Bug 23536 - sympa new security issue CVE-2018-1000550
Summary: sympa new security issue CVE-2018-1000550
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-07 19:04 CEST by David Walser
Modified: 2019-03-16 14:09 CET (History)
5 users (show)

See Also:
Source RPM: sympa-6.2.16-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-09-07 19:04:17 CEST
Sympa has issued an advisory on July 3:
https://sympa-community.github.io/security/2018-001.html

Debian has issued an advisory for this on September 5:
https://www.debian.org/security/2018/dsa-4285

The issue is fixed upstream in 6.2.32.

Mageia 5 is also affected.
Comment 1 Marja Van Waes 2018-09-08 13:11:57 CEST
Assigning to the registered maintainer.

CC'ing our sysadmins, because of sympa in our infra.

Assignee: bugsquad => guillomovitch
CC: (none) => marja11, sysadmin-bugs

Comment 2 Thomas Backlund 2018-09-08 13:27:28 CEST
No need to think about infra... (for once...) :)

Infra is updated since a long time ago :)
# rpm -qa --last |grep sympa
sympa-www-6.2.32-1.mga6.infra.x86_64          Thu 14 Jun 2018 08:52:31 PM CEST
sympa-6.2.32-1.mga6.infra.x86_64              Thu 14 Jun 2018 08:51:27 PM CEST
sympa-postgresql-6.2.32-1.mga6.infra.x86_64   Thu 14 Jun 2018 08:51:26 PM CEST

But I think it's better to patch sympa in updates, as there are schema changes between 6.2.16 and 6.2.32 that would make it need manual intervention...

CC: (none) => tmb

Comment 3 Guillaume Rousse 2019-02-20 22:39:49 CET
sympa-6.2.16-1.1.mga6, fixing the issue, submitted in updates_testing.
Guillaume Rousse 2019-02-20 22:40:56 CET

Assignee: guillomovitch => qa-bugs

Comment 4 David Walser 2019-02-20 22:44:46 CET
Thanks Guillaume!

Advisory:
========================

Updated sympa packages fix security vulnerability:

Michael Kaczmarczik discovered a vulnerability in the web interface template
editing function of Sympa, a mailing list manager. Owner and listmasters could
use this flaw to create or modify arbitrary files in the server with privileges
of sympa user or owner view list config files even if edit_list.conf prohibits
it (CVE-2018-1000550).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000550
https://sympa-community.github.io/security/2018-001.html
https://www.debian.org/security/2018/dsa-4285
========================

Updated packages in core/updates_testing:
========================
sympa-6.2.16-1.1.mga6
sympa-www-6.2.16-1.1.mga6

from sympa-6.2.16-1.1.mga6.src.rpm

CC: (none) => guillomovitch

Comment 5 Herman Viaene 2019-02-26 14:48:43 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues at first.
Consulting bug 15097 and bug 6772, found out I had to manually install apache-mod_fgci. Why isn't  that a dependency???
Restarted httpd after this installation, and pointed to http://127.0.0.1/sympa/
This resulted in Server Error: End of script output before headers: wwsympa-wrapper.fcgi 
Further looking in bugs above and googling on the error brings me references to file /etc/sympa/wwsympa.conf , bu this file does not exist here.

CC: (none) => herman.viaene

Comment 6 Guillaume Rousse 2019-02-26 19:47:37 CET
mod_fcgi is a soft dependency for the web interface, as you can perfectly run it as a standard CGI. And wwsympa.conf is an obsolete configuration file, all related directives are now loaded from regular /etc/sympa/sympa.conf file.
Comment 7 Herman Viaene 2019-03-16 14:09:37 CET
After finding in bug6772 Comment 2 that one has to run sympa_wizard.pl, I I could proceed, accepting almost all default values in the configuration wizard.
Then I could connect to http://127.0.0.1/sympa/, but trying to login does not seem to have any effect, and selecting any of the other pages just throws the "Error 404".

Note You need to log in before you can comment on or make changes to this bug.