A vulnerability has been discovered in the Sympa web interface by which an attacker can execute arbitrary code with root privileges.

Sympa uses two sorts of setuid wrappers:

- FastCGI wrappers
- newaliases wrapper

The FastCGI wrappers (wwsympa-wrapper.fcgi and sympa_soap_server-wrapper.fcgi) were used to make the web interface run under the privileges of a dedicated user. The newaliases wrapper (sympa_newaliases-wrapper) allows Sympa to update the alias database with root privileges.

Since these setuid wrappers did not clear environment variables, if environment variables like PERL5LIB were injected, forged code might be loaded and executed under the privileges of the setuid-ed users.

More here: https://github.com/sympa-community/sympa/releases/tag/6.2.56
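The root cause described above is a setuid wrapper that passes its caller's environment straight through to the privileged program. The usual fix is for the wrapper to build a fresh environment from an allow-list and pin PATH before exec'ing. The following is an added illustration of that pattern, not Sympa's own wrapper code; the allow-list contents, the pinned PATH value and the sample caller environment are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allow-list: the only caller variables the wrapper forwards.
 * Everything else, notably PERL5LIB/PERLLIB, is dropped, not inherited. */
static const char *const ALLOWED[] = { "HOME", "LANG", "TZ", NULL };
/* PATH is never inherited; it is pinned to a fixed trusted value. */
static const char SAFE_PATH[] = "PATH=/usr/local/bin:/usr/bin:/bin";

/* Return 1 if the key of a KEY=VALUE entry is in ALLOWED. */
static int key_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t klen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *a = ALLOWED; *a; a++)
        if (strlen(*a) == klen && strncmp(*a, entry, klen) == 0)
            return 1;
    return 0;
}

/* Fresh NULL-terminated env: allow-listed src entries + SAFE_PATH. Caller frees. */
char **sanitize_env(char *const *src) {
    size_t n = 0, k = 0;
    while (src[n]) n++;
    char **out = calloc(n + 2, sizeof *out);   /* room for PATH + NULL */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++)
        if (key_allowed(src[i])) out[k++] = src[i];
    out[k++] = (char *)SAFE_PATH;
    out[k] = NULL;
    return out;
}

/* Look up name in a KEY=VALUE array; returns its value or NULL. */
const char *env_lookup(char *const *envp, const char *name) {
    size_t len = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, len) == 0 && (*envp)[len] == '=')
            return *envp + len + 1;
    return NULL;
}
int main(void) {
    /* Constructed caller environment carrying an injected PERL5LIB. */
    char *caller[] = { "PERL5LIB=/tmp/injected", "HOME=/home/www",
                       "PATH=/tmp:/usr/bin", "LANG=C.UTF-8", NULL };
    char **clean = sanitize_env(caller);
    for (char **e = clean; *e; e++) puts(*e);  /* HOME, LANG, PATH only */
    free(clean);            /* a real wrapper would execve() with clean */
    return 0;
}
```

In a real wrapper the sanitized array is passed as the envp argument of execve(), so the privileged Perl interpreter never sees a caller-controlled PERL5LIB.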
Created attachment 214878: svn diff mail/sympa upgrade to 6.2.56 and fix perms problems of #246702
Created attachment 214880: svn diff security/vuxml two vuxml entries affecting < 6.2.56
I can't change to patch-ready…
testbuilds@work
A commit references this bug:

Author: pi
Date: Wed May 27 16:02:33 UTC 2020
New revision: 536696
URL: https://svnweb.freebsd.org/changeset/ports/536696

Log:
mail/sympa: update 6.2.54 -> 6.2.56, fix security issue

- A vulnerability has been discovered in Sympa web interface by which attacker can execute arbitrary code with root privileges.

PR: 246701
Submitted by: William F. Dudley Jr. <wfdudley@gmail.com>
Approved by: dgeo@centrale-marseille.fr (maintainer)
MFH: 2020Q2
Relnotes: https://github.com/sympa-community/sympa/releases/tag/6.2.56
Security: CVE-2020-10936
          https://sympa-community.github.io/security/2020-002.html
          https://github.com/sympa-community/sympa/issues/943

Changes:
head/mail/sympa/Makefile
head/mail/sympa/distinfo
head/mail/sympa/files/pkg-install.in
head/mail/sympa/pkg-plist
(In reply to geoffroy desvernay from comment #2) Thanks. Please note that entries should be added to the beginning of the vuln.xml file, not the end. I'll work it in, but for future reference...
A commit references this bug:

Author: pi
Date: Wed May 27 16:20:12 UTC 2020
New revision: 536701
URL: https://svnweb.freebsd.org/changeset/ports/536701

Log:
security/vuxml: add two entries for mail/sympa

PR: 246701
Submitted by: Geoffroy Desvernay <dgeo@centrale-marseille.fr>

Changes:
head/security/vuxml/vuln.xml
Committed, thanks!
A commit references this bug:

Author: pi
Date: Wed May 27 16:21:38 UTC 2020
New revision: 536702
URL: https://svnweb.freebsd.org/changeset/ports/536702

Log:
MFH: r536696

mail/sympa: update 6.2.54 -> 6.2.56, fix security issue

- A vulnerability has been discovered in Sympa web interface by which attacker can execute arbitrary code with root privileges.

PR: 246701
Submitted by: William F. Dudley Jr. <wfdudley@gmail.com>
Approved by: dgeo@centrale-marseille.fr (maintainer)
Relnotes: https://github.com/sympa-community/sympa/releases/tag/6.2.56
Security: CVE-2020-10936
          https://sympa-community.github.io/security/2020-002.html
          https://github.com/sympa-community/sympa/issues/943
Approved by: portmgr (security blanket)

Changes:
_U branches/2020Q2/
branches/2020Q2/mail/sympa/Makefile
branches/2020Q2/mail/sympa/distinfo
branches/2020Q2/mail/sympa/files/pkg-install.in
branches/2020Q2/mail/sympa/pkg-plist