[Pkg-sympa-devel] Debian RT: sympa / CVE-2012-2352

Emmanuel Bouthenot kolter at openics.org
Sun May 20 15:14:44 UTC 2012


Hi Security Team,

About CVE-2012-2352[1]

Some days ago a bug report was opened[2] about a security issue in
sympa (all the versions present in Debian are affected):
 - stable: 6.0.1+dfsg-4
 - unstable/wheezy: 6.1.7~dfsg-2
 - backports: 6.1.4~dfsg-1~bpo60+1

Upstream developers have released sympa 6.1.11 with the fix, and they
have also fixed this issue in the 6.0 branch[3].

Yesterday, I've uploaded sympa 6.1.11~dfsg-1 into unstable with urgency=high
and I started to work on a fix for sympa 6.0.1.

While testing the fix on sympa 6.0.1, I noticed that the fix provided by
the upstream developers was not complete and still permits bypassing the
authorization mechanisms.

I've definitely fixed the security issue and I'm ready to upload to
stable-security if you are ok.

(In the meantime, I've also uploaded 6.1.11~dfsg-2 in unstable with this
new fix)

Attached is the diff between 6.0.1+dfsg-4 and 6.0.1+dfsg-4+squeeze1,
all the changes are tracked in the 'debian/squeeze' branch[4] of sympa on
git.debian.org.

Here is a draft for the security bulletin
--8<-----------------------------------------------
Package        : sympa
Vulnerability  : authorization mechanisms bypass
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2352
Debian Bug     : 672893

Several vulnerabilities have been discovered in Sympa archive management
that allow the scenario-based authorization mechanisms to be skipped. This
breach allows unauthorized users to display the archives management page
and to download and delete the list's archives.

For the stable distribution (squeeze), this problem has been fixed in
version 6.0.1+dfsg-4+squeeze1.

For the testing distribution (wheezy), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 6.1.11~dfsg-2.

----------------------------------------------->8--

Don't hesitate to contact me if I forgot something or if you need more
information.


Regards,

[1] http://security-tracker.debian.org/tracker/CVE-2012-2352
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672893
[3] https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358
[4] http://anonscm.debian.org/gitweb/?p=collab-maint/sympa.git;a=shortlog;h=refs/heads/debian/squeeze

-- 
Emmanuel Bouthenot
  mail: kolter@{openics,debian}.org    gpg: 4096R/0x929D42C3
  xmpp: kolter at im.openics.org          irc: kolter@{freenode,oftc}

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sympa_6.0.1_fix_CVE-2012-2352.diff
Type: text/x-diff
Size: 3484 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-sympa-devel/attachments/20120520/ef7a9009/attachment.diff>
