/sympa: upgrade to 6.2.56
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Kurt Jaeger
URL:
Keywords:
Depends on:
Blocks: 245672
Reported: 2020-05-24 16:34 UTC by William F. Dudley Jr.
Modified: 2020-05-27 16:22 UTC (History)

See Also:
dgeo: maintainer-feedback+
pi: merge-quarterly+


Attachments
svn diff mail/sympa (3.53 KB, patch)
2020-05-26 14:02 UTC, geoffroy desvernay
no flags Details | Diff
svn diff security/vuxml (2.71 KB, patch)
2020-05-26 14:14 UTC, geoffroy desvernay
no flags Details | Diff

Description William F. Dudley Jr. 2020-05-24 16:34:47 UTC
A vulnerability has been discovered in the Sympa web interface by which an attacker can execute arbitrary code with root privileges.

Sympa uses two sorts of setuid wrappers:

    FastCGI wrappers
    newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi) were used to make the web interface run under the privileges of a dedicated user.

The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected, forged code might be loaded and executed under the privileges of the setuid users.

More here: https://github.com/sympa-community/sympa/releases/tag/6.2.56
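The description above is about a setuid wrapper that passed the caller's environment through to a privileged Perl program. The following is an added example (not code from Sympa, its 6.2.56 fix, or the FreeBSD port) of the defensive pattern such a wrapper needs: it discards every caller-supplied variable except a short allow list, sets PATH itself, and execs a fixed absolute target path. The target path, the allow list and the function names are hypothetical.

```c
/* Added example: a setuid wrapper that builds its own environment instead of
 * inheriting the caller's. Target path and allow list are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENV 64

/* Values the wrapper always sets itself; the caller's PATH is ignored. */
static const char *const fixed_env[] = {
    "PATH=/usr/local/bin:/usr/bin:/bin",
    NULL
};

/* Caller variables allowed to pass through: harmless locale/timezone settings.
 * Deliberately absent: PERL5LIB, PERL5OPT, PERLLIB, LD_PRELOAD, LD_LIBRARY_PATH
 * and anything else that changes which code perl or the dynamic loader picks up. */
static const char *const pass_through[] = { "LANG=", "LC_ALL=", "TZ=", NULL };

static int has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Returns 1 if some entry of env starts with prefix, else 0. */
int env_has(const char *const env[], const char *prefix)
{
    for (size_t i = 0; env[i] != NULL; i++)
        if (has_prefix(env[i], prefix))
            return 1;
    return 0;
}

/* Build a sanitized, NULL-terminated environment in out[] from the caller's
 * environment in[]. Returns the number of entries written, or -1 if out[]
 * is too small. Fixed entries are written first; everything from the caller
 * that is not on the pass-through list is dropped. */
int sanitize_env(char *const in[], const char *out[], size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; fixed_env[i] != NULL; i++) {
        if (n + 1 >= outsz) return -1;
        out[n++] = fixed_env[i];
    }
    for (size_t i = 0; in != NULL && in[i] != NULL; i++) {
        int keep = 0;
        for (size_t j = 0; pass_through[j] != NULL; j++)
            if (has_prefix(in[i], pass_through[j])) { keep = 1; break; }
        if (!keep) continue;
        if (n + 1 >= outsz) return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

extern char **environ;

int main(void)
{
    /* Hypothetical target: a fixed absolute path, never taken from argv or PATH. */
    const char *target = "/usr/local/sbin/example-newaliases";
    const char *argv[] = { target, NULL };
    const char *envp[MAX_ENV];

    if (sanitize_env(environ, envp, MAX_ENV) < 0) {
        fprintf(stderr, "environment too large\n");
        return 1;
    }
    /* execve hands the privileged program exactly the environment built above,
     * so a PERL5LIB or LD_PRELOAD set by the caller never reaches it. */
    execve(target, (char *const *)argv, (char *const *)envp);
    perror("execve");
    return 1;
}
```

The allow list is the important design choice: a deny list of known-dangerous names (PERL5LIB, LD_PRELOAD, ...) silently misses the next variable that influences code loading, whereas an allow list fails closed. The wrapper also passes `environ` through `sanitize_env` rather than calling `clearenv()` and then re-exporting, so there is no window in which the inherited values are still live.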
Comment 1 geoffroy desvernay 2020-05-26 14:02:01 UTC
Created attachment 214878 [details]
svn diff mail/sympa

upgrade to 6.2.56 and fix perms problems of #246702
Comment 2 geoffroy desvernay 2020-05-26 14:14:56 UTC
Created attachment 214880 [details]
svn diff security/vuxml

two vuxml entries affecting < 6.2.56
Comment 3 geoffroy desvernay 2020-05-26 21:08:04 UTC
I can't change to patch-ready…
Comment 4 Kurt Jaeger freebsd_committer 2020-05-27 05:58:58 UTC
testbuilds@work
Comment 5 commit-hook freebsd_committer 2020-05-27 16:03:22 UTC
A commit references this bug:

Author: pi
Date: Wed May 27 16:02:33 UTC 2020
New revision: 536696
URL: https://svnweb.freebsd.org/changeset/ports/536696

Log:
  mail/sympa: update 6.2.54 -> 6.2.56, fix security issue

  - A vulnerability has been discovered in Sympa web interface by
    which attacker can execute arbitrary code with root privileges.

  PR:		246701
  Submitted by:	William F. Dudley Jr. <wfdudley@gmail.com>
  Approved by:	dgeo@centrale-marseille.fr (maintainer)
  MFH:		2020Q2
  Relnotes:	https://github.com/sympa-community/sympa/releases/tag/6.2.56
  Security:	CVE-2020-10936
  		https://sympa-community.github.io/security/2020-002.html
  		https://github.com/sympa-community/sympa/issues/943

Changes:
  head/mail/sympa/Makefile
  head/mail/sympa/distinfo
  head/mail/sympa/files/pkg-install.in
  head/mail/sympa/pkg-plist
Comment 6 Kurt Jaeger freebsd_committer 2020-05-27 16:03:55 UTC
(In reply to geoffroy desvernay from comment #2)
Thanks. Please note that entries should be added to the beginning
of the vuln.xml file, not the end. I'll work it in, but for future reference...
Comment 7 commit-hook freebsd_committer 2020-05-27 16:20:30 UTC
A commit references this bug:

Author: pi
Date: Wed May 27 16:20:12 UTC 2020
New revision: 536701
URL: https://svnweb.freebsd.org/changeset/ports/536701

Log:
  security/vuxml: add two entries for mail/sympa

  PR:		246701
  Submitted by:	Geoffroy Desvernay <dgeo@centrale-marseille.fr>

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Kurt Jaeger freebsd_committer 2020-05-27 16:22:15 UTC
Committed, thanks!
Comment 9 commit-hook freebsd_committer 2020-05-27 16:22:32 UTC
A commit references this bug:

Author: pi
Date: Wed May 27 16:21:38 UTC 2020
New revision: 536702
URL: https://svnweb.freebsd.org/changeset/ports/536702

Log:
  MFH: r536696

  mail/sympa: update 6.2.54 -> 6.2.56, fix security issue

  - A vulnerability has been discovered in Sympa web interface by
    which attacker can execute arbitrary code with root privileges.

  PR:		246701
  Submitted by:	William F. Dudley Jr. <wfdudley@gmail.com>
  Approved by:	dgeo@centrale-marseille.fr (maintainer)
  Relnotes:	https://github.com/sympa-community/sympa/releases/tag/6.2.56
  Security:	CVE-2020-10936
  		https://sympa-community.github.io/security/2020-002.html
  		https://github.com/sympa-community/sympa/issues/943
  Approved by:	portmgr (security blanket)

Changes:
_U  branches/2020Q2/
  branches/2020Q2/mail/sympa/Makefile
  branches/2020Q2/mail/sympa/distinfo
  branches/2020Q2/mail/sympa/files/pkg-install.in
  branches/2020Q2/mail/sympa/pkg-plist