Bug 23536 - sympa new security issue CVE-2018-1000550
Summary: sympa new security issue CVE-2018-1000550
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-09-07 19:04 CEST by David Walser
Modified: 2019-09-30 21:54 CEST

See Also:
Source RPM: sympa-6.2.16-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-09-07 19:04:17 CEST
Sympa has issued an advisory on July 3:
https://sympa-community.github.io/security/2018-001.html

Debian has issued an advisory for this on September 5:
https://www.debian.org/security/2018/dsa-4285

The issue is fixed upstream in 6.2.32.

Mageia 5 is also affected.
Comment 1 Marja Van Waes 2018-09-08 13:11:57 CEST
Assigning to the registered maintainer.

CC'ing our sysadmins, because of sympa in our infra.

CC: (none) => marja11, sysadmin-bugs
Assignee: bugsquad => guillomovitch

Comment 2 Thomas Backlund 2018-09-08 13:27:28 CEST
No need to think about infra... (for once...) :)

Infra was updated a long time ago :)
# rpm -qa --last |grep sympa
sympa-www-6.2.32-1.mga6.infra.x86_64          Thu 14 Jun 2018 08:52:31 PM CEST
sympa-6.2.32-1.mga6.infra.x86_64              Thu 14 Jun 2018 08:51:27 PM CEST
sympa-postgresql-6.2.32-1.mga6.infra.x86_64   Thu 14 Jun 2018 08:51:26 PM CEST

But I think it's better to patch sympa in updates, as there are schema changes between 6.2.16 and 6.2.32 that would make it need manual intervention...

CC: (none) => tmb

Comment 3 Guillaume Rousse 2019-02-20 22:39:49 CET
sympa-6.2.16-1.1.mga6, fixing the issue, submitted in updates_testing.
Guillaume Rousse 2019-02-20 22:40:56 CET

Assignee: guillomovitch => qa-bugs

Comment 4 David Walser 2019-02-20 22:44:46 CET
Thanks Guillaume!

Advisory:
========================

Updated sympa packages fix security vulnerability:

Michael Kaczmarczik discovered a vulnerability in the web interface template
editing function of Sympa, a mailing list manager. Owners and listmasters could
use this flaw to create or modify arbitrary files on the server with the
privileges of the sympa user, or owners could view list config files even if
edit_list.conf prohibits it (CVE-2018-1000550).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000550
https://sympa-community.github.io/security/2018-001.html
https://www.debian.org/security/2018/dsa-4285
========================

Updated packages in core/updates_testing:
========================
sympa-6.2.16-1.1.mga6
sympa-www-6.2.16-1.1.mga6

from sympa-6.2.16-1.1.mga6.src.rpm

CC: (none) => guillomovitch

Comment 5 Herman Viaene 2019-02-26 14:48:43 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues at first.
Consulting bug 15097 and bug 6772, found out I had to manually install apache-mod_fgci. Why isn't that a dependency???
Restarted httpd after this installation, and pointed to http://127.0.0.1/sympa/
This resulted in Server Error: End of script output before headers: wwsympa-wrapper.fcgi 
Further looking in the bugs above and googling the error brings me references to the file /etc/sympa/wwsympa.conf, but this file does not exist here.

CC: (none) => herman.viaene

Comment 6 Guillaume Rousse 2019-02-26 19:47:37 CET
mod_fcgi is a soft dependency for the web interface, as you can perfectly run it as a standard CGI. And wwsympa.conf is an obsolete configuration file; all related directives are now loaded from the regular /etc/sympa/sympa.conf file.
Comment 7 Herman Viaene 2019-03-16 14:09:37 CET
After finding in bug 6772 Comment 2 that one has to run sympa_wizard.pl, I could proceed, accepting almost all default values in the configuration wizard.
Then I could connect to http://127.0.0.1/sympa/, but trying to login does not seem to have any effect, and selecting any of the other pages just throws the "Error 404".
Comment 8 Thomas Andrews 2019-09-11 14:20:08 CEST
No response to this bug for nearly six months. Mageia 6 goes EOL very soon. What are we to do with this?

CC: (none) => andrewsfarm

Comment 9 David Walser 2019-09-11 14:23:55 CEST
Has anyone else tried to test this?  Is the supposed issue a regression or operator error?  It looks like the package was just patched and is likely fine and should have been pushed a long time ago.
Comment 10 Guillaume Rousse 2019-09-11 19:24:35 CEST
I guess this is an operator error. The Sympa web interface may be quite difficult to set up for someone not familiar with configuring a web server manually.
Comment 11 Thomas Andrews 2019-09-11 22:07:35 CEST
OK, Herman did have a clean installation in 32-bit, so I'm going to OK it based on that and validate, sending it on its way. 

Advisory in Comment 4.

Whiteboard: (none) => MGA6-32-OK
Keywords: (none) => validated_update

Thomas Backlund 2019-09-12 19:16:52 CEST

Keywords: (none) => advisory

Comment 12 Mageia Robot 2019-09-12 21:11:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0263.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 13 Bruno Cornec 2019-09-30 17:16:13 CEST
After updating my sympa server I now have an issue:

[Mon Sep 30 16:50:51.430367 2019] [core:notice] [pid 6071] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
err Conf::_load_binary_cache() Could not create new lock, error was : Couldn't open "/etc/sympa/sympa.conf.bin,lock.5058.6097.5135" [Permission denied]
Use of uninitialized value in string eq at /usr/share/sympa/lib/Conf.pm line 2217.


I'm trying to change ownergroup of the /etc/sympa dir to have apache user as well as sympa able to create the lock file, but without any luck.

Am I missing something?

Resolution: FIXED => (none)
CC: (none) => bruno
Status: RESOLVED => REOPENED

Comment 14 David Walser 2019-09-30 21:54:31 CEST
You'll need to open a new bug for that.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

