[Pkg-sympa-commits] [SCM] sympa Debian packaging branch, debian/squeeze, updated. debian/6.0.1+dfsg-4-2-g4aaa0bf

Emmanuel Bouthenot kolter at openics.org
Sun May 20 14:07:28 UTC 2012


The following commit has been merged in the debian/squeeze branch:
commit c6b77bd7af28f14a02ac267bc761add43227f06d
Author: Emmanuel Bouthenot <kolter at openics.org>
Date:   Sun May 20 14:06:25 2012 +0000

    Fix CVE-2012-2352: Possibility to bypass the authorization mechanisms in the archive management page of wwsympa (#672893)

diff --git a/debian/patches/2006_fix_CVE-2012-2352.patch b/debian/patches/2006_fix_CVE-2012-2352.patch
new file mode 100644
index 0000000..cc666af
--- /dev/null
+++ b/debian/patches/2006_fix_CVE-2012-2352.patch
@@ -0,0 +1,68 @@
+Description: Fix possibility to bypass the authorization mechanisms in the
+ archive management page of wwsympa
+Author: Emmanuel Bouthenot <kolter at debian.org>
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/672893
+Last-Update: 2012-05-19
+--- a/wwsympa/wwsympa.fcgi.in
++++ b/wwsympa/wwsympa.fcgi.in
+@@ -557,7 +557,9 @@
+ ## Defines the required privileges to access privileged actions
+ ## You can define a set ofequiivalent privileges in the ARRAYREF
+ my %required_privileges = ('admin' => ['owner','editor'],
++			   'arc_delete' => ['owner'],
+ 			   'arc_download' => ['owner'],
++			   'arc_manage' => ['owner'],
+ 			   'blacklist' => ['owner','editor'],
+ 			   'close_list' => ['privileged_owner'],
+ 			   'close_list_request' => ['privileged_owner'],
+@@ -2205,6 +2207,7 @@
+ 	  &wwslog('info',"missing parameter '$arg_name'");
+ 	  &web_db_log({'status' => 'error',
+ 		       'error_type' => 'missing_parameter'});
++	  delete $param->{'list'};
+ 	  return undef;
+ 	}
+       }
+@@ -2226,6 +2229,7 @@
+       &wwslog('info','authorization failed, insufficient privileges');
+       &web_db_log({'status' => 'error',
+ 		   'error_type' => 'authorization'});		      
++      delete $param->{'list'};
+       return undef;
+     }
+   }
+@@ -15956,6 +15960,9 @@
+ sub do_arc_manage {
+     &wwslog('info', "do_arc_manage ($in{'list'})");
+ 
++    ## Access control
++    return undef unless (defined &check_authz('do_arc', 'web_archive.access'));
++
+     my $search_base = $wwsconf->{'arc_path'}.'/'.$list->get_list_id();
+     opendir ARC, "$search_base";
+     foreach my $dir (sort {$b cmp $a} grep(!/^\./,readdir ARC)) {
+@@ -15972,7 +15979,10 @@
+ sub do_arc_download {
+     
+     &wwslog('info', "do_arc_download ($in{'list'})");
+-    
++
++    ## Access control
++    return undef unless (defined &check_authz('do_arc', 'web_archive.access'));
++
+     ##zip file name:listname_archives.zip  
+     my $zip_file_name = $in{'list'}.'_archives.zip';
+     my $zip_abs_file = $Conf{'tmpdir'}.'/'.$zip_file_name;
+@@ -16072,7 +16082,10 @@
+     my @abs_dirs;
+     
+     &wwslog('info', "do_arc_delete ($in{'list'})");
+-    
++
++    ## Access control
++    return undef unless (defined &check_authz('do_arc', 'web_archive.access'));
++
+     unless (defined  $in{'directories'}){
+       	&report::reject_report_web('user','select_month',{},$param->{'action'});
+ 	&wwslog('info','No Archives months selected');
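Review bot: The three guards added in do_arc_manage, do_arc_download and do_arc_delete (L59, L71, L83) evaluate the archive read scenario, `check_authz('do_arc', 'web_archive.access')`, so on their own they pass for any caller who may read the archive; the owner-only restriction for these actions comes from the new `'arc_delete'`/`'arc_manage'` entries in %required_privileges (L32, L34), which the code around L38–L53 appears to enforce before the action sub runs. That split is not visible from the subs themselves, so the bare `## Access control` comment should say so, e.g. `## Access control: archive read scenario (same as do_arc); owner-only restriction is enforced earlier via %required_privileges`, in all three places. The two `delete $param->{'list'};` lines (L42, L50) would also benefit from a one-line comment stating why the list is dropped from $param on a failed check — presumably so that whatever is rendered afterwards does not carry list-scoped data, but that intent is not stated. All three do_arc_* subs start or end outside this hunk, and the unchecked `opendir ARC, "$search_base"` at L62 is pre-existing context rather than part of this change.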
diff --git a/debian/patches/series b/debian/patches/series
index 745da08..a314a50 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@
 2004_pg_create_db.patch
 1010_sqlite_upgrade.patch
 2005_disable_build_non_dfsg_po_files.patch
+2006_fix_CVE-2012-2352.patch



