Bug 5939 - sympa: Security breaches in archives management (CVE-2012-2352)
Summary: sympa: Security breaches in archives management (CVE-2012-2352)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/498073/
Whiteboard: MGA1TOO, MGA1-32-OK mga1-64-OK mga2-6...
Keywords: validated_update
Depends on: 2317
Blocks:
Reported: 2012-05-16 16:05 CEST by Nicolas Vigier
Modified: 2014-05-08 18:05 CEST

See Also:
Source RPM: sympa
CVE:
Status comment:


Attachments
Portion of /var/log/httpd/error_log (6.40 KB, text/plain)
2012-07-07 03:20 CEST, Dave Hodgins

Description Nicolas Vigier 2012-05-16 16:05:41 CEST
Sympa package has been updated to fix security breaches in archives management:
https://www.sympa.org/security_advisories#security_breaches_in_archives_management

An updated package is available in core/updates_testing for Mageia 1.
Comment 1 Dave Hodgins 2012-05-18 00:30:06 CEST
Found out the hard way, that if you install the sympa package, and reboot
before you've setup the database, etc, it will hang during startup,
preventing login, if you're using run level 3.  If you're using 5, you
can kill the processes.

After running the configuration wizard, and creating the db using
mysql -p </usr/share/sympa/bin/create_db.mysql
and installing sympa-www, trying to access http://localhost/sympa I get
an error "Can't locate CGI/Fast.pm" in /var/log/httpd/error_log.

After installing perl-CGI-Fast, and restarting httpd, I'm getting
another error ...
[Thu May 17 18:23:40 2012] [error] [client 127.0.0.1] FastCGI: comm with (dynamic) server "/usr/lib/sympa/cgi/wwsympa-wrapper.fcgi" aborted: (first read) idle timeout (30 sec)
[Thu May 17 18:23:40 2012] [error] [client 127.0.0.1] FastCGI: incomplete headers (0 bytes) received from server "/usr/lib/sympa/cgi/wwsympa-wrapper.fcgi"

So there's at least a missing dependency for perl-CGI-Fast.

I'll see if I can figure out what's causing the latest error.

CC: (none) => davidwhodgins

Comment 2 Dave Hodgins 2012-05-18 03:21:46 CEST
Figured it out.  For some reason granting permissions on the
database to sympa@% doesn't work.  Had to grant the database
permissions to sympa@localhost.

Successfully created a mailing list.  Once the requires for
perl-CGI-Fast has been added, I'll retest.
Comment 3 David Walser 2012-05-21 20:52:26 CEST
Cauldron/Mageia 2 is also vulnerable to this, as pointed out by Guillaume Rousse on the -dev list.

Debian has issued an advisory for this on May 20:
http://www.debian.org/security/2012/dsa-2477

URL: (none) => http://lwn.net/Vulnerabilities/498073/
CC: (none) => guillomovitch, luigiwalser
Summary: sympa: Security breaches in archives management => sympa: Security breaches in archives management (CVE-2012-2352)

David Walser 2012-05-28 00:28:42 CEST

CC: (none) => boklm

Comment 4 David Walser 2012-05-28 00:29:25 CEST
Nicolas, could you submit an update for Mageia 2 as well?
Comment 5 David Walser 2012-06-14 20:41:08 CEST
Assigning back to Nicolas so this can be fixed in Mageia 2.

CC: (none) => qa-bugs
Version: 1 => 2
Assignee: qa-bugs => boklm
Whiteboard: (none) => MGA1TOO

Comment 6 Guillaume Rousse 2012-07-05 14:30:24 CEST
I just submitted the following packages to updates_testing:
sympa-6.1.9-2.1.mga2 for mageia 2
sympa-6.1.4-2.2.mga1 for mageia 1

Both fix the security issue, and have an additional soft dependency (suggest) on CGI::Fast perl module. BTW, a missing dependency should not be considered a blocking issue as it can be easily fixed by the end user. Especially for a security update, as he has probably already done it.
Comment 7 claire robinson 2012-07-05 14:48:25 CEST
We shouldn't rely on our users fixing packaging errors.

Missing dependencies are a very simple, quick fix.

That is not common sense or good QA.
Comment 8 Guillaume Rousse 2012-07-05 15:00:40 CEST
And once again, you're adding additional constraints for *security* updates. This problem could have been fixed a month ago already, while the other issue could eventually have been dealt with later, starting with the development branch. BTW, we're discussing a non-mandatory dependency here...

This lack of discrimination between immediate issues that must be handled immediately, and issues that should be handled later, is the main cause of the current update congestion.
Comment 9 claire robinson 2012-07-05 15:08:08 CEST
Security updates are often the first time QA get their hands on packages.

The speed of the fix is really dependent on the packager, not the QA team. You're right though, it could have been completed quickly.

I would imagine, to a user trying to get the package to run that the fact it doesn't work is an immediate problem, wouldn't you?
Comment 10 David Walser 2012-07-05 15:09:17 CEST
Thanks Guillaume.

Guillaume has previously fixed this in Cauldron as well.  The suggest on
CGI::Fast has been added to the package, so the dependencies should be OK.  I
think the main purpose in pointing out that it's been added is that this will
require depcheck.

Advisory:
========================

Updated sympa packages fix security vulnerability:

The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in
in Sympa before 6.1.11 does not check permissions, which allows remote
attackers to list, read, and delete arbitrary list archives via
vectors related to the (1) do_arc_manage, (2) do_arc_download, or
(3) do_arc_delete functions (CVE-2012-2352).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2352
https://www.sympa.org/security_advisories#security_breaches_in_archives_management
http://www.debian.org/security/2012/dsa-2477
========================

Updated packages in core/updates_testing:
========================
sympa-6.1.4-2.2.mga1
sympa-www-6.1.4-2.2.mga1
sympa-6.1.9-2.1.mga2
sympa-www-6.1.9-2.1.mga2

from SRPMS:
sympa-6.1.4-2.2.mga1.src.rpm
sympa-6.1.9-2.1.mga2.src.rpm

CC: qa-bugs => (none)
Depends on: (none) => 2317
Assignee: boklm => qa-bugs
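
The bug class in this advisory, three handlers reachable without a permission check, is shown here as a toy dispatcher with the unchecked form beside a deny-by-default one. This is an added illustration, not Sympa's source and not part of the original comment; only the do_arc_* names come from the advisory, while the role names, the policy table and the sample data are assumptions.

```python
# Toy model of the bug class in the advisory; not Sympa source code.
# Only the do_arc_* names come from the advisory, the rest is hypothetical.

def do_arc_manage(store, lst):
    return sorted(store[lst])          # list the archive months

def do_arc_download(store, lst):
    return dict(store[lst])            # read the archive contents

def do_arc_delete(store, lst):
    store[lst].clear()                 # delete the archives
    return "deleted"

HANDLERS = {
    "arc_manage": do_arc_manage,
    "arc_download": do_arc_download,
    "arc_delete": do_arc_delete,
}

# Assumed policy: archive management is reserved to list owners and listmasters.
REQUIRED_ROLES = {
    "arc_manage": {"owner", "listmaster"},
    "arc_download": {"owner", "listmaster"},
    "arc_delete": {"owner", "listmaster"},
}


def dispatch_unchecked(action, store, lst, roles):
    """Behaviour the advisory describes: the caller's roles are never consulted."""
    return HANDLERS[action](store, lst)


def dispatch_checked(action, store, lst, roles, policy=REQUIRED_ROLES):
    """Deny by default: an action without a policy entry is refused for everyone."""
    allowed = policy.get(action)
    if not allowed:
        raise PermissionError(f"{action}: no policy entry, refusing")
    if not allowed & set(roles):
        raise PermissionError(f"{action}: requires one of {sorted(allowed)}")
    return HANDLERS[action](store, lst)


def uncovered_actions(handlers=HANDLERS, policy=REQUIRED_ROLES):
    """Regression check: handlers that have no policy entry at all."""
    return sorted(a for a in handlers if not policy.get(a))


def sample_store():
    # Constructed data standing in for one list's archives.
    return {"staff": {"2012-04": "mail...", "2012-05": "mail..."}}
```

Running uncovered_actions() in a test suite turns a forgotten permission entry into a failing build rather than a reachable handler.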

Comment 11 David Walser 2012-07-05 15:09:53 CEST
Just for the record, QA couldn't have pushed this a month ago as the update for Mageia 2 hadn't been built.
Comment 12 claire robinson 2012-07-05 15:11:41 CEST
The main cause of the current 'congestion' as you put it is a lack of volunteers and time being lost to simple fixes like this. QA workload has doubled since the release of Mageia 2 as most updates need testing on both releases.

If you wish to be part of the solution it would be welcomed, but please don't become part of the problem.
Comment 13 Nicolas Vigier 2012-07-05 22:52:17 CEST
(In reply to comment #7)
> We shouldn't rely on our users fixing packaging errors.
> 
> Missing dependencies are a very simple, quick fix.

Missing dependencies are not necessarily a very simple quick fix. New dependencies should be added in updates carefully.

In this case I think the dependency shouldn't have been added. Sympa can be used without perl-CGI-Fast. If someone is using sympa without perl-CGI-Fast, he will unexpectedly get perl-CGI-Fast installed on his system as part of the update, which can create some problems. The new suggest can be added on Cauldron, because users should expect this kind of change when upgrading to a new release. But I don't think stable release updates should have this kind of change.
Comment 14 Nicolas Vigier 2012-07-05 23:11:28 CEST
(In reply to comment #9)
> Security updates are often the first time QA get their hands on packages.
> 
> The speed of the fix is really dependent on the packager, not the QA team.
> You're right though, it could have been completed quickly.

Packager may have other time constraints, or more urgent things to do than fix a minor bug. We can ask packagers to make an effort to try to fix security issues quickly, to reduce the time users will have a vulnerable system. But this should be limited to security issues or other major problems. We cannot ask that any minor issue is fixed quickly, or nobody will want to be maintainer of any package.
Comment 15 Dave Hodgins 2012-07-06 00:12:10 CEST
Confirming the suggests has been added as shown by comparing
urpmq --suggests --media "Core Updates Testing (distrib5)" sympa-www
urpmq --suggests --media "Core Release (distrib1)" sympa-www

$ urpmq --whatprovides 'perl(CGI::Fast)'
perl-CGI-Fast 

Our depcheck script doesn't currently handle suggests, so checking manually,
it looks like perl-CGI-Fast is the only module that will have to be
linked for bug 2317, as all of its requires are either in updates, or
basesystem-minimal.

In reply to comment 13, without perl-CGI-Fast installed, going to
http://localhost/sympa shows ...
Server error!
 The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script. 
 If you think this is a server error, please contact the webmaster. 
Error 500

so sympa-www is not usable without the perl-CGI-Fast package.
With the perl-CGI-Fast package installed, it works.  When the basic
function of a package is found to be broken, I think it's reasonable
for qa to require the package to be fixed.  Security update or not.

Testing complete on Mageia 1 i586.  I'll test Mageia 2 i586 shortly.

During the testing of Mageia 2 i586, I'll confirm whether or not installing
the update using mgaapplet will try to install perl-CGI-Fast.

Whiteboard: MGA1TOO => MGA1TOO, MGA1-32-OK

Comment 16 Nicolas Vigier 2012-07-06 00:23:12 CEST
sympa-www can be used without fast cgi, it just needs to be disabled in the configuration.
Comment 17 David Walser 2012-07-06 00:35:23 CEST
Hence it's a suggest rather than a require, as it's used in the default configuration.  Our packages are supposed to be functional out of the box.
Comment 18 Dave Hodgins 2012-07-06 01:32:29 CEST
(In reply to comment #16)
> sympa-www can be used without fast cgi, it just needs to be disabled in the
> configuration.

I missed that when I ran the wizard.  Thanks for pointing it out.  That makes it
clear why it's not a requires, although I dislike having it default to trying to
use it if it isn't installed.

On Mageia 2, I'm having a problem.

I installed task-lamp, phpmyadmin, sympa and sympa-www.  After installing the
update using mgaapplet, I manually installed perl-CGI-Fast.

Got the database setup ok, but when I go to http://localhost/sympa, it's giving me
the file /usr/lib/sympa/cgi/wwsympa-wrapper.fcgi to download, instead of running
it.  I compared the cgi packages I have installed in Mageia 2 vs 1, and then
installed apache-mod_fcgid.  Still getting the file as a download.

I'll see if I can figure out what's missing.
Comment 19 Dave Hodgins 2012-07-06 05:19:00 CEST
This one is driving me blind.  https://127.0.0.1/cgi-bin//test.cgi works fine.
/etc/httpd/conf/httpd.conf is identical between the releases, as are
/etc/httpd/conf/webapps.d/sympa.conf and all of the directory and file
permissions under /usr/lib/sympa.
Comment 20 Dave Hodgins 2012-07-07 03:20:04 CEST
Created attachment 2528
Portion of /var/log/httpd/error_log

As shown in this extract from the error log, there are now errors with
Insecure dependency in eval while running setuid followed by
a segmentation fault.

This is on Mageia 2 i586.
Comment 21 David Walser 2012-07-07 03:26:29 CEST
According to this Debian bug, these kinds of errors were fixed upstream in 6.1.11:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516164

Looking closer, the sympa changelog says it was actually fixed in 6.1.8 with:
https://sourcesup.cru.fr/scm/viewvc.php?view=revision&root=sympa&revision=7215

Also, Debian recently added a suggests on apache-mod_suexec to sympa.  Maybe we should set it up by default to use that, as explained here:
http://www.sympa.org/manual/web-interface#web_server_setup

Here's Debian's GIT for the sympa package:
http://anonscm.debian.org/gitweb/?p=collab-maint/sympa.git;a=summary
Comment 22 Dave Hodgins 2012-07-07 03:29:54 CEST
I've also filed bug 6714 for the problem referred to in comment 19.
Dave Hodgins 2012-07-07 03:31:02 CEST

Depends on: (none) => 6714

David Walser 2012-07-07 03:36:02 CEST

Depends on: 6714 => (none)

Comment 23 David Walser 2012-07-07 04:09:08 CEST
Oh, we have 6.1.9 and still have the Template.pm problem, I guess it was fixed in another change between then and 6.1.11.
Comment 24 Dave Hodgins 2012-07-08 02:01:17 CEST
Looks like we still need 64 bit testing on Mageia 1.

Once that's done, I think we should go ahead and push the
Mageia 1 update.

The Mageia 1 update is to 6.1.4-2.2.mga1.
     The Mageia 2 Core is 6.1.9-2.mga2
so it won't interfere with upgrading.
Comment 25 Samuel Verschelde 2012-07-08 16:01:31 CEST
I can test on Mageia 1 64 bits but I'd need a detailed procedure. I tried to setup sympa doing the following :
- install sympa and sympa-www
- install and start  mysql
- mysql </usr/share/sympa/bin/create_db.mysql
- install and start  apache
- install and start postfix (no configuration made to it)
- go to http://localhost/sympa

=> I got a sympa web interface but the first link I tried gave me errors and then http://localhost/sympa would not give me the sympa interface anymore, only a 500 HTTP error.

Apache logs contain:

[Sun Jul 08 16:00:36 2012] [error] [client 127.0.0.1] FastCGI: server "/usr/lib64/sympa/cgi/wwsympa-wrapper.fcgi" stderr: Undefined subroutine &main::get_random called at /usr/lib64/sympa/cgi/wwsympa.fcgi line 1129.
[Sun Jul 08 16:00:36 2012] [error] [client 127.0.0.1] FastCGI: server "/usr/lib64/sympa/cgi/wwsympa-wrapper.fcgi" stderr: Undefined subroutine &main::get_random called at /usr/lib64/sympa/cgi/wwsympa.fcgi line 1129.
[Sun Jul 08 16:00:36 2012] [error] [client 127.0.0.1] FastCGI: incomplete headers (0 bytes) received from server "/usr/lib64/sympa/cgi/wwsympa-wrapper.fcgi"
[Sun Jul 08 16:00:36 2012] [warn] FastCGI: (dynamic) server "/usr/lib64/sympa/cgi/wwsympa-wrapper.fcgi" (pid 13787) termination signaled
[Sun Jul 08 16:00:36 2012] [warn] FastCGI: (dynamic) server "/usr/lib64/sympa/cgi/wwsympa-wrapper.fcgi" (pid 13787) terminated due to uncaught signal '15' (Terminated)
[Sun Jul 08 16:00:36 2012] [warn] FastCGI: (dynamic) server "/usr/lib64/sympa/cgi/wwsympa-wrapper.fcgi" (pid 13405) terminated by calling exit with status '255'

CC: (none) => stormi

Comment 26 Dave Hodgins 2012-07-09 00:33:28 CEST
(In reply to comment #25)
> I can test on Mageia 1 64 bits but I'd need a detailed procedure. I tried to
> setup sympa doing the following :
> - install sympa and sympa-www
> - install and start  mysql
> - mysql </usr/share/sympa/bin/create_db.mysql
> - install and start  apache
> - install and start postfix (no configuration made to it)
> - go to http://localhost/sympa

Configuration for postfix
- edit /etc/postfix/aliases
  Near the end of the file, there's an alias for root, that by default is
  set to postfix.  Change it to your login id.
- run the commands "newaliases && service postfix restart".

Configuration for sympa
As per /usr/share/doc/sympa/README.urpmi run the command sympa_wizard.pl
The answers to that script will update /etc/sympa/sympa.conf

When running the script, there will be several questions relating to email
addresses.  You can either specify a valid email address, or accept the
defaults, in which case you'll need to add additional aliases in postfix,
sympa-request:  root
listmaster:     root
or create ids such as listmaster.

For the mysql user and password, I recommend keeping the default user name
of sympa, and setting a password for it.

You'll need to create the user, and give it permissions on the sympa database.
The easiest way, in my opinion to do that, is using phpmyadmin.  I can give
more details on that, if you're not familiar with phpmyadmin.
Comment 27 Guillaume Rousse 2012-07-10 22:47:53 CEST
I just submitted sympa-6.1.9-2.2.mga2 to update_testing with an additional upstream patch fixing the segfault occurring with perl 5.14.2

Additional quick testing notes:
- don't bother with a mail server for testing the web interface
- don't bother to use a specific mysql user for the database, use root user directly, without password
Comment 28 David Walser 2012-07-10 23:06:29 CEST
Thanks Guillaume!

New packages uploaded for Mageia 2:
sympa-6.1.9-2.2.mga2
sympa-www-6.1.9-2.2.mga2

from sympa-6.1.9-2.2.mga2.src.rpm
Comment 29 David Walser 2012-07-10 23:07:57 CEST
Updating the advisory.

Advisory:
========================

Updated sympa packages fix security vulnerability:

The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in
in Sympa before 6.1.11 does not check permissions, which allows remote
attackers to list, read, and delete arbitrary list archives via
vectors related to the (1) do_arc_manage, (2) do_arc_download, or
(3) do_arc_delete functions (CVE-2012-2352).

Additionally, a segfault occurring with perl 5.14.2 has been fixed on
Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2352
https://www.sympa.org/security_advisories#security_breaches_in_archives_management
http://www.debian.org/security/2012/dsa-2477
========================

Updated packages in core/updates_testing:
========================
sympa-6.1.4-2.2.mga1
sympa-www-6.1.4-2.2.mga1
sympa-6.1.9-2.2.mga2
sympa-www-6.1.9-2.2.mga2

from SRPMS:
sympa-6.1.4-2.2.mga1.src.rpm
sympa-6.1.9-2.2.mga2.src.rpm
Comment 30 claire robinson 2012-07-11 13:59:18 CEST
Testing complete mga1 64

It takes a bit of configuring but managed to create a list and subscribed to it, receive emails from sympa etc.

Whiteboard: MGA1TOO, MGA1-32-OK => MGA1TOO, MGA1-32-OK mga1-64-OK

Comment 31 claire robinson 2012-07-11 15:59:12 CEST
Testing mga2 64

Experienced the same as Dave where it is downloading as a file instead of displaying in a browser, used update candidates from bug 6714 tho which cured it so not sympa related.

On both mga1 and mga2 there is a problem with the httpd aliases and allow/deny in /etc/httpd/conf/webapps.d/sympa.conf which have to be manually altered.

From /etc/httpd/conf/webapps.d/sympa.conf:

Alias /static-sympa /var/sympa/static_content

<Directory /var/sympa/static_content>


# grep static_content /etc/sympa/sympa.conf
static_content_path     /var/lib/sympa/static_content

# ll /var/sympa
ls: cannot access /var/sympa: No such file or directory

The Alias and Directory lines point to a non existent directory structure and have to be manually altered to /var/lib/sympa/static_content. Once they are, the web interface is accessible and sympa is usable.

Is that something you want to look at now Guillaume or rather have a separate bug for it?

Whiteboard: MGA1TOO, MGA1-32-OK mga1-64-OK => MGA1TOO, MGA1-32-OK mga1-64-OK mga2-64-OK
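
The mismatch described in this comment can be caught mechanically before a package is pushed. The following is an added example, not part of the original comment or of the sympa package: it compares static_content_path from sympa.conf with the Alias and <Directory> targets in the Apache snippet. The function names and the embedded sample files are constructed for illustration; the /static-sympa alias and both paths are the ones quoted above.

```python
import os
import re

# Constructed excerpts reproducing the lines quoted in the comment above.
SAMPLE_SYMPA_CONF = """\
## constructed excerpt of /etc/sympa/sympa.conf
static_content_path     /var/lib/sympa/static_content
"""
SAMPLE_HTTPD_CONF = """\
# constructed excerpt of /etc/httpd/conf/webapps.d/sympa.conf
Alias /static-sympa /var/sympa/static_content

<Directory /var/sympa/static_content>
</Directory>
"""


def sympa_setting(conf_text, key):
    """Return the value of a 'key value' line from sympa.conf, or None."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            return parts[1].strip()
    return None


def apache_paths(httpd_text, url_prefix):
    """Return (Alias target for url_prefix, list of <Directory> paths)."""
    alias_target, directories = None, []
    for line in httpd_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        block = re.match(r"<Directory\s+(.+?)\s*>$", line, re.IGNORECASE)
        words = line.split()
        if block:
            directories.append(block.group(1).strip('"'))
        elif len(words) == 3 and words[0].lower() == "alias" and words[1] == url_prefix:
            alias_target = words[2].strip('"')
    return alias_target, directories


def check(sympa_text, httpd_text, url_prefix="/static-sympa", exists=os.path.isdir):
    """Return a list of problems; an empty list means the two files agree."""
    expected = sympa_setting(sympa_text, "static_content_path")
    if expected is None:
        return ["static_content_path is not set in sympa.conf"]
    expected = os.path.normpath(expected)
    alias_target, directories = apache_paths(httpd_text, url_prefix)
    problems = []
    if alias_target is None:
        problems.append(f"no Alias for {url_prefix}")
    elif os.path.normpath(alias_target) != expected:
        problems.append(f"Alias {url_prefix} points to {alias_target}, "
                        f"but static_content_path is {expected}")
    if expected not in (os.path.normpath(d) for d in directories):
        problems.append(f"no <Directory {expected}> block covers the content")
    for path in sorted({p for p in [alias_target, *directories] if p}):
        if not exists(path):
            problems.append(f"{path} does not exist")
    return problems


if __name__ == "__main__":
    for problem in check(SAMPLE_SYMPA_CONF, SAMPLE_HTTPD_CONF):
        print("MISMATCH:", problem)
```

The <Directory> comparison matters as much as the Alias one: the allow/deny rules only apply to the path named in the block, so a stale path leaves the real content directory governed by whatever the server default is.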

Comment 32 claire robinson 2012-07-11 16:41:32 CEST
----------------------------------------
Running checks for "sympa-www" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is sympa-www-6.1.4-2.mga1
Latest version found in "Core Updates Testing" is sympa-www-6.1.4-2.2.mga1
----------------------------------------
The following packages will require linking:

perl-CGI-Fast-3.520.0-1.mga1 (Core 32bit Release)
perl-CGI-Fast-3.520.0-1.mga1 (Core Release)
----------------------------------------
Done.

----------------------------------------
Running checks for "sympa-www" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is sympa-www-6.1.9-2.mga2
Latest version found in "Core Updates Testing" is sympa-www-6.1.9-2.2.mga2
----------------------------------------
The following packages will require linking:

perl-CGI-Fast-3.590.0-2.mga2 (Core 32bit Release)
perl-CGI-Fast-3.590.0-2.mga2 (Core Release)
----------------------------------------
Done.
Comment 33 Dave Hodgins 2012-07-11 22:32:55 CEST
Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
sympa-6.1.9-2.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
sympa-6.1.4-2.2.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

The rpm package perl-CGI-Fast will also have to be linked from
Core Release to Core Updates for both Mageia 1 and 2.

Advisory: Updated sympa packages fix security vulnerability:

The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in
in Sympa before 6.1.11 does not check permissions, which allows remote
attackers to list, read, and delete arbitrary list archives via
vectors related to the (1) do_arc_manage, (2) do_arc_download, or
(3) do_arc_delete functions (CVE-2012-2352).

Additionally, a segfault occurring with perl 5.14.2 has been fixed on
Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2352
https://www.sympa.org/security_advisories#security_breaches_in_archives_management
http://www.debian.org/security/2012/dsa-2477

https://bugs.mageia.org/show_bug.cgi?id=5939

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO, MGA1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO, MGA1-32-OK mga1-64-OK mga2-64-OK MGA2-32-OK

Comment 34 Thomas Backlund 2012-07-11 23:02:08 CEST
Package linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0160

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:48 CEST

CC: boklm => (none)

