Bug 26756 - sympa new security issues CVE-2020-10936, CVE-2020-26880, and CVE-2020-29668
Summary: sympa new security issues CVE-2020-10936, CVE-2020-26880, and CVE-2020-29668
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-09 22:07 CEST by David Walser
Modified: 2021-08-08 20:29 CEST
8 users

See Also:
Source RPM: sympa-6.2.42-1.1.mga7.src.rpm
CVE: CVE-2020-10936
Status comment: Fixed upstream in 6.2.60


Comment 1 Lewis Smith 2020-06-11 20:52:42 CEST
Assigning to tmb as the main sympa committer; CC'ing Guillaume as its registered maintainer.

Assignee: bugsquad => tmb
CC: (none) => guillomovitch

Comment 2 David Walser 2020-10-13 18:08:40 CEST
Debian-LTS has issued an advisory for this on October 7:
https://www.debian.org/lts/security/2020/dla-2401
Comment 3 Nicolas Salguero 2020-10-21 15:57:53 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Sympa before 6.2.56 allows privilege escalation. (CVE-2020-10936)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10936
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3J4NZLGAF4ZYK52XEBQDTBNHLGBEPXXN/
https://github.com/sympa-community/sympa/releases/tag/6.2.56
https://sympa-community.github.io/security/2020-002.html
https://www.debian.org/lts/security/2020/dla-2401
========================

Updated packages in core/updates_testing:
========================
sympa-6.2.42-1.2.mga7
sympa-www-6.2.42-1.2.mga7
sympa-mysql-6.2.42-1.2.mga7
sympa-postgresql-6.2.42-1.2.mga7

from SRPM:
sympa-6.2.42-1.2.mga7.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-10936
Status: NEW => ASSIGNED
Assignee: tmb => qa-bugs

Comment 4 Herman Viaene 2020-10-23 12:26:18 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref a load of previous update bugs on it, but nowhere a working example.
Found that the wizard does not create anything on the mysql database.
Found https://sympa-community.github.io/manual/install.html
Checked sympa.conf, created database as in the manual, checked further the sympa.conf accordingly, but all in vain.
All I get is the sympa Welcome screen, the login button does not do anything and all the other links throw Error 404.
Clean install ?????

CC: (none) => herman.viaene

Comment 5 Thomas Backlund 2020-10-25 10:20:33 CET
For Mageia 7 infra, the patch needs to be applied to https://svnweb.mageia.org/packages/updates/infra_7/sympa/

CC: (none) => sysadmin-bugs

Comment 6 David Walser 2020-11-11 00:39:37 CET
Debian-LTS has issued an advisory on November 9:
https://www.debian.org/lts/security/2020/dla-2441

It fixes a new security issue (Mageia 7 and Cauldron are affected).

CC: (none) => qa-bugs
Assignee: qa-bugs => nicolas.salguero
Version: 7 => Cauldron
Whiteboard: (none) => MGA7TOO
Summary: sympa new security issue CVE-2020-10936 => sympa new security issues CVE-2020-10936 and CVE-2020-26880

Comment 7 Thomas Backlund 2020-11-18 23:24:29 CET
(In reply to Thomas Backlund from comment #5)
> For Mageia 7 infra, the patch needs to be applied to
> https://svnweb.mageia.org/packages/updates/infra_7/sympa/

Infra patched for CVE-2020-10936
Comment 8 Thomas Backlund 2020-11-18 23:40:48 CET
(In reply to David Walser from comment #6)
> Debian-LTS has issued an advisory on November 9:
> https://www.debian.org/lts/security/2020/dla-2441
> 
> It fixes a new security issue (Mageia 7 and Cauldron are affected).

The "fix" for this is to remove setuid wrappers with config option: 
https://github.com/sympa-community/sympa/pull/1032/commits/a0cb7ef20701dbd9e102a3ffa9267138b1bae638


I've manually removed suid bit on infra for now
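An added check, not from this bug report or the Sympa project, for the manual mitigation described in comment 8: list regular files carrying the setuid bit under a given directory, clear the bit, and re-verify. The directory and the wrapper file name used in the demo are constructed; the real wrapper path on Mageia is not stated in the bug and is not assumed here.

```shell
#!/bin/sh
# Added example, not from the bug or the Sympa project: audit a directory for
# setuid bits (the manual mitigation from comment 8) and verify the result.

# Print every regular file under $1 that has the setuid bit set, sorted.
list_setuid() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    find "$1" -type f -perm -4000 -print | sort
}

# Return 0 when nothing under $1 is setuid, 1 otherwise (offenders on stderr),
# 2 when the directory does not exist.
check_no_setuid() {
    offenders=$(list_setuid "$1") || return $?
    [ -z "$offenders" ] && return 0
    printf 'setuid still set on:\n%s\n' "$offenders" >&2
    return 1
}

# Remediation as done by hand in comment 8: clear u+s on the files found.
strip_setuid() {
    list_setuid "$1" | while IFS= read -r f; do chmod u-s "$f"; done
}

# Demo on a constructed temp dir standing in for the wrapper directory
# (the real path on Mageia is not stated in the bug and is not assumed here).
make_demo_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/wwsympa-wrapper.fcgi" "$d/plain.txt"
    chmod u+s "$d/wwsympa-wrapper.fcgi"   # constructed setuid wrapper
    printf '%s\n' "$d"
}
```

Run `check_no_setuid` on the directory holding the wrappers after an update to confirm the bit did not come back with the new package.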
Comment 9 Thomas Backlund 2020-11-19 00:55:21 CET
(In reply to Thomas Backlund from comment #7)
> (In reply to Thomas Backlund from comment #5)
> > For Mageia 7 infra, the patch needs to be applied to
> > https://svnweb.mageia.org/packages/updates/infra_7/sympa/
> 
> Infra patched for CVE-2020-10936

And reverted.
The fix breaks session handling, which also explains the trouble Herman had in comment 4.

Seems Debian hit the same problem... 
We need to fix it properly...
Comment 10 David Walser 2020-12-18 20:15:02 CET
Debian-LTS has issued an advisory on December 17:
https://www.debian.org/lts/security/2020/dla-2499

This new issue is apparently fixed upstream in 6.2.59b.2.

Summary: sympa new security issues CVE-2020-10936 and CVE-2020-26880 => sympa new security issues CVE-2020-10936, CVE-2020-26880, and CVE-2020-29668
Severity: normal => major

Comment 11 David Walser 2020-12-24 16:27:25 CET
Debian has issued an advisory for this on December 23:
https://www.debian.org/security/2020/dsa-4818
David Walser 2020-12-27 19:01:11 CET

Status comment: (none) => Fixed upstream in 6.2.59b.2

Comment 12 Nicolas Lécureuil 2020-12-28 18:39:12 CET
yes but this is a beta.
Sympa 6.2.60 should be released soon

CC: (none) => mageia

Comment 13 Nicolas Lécureuil 2020-12-28 18:53:43 CET
6.2.60 final is planned for the 4th of January.

Maybe we can update to beta2 and update to final after.

WDYT ?
Comment 14 David Walser 2020-12-28 19:37:39 CET
I think it would be fine. What does tmb think?
Comment 15 Guillaume Rousse 2020-12-28 19:43:52 CET
I don't intend to issue two updates myself, but feel free to do so if you feel compelled to. This problem is actually 4 years old, if you read the thread on github; I don't think waiting just another week will change much.
Comment 16 Bruno Cornec 2021-01-05 09:53:31 CET
CVE-2020-29668 Fixed with https://github.com/sympa-community/sympa/releases/tag/6.2.60

CC: (none) => bruno

Comment 17 Nicolas Lécureuil 2021-01-05 14:17:44 CET
Sympa 6.2.60 is in the SVN.
Freeze push asked.
Comment 18 Nicolas Lécureuil 2021-01-05 15:04:56 CET
new sympa available on cauldron

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 19 David Walser 2021-01-13 20:24:13 CET
Fedora has issued an advisory for this on January 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EFZWDEKQFW3EH665OECDWIWM2MI7T53Y/

Status comment: Fixed upstream in 6.2.59b.2 => Fixed upstream in 6.2.60

David Walser 2021-01-13 20:24:25 CET

Severity: major => critical

Nicolas Salguero 2021-01-20 15:40:35 CET

Assignee: nicolas.salguero => pkg-bugs

Comment 20 Nicolas Lécureuil 2021-01-20 16:27:36 CET
@guillaume: do you have a problem if I update sympa to 6.2.60 on mageia 7 ?
Comment 21 Thomas Backlund 2021-01-20 16:39:16 CET
Doing that means you are pushing schema changes in a stable release, which means after update sympa will fail to start until manual intervention and possible config changes are done.
Comment 22 Nicolas Lécureuil 2021-01-20 17:38:14 CET
ok so no-go. I will dig to find commits then.
Comment 23 Nicolas Lécureuil 2021-03-04 19:52:29 CET
Fix for CVE-2020-29668 added in svn.


Can someone please help for CVE-2020-29668 ?

https://github.com/sympa-community/sympa/issues/1009
Comment 24 David Walser 2021-06-29 01:13:14 CEST
Ping, just a reminder if we're gonna do anything with this, now's the time.
Comment 25 David Walser 2021-07-25 19:13:01 CEST
infra version is fixed now as of yesterday; thanks Thomas!

CC: (none) => tmb

Comment 26 Thomas Backlund 2021-08-08 19:47:27 CEST
Closing this as we have 6.2.60 in Mga8 release, and Mga infra is fixed

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 27 David Walser 2021-08-08 20:29:23 CEST
Changing to OLD since we never pushed the update to Mageia 7 core/updates.

Resolution: FIXED => OLD

