Bug 15097 - sympa new security issue fixed upstream in 6.1.24 (CVE-2015-1306)
Summary: sympa new security issue fixed upstream in 6.1.24 (CVE-2015-1306)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/630218/
Whiteboard: MGA4-64-OK MGA4-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-20 18:00 CET by David Walser
Modified: 2015-02-26 09:27 CET (History)
CC: 5 users

See Also:
Source RPM: sympa-6.1.23-3.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-01-20 18:00:40 CET
Upstream has issued an advisory on January 15:
https://www.sympa.org/security_advisories#security_breaches_in_newsletter_posting

A CVE has been requested:
http://openwall.com/lists/oss-security/2015/01/20/4

The issue is fixed in 6.1.24, and the upstream patch is linked in the message above.

Mageia 4 is also affected.

David Walser 2015-01-20 18:00:52 CET

Blocks: (none) => 14674
Whiteboard: (none) => MGA4TOO

Comment 1 David Walser 2015-01-21 22:45:06 CET
Debian has issued an advisory for this on January 20:
https://www.debian.org/security/2015/dsa-3134

URL: (none) => http://lwn.net/Vulnerabilities/630218/

Comment 2 David Walser 2015-01-22 17:29:54 CET
CVE-2015-1306 has been assigned:
http://openwall.com/lists/oss-security/2015/01/22/4

Summary: sympa new security issue fixed upstream in 6.1.24 => sympa new security issue fixed upstream in 6.1.24 (CVE-2015-1306)

Comment 3 Guillaume Rousse 2015-01-23 10:50:59 CET
sympa 6.1.24 committed in cauldron, freeze push pending.
sympa 6.1.17-3.1 submitted in updates_testing for mageia 4.

Suggested advisory:
A vulnerability has been discovered in the Sympa web interface that allows access to files on the server filesystem.

This breach allows sending to a list or a user any file readable by the Sympa user, located on the server filesystem, using the Sympa web interface newsletter posting area.

Status: NEW => ASSIGNED

Comment 4 David Walser 2015-01-23 13:58:42 CET
Thanks Guillaume!

Advisory:
========================

Updated sympa packages fix security vulnerability:

A vulnerability has been discovered in the Sympa web interface that allows
access to files on the server filesystem. This breach allows sending to a list
or a user any file readable by the Sympa user, located on the server
filesystem, using the Sympa web interface newsletter posting area
(CVE-2015-1306).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1306
https://www.sympa.org/security_advisories#security_breaches_in_newsletter_posting
https://www.debian.org/security/2015/dsa-3134
========================

Updated packages in core/updates_testing:
========================
sympa-6.1.17-3.1.mga4
sympa-www-6.1.17-3.1.mga4

from sympa-6.1.17-3.1.mga4.src.rpm

CC: (none) => guillomovitch
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA4TOO => (none)

Comment 5 Herman Viaene 2015-01-24 11:53:28 CET
MGA4-64 on HP Probook 6555b.
No installation issues.
Ref bug 6772 trying to find a way to test.
Ran the configuration wizard accepting the defaults. Ran it as root; as a normal user it would not run.
As normal user point firefox to http://localhost/sympa
This results in downloading a .bin file (type executable), but then????

CC: (none) => herman.viaene

Comment 6 Guillaume Rousse 2015-01-24 14:07:40 CET
(In reply to Herman Viaene from comment #5)
> As normal user point firefox to http://localhost/sympa
> This results in downloading a .bin file (type executable), but then????
Check your web server configuration: if you don't have a handler defined for .fcgi files, Apache will serve it as an unknown file type instead of executing it.
Comment 7 Dave Hodgins 2015-01-25 00:49:53 CET
I've found an additional problem. When configured to use a mysql db, the
sympa service is trying to start before the mysql service, so it fails
to start at bootup. It will start after mysql has started, so it isn't
a configuration issue.

CC: (none) => davidwhodgins

Comment 8 Herman Viaene 2015-01-26 10:42:44 CET
Got the advice from the discussion list to install apache-mod_fcgi; did that, but the result is the same.
Comment 9 Guillaume Rousse 2015-01-26 19:23:00 CET
(In reply to Herman Viaene from comment #8)
> Got the advice from the discussion list to install apache-mod_fcgi; did that,
> but the result is the same.
As already said, you're likely missing a configuration directive, not a specific piece of software.
Comment 10 claire robinson 2015-01-26 22:13:25 CET
See https://bugs.mageia.org/show_bug.cgi?id=6772#c5 for a previous similar issue
Comment 11 David Walser 2015-01-26 22:28:52 CET
Perhaps a possible source of breakage is here:
http://svnweb.mageia.org/packages/cauldron/apache-mod_fcgid/current/SOURCES/mod_fcgid.conf?r1=280773&r2=280770&pathrev=280773

Maybe mod_fcgid.conf needs to have this added?
AddHandler fcgid-script fcg fcgi fpl
Comment 12 David Walser 2015-01-26 22:31:49 CET
I also wonder whether the FcgidIPCDir should still be there.
Comment 13 David Walser 2015-01-26 22:42:57 CET
(In reply to David Walser from comment #11)
> Perhaps a possible source of breakage is here:
> http://svnweb.mageia.org/packages/cauldron/apache-mod_fcgid/current/SOURCES/
> mod_fcgid.conf?r1=280773&r2=280770&pathrev=280773
> 
> Maybe mod_fcgid.conf needs to have this added?
> AddHandler fcgid-script fcg fcgi fpl

Nevermind, all of that stuff was moved to fcgid.conf.
Comment 14 claire robinson 2015-01-27 18:30:01 CET
Testing mga4 64

Followed the README.urpmi which gives brief details how to proceed. Created database with user. Configured /etc/my.cnf not to skip-networking.

Changed the fastcgi-scripts handlers in /etc/httpd/conf/sites.d/sympa.conf to fcgid-scripts and installed apache-mod_fcgid.

Checked the handler is set in /etc/httpd/conf/conf.d/fcgid.conf

Getting nowhere with this. It downloads a binary rather than running it as a cgi script. It's probably something trivial I'm missing but no idea what.
Comment 15 claire robinson 2015-01-27 20:16:44 CET
Requesting sysadmin assist for this one please. 
We need to ensure it's right as it'll be used on our servers.

CC: (none) => sysadmin-bugs

Comment 16 Guillaume Rousse 2015-01-31 12:40:49 CET
Everything works fine with a correct handler defined for .fcgi scripts:
- either 'cgi-script'
- or 'fcgid-script' (automatically done by the apache-mod_fcgid default configuration)
'fastcgi-script' is a handler for mod_fastcgi, which is obsolete and no longer available in the distribution.

I just fixed the *default* apache configuration to define the cgi-script handler only if mod_fcgid is not available; that should be enough. Beware of browser caching when testing.

Two remarks:
- this is not a regression; the problem was already present in the original package for mageia 4
- this only affects the web interface, which is only one component of sympa
Comment 17 Guillaume Rousse 2015-02-01 11:30:56 CET
I forgot in my previous comment: you have to ensure that the handler selected is consistent with the use_fast_cgi setting in /etc/sympa/wwsympa.conf
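As an added illustration of the handler choice described in comments 16 and 17 (this is an example, not the Mageia package's own sympa.conf or fcgid.conf), the fragment below prefers mod_fcgid and falls back to plain CGI only when that module is absent; the Alias target, the script directory and the wrapper name are assumptions.

```apache
# Added example of the .fcgi handler selection from comments 16 and 17.
# Not the Mageia package's configuration; the script directory and the
# wrapper file name below are assumptions.
Alias /sympa /usr/lib/sympa/cgi/wwsympa-wrapper.fcgi

<IfModule mod_fcgid.c>
    # apache-mod_fcgid is installed: its default fcgid.conf already maps
    # .fcgi to the fcgid-script handler, so nothing more is needed here.
</IfModule>

<IfModule !mod_fcgid.c>
    # No mod_fcgid available: run the .fcgi script as an ordinary CGI.
    AddHandler cgi-script .fcgi
</IfModule>

# Obsolete: mod_fastcgi is no longer shipped, so this handler name matches
# no loaded module and Apache hands the script to the browser as a download.
# AddHandler fastcgi-script .fcgi

<Directory /usr/lib/sympa/cgi>
    # Either handler needs execute permission on the script directory.
    Options +ExecCGI
    Require all granted
</Directory>

# Keep use_fast_cgi in /etc/sympa/wwsympa.conf consistent with whichever
# handler is in effect, as comment 17 notes.
```

After changing the handler, retest with browser caching disabled or a fresh private window, since an earlier download response may otherwise be replayed.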
Comment 18 David Walser 2015-02-09 20:52:07 CET
LWN made this entry for CVE-2015-1306:
http://lwn.net/Vulnerabilities/632570/

I asked them to combine it with the previous one.
Comment 19 Herman Viaene 2015-02-16 10:54:16 CET
David, your link results in "Error 404".
Comment 20 Herman Viaene 2015-02-16 11:12:20 CET
MGA4-64 on HP Probook 6555b.
I did remove the sympa packages previously, so today I reinstalled the 6.16.1.17-3.2 packages, after checking that mod_fcgi was installed.
Now the sympa page "Mailing list services" opens OK.

Whiteboard: (none) => MGA4-64-OK

Comment 21 David Walser 2015-02-16 13:40:25 CET
(In reply to Herman Viaene from comment #19)
> David, your link results in "Error 404".

Yep, they combined it back into the one listed in the URL at the top of the bug.
Comment 22 Herman Viaene 2015-02-17 12:04:45 CET
MGA4-32 on Acer D620.
After doing all the steps I ran into:
Server error!

The server encountered an internal error and was unable to complete your request.

Error message:
End of script output before headers: wwsympa-wrapper.fcgi 
when pointing firefox at http://localhost/sympa
Comment 23 David Walser 2015-02-17 14:18:56 CET
Check your logs in /var/log/httpd; there should be more information about why you got the "end of script output" message. Also, did you have apache-mod_fcgi installed for that test?
Comment 24 Herman Viaene 2015-02-17 14:50:55 CET
apache-mod_fcgi is installed
access_log:
127.0.0.1 - - [17/Feb/2015:14:31:04 +0100] "GET /sympa/ HTTP/1.1" 500 1061 "-" "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"
error_log:
Can't locate FCGI.pm in @INC (you may need to install the FCGI module) (@INC contains: /usr/share/sympa/lib /usr/lib/perl5/site_perl/5.18.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.18.1 /usr/lib/perl5/vendor_perl/5.18.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.18.1 /usr/lib/perl5/5.18.1/i386-linux-thread-multi /usr/lib/perl5/5.18.1 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.16.2 /usr/lib/perl5/vendor_perl .) at /usr/lib/perl5/5.18.1/CGI/Fast.pm line 25.
BEGIN failed--compilation aborted at /usr/lib/perl5/5.18.1/CGI/Fast.pm line 25.
Compilation failed in require at /usr/lib/sympa/cgi/wwsympa.fcgi line 121.
[Tue Feb 17 14:31:16.798699 2015] [fcgid:warn] [pid 6551] (104)Connection reset by peer: [client 127.0.0.1:46155] mod_fcgid: error reading data from FastCGI server
[Tue Feb 17 14:31:16.798894 2015] [core:error] [pid 6551] [client 127.0.0.1:46155] End of script output before headers: wwsympa-wrapper.fcgi

I installed packages fcgi, libfcgi0 and perl-FCGI and that solved the problem. "Mailing list services" page is now displayed.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 25 David Walser 2015-02-17 15:00:51 CET
So we have a missing requires on perl-FCGI in some package, but I'm not sure which one it belongs in.
Comment 26 claire robinson 2015-02-17 17:20:49 CET
I guess it should probably be suggests/recommends (whichever we use now) for apache-mod_fcgid.

I think sympa is probably not at fault here.

Guillaume any thoughts?
Comment 27 Guillaume Rousse 2015-02-17 20:01:18 CET
The FCGI perl module is actually a dependency of the CGI::Fast perl module, which is distributed either as a core perl package or as a separate perl-CGI package. Given this multiple distribution, it was simpler to add another soft dependency to the sympa-www package, both for mageia 4 and for cauldron.
Comment 28 David Walser 2015-02-17 20:05:16 CET
Yeah, I saw the multiple distributions of the Fast.pm, which is why I wasn't sure what to do about this.  Thanks for the fix Guillaume!

The sympa SRPM for mga4 is now sympa-6.1.17-3.3.mga4.  This one should be good.
Comment 29 Rémi Verschelde 2015-02-19 12:26:05 CET
Advisory uploaded. Are the -OK tags still valid or should they be cleaned?

CC: (none) => remi
Whiteboard: MGA4-64-OK MGA4-32-OK => MGA4-64-OK MGA4-32-OK advisory

Comment 30 David Walser 2015-02-19 12:41:57 CET
(In reply to Rémi Verschelde from comment #29)
> Advisory uploaded. Are the -OK tags still valid or should they be cleaned?

It's already been verified to be working, so they don't necessarily need to be cleaned just because it was rebuilt.  All that was added was a recommends on perl-FCGI.  Maybe someone could double-check it with rpmdiff or something, but it should still be OK.  As long as it still installs fine and there wasn't a typo or something, it should be ready to go based on the testing that's been done.
Comment 31 claire robinson 2015-02-25 22:31:18 CET
Testing complete mga4 64 \o/

Taking Herman's previous testing into account I'll validate this one now.


Please push to 4 updates

Thanks

Keywords: (none) => validated_update

Comment 32 Mageia Robot 2015-02-26 09:27:27 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0085.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

