#972114 sympa: CVE-2020-26880

Package: src:sympa
Source: sympa
Submitter: Salvatore Bonaccorso
Date: 2021-04-26 17:22:02 UTC
Severity: important

#972114#5
Date: 2020-10-12 20:09:41 UTC

Hi,

The following vulnerability was published for sympa, but this is
mainly for having a tracking bug in Debian.

CVE-2020-26880[0]:
| Sympa through 6.2.57b.2 allows a local privilege escalation from the
| sympa user account to full root access by modifying the sympa.conf
| configuration file (which is owned by sympa) and parsing it through
| the setuid sympa_newaliases-wrapper executable.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26880
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26880
[1] https://github.com/sympa-community/sympa/issues/1009

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#972114#14
Date: 2020-11-05 14:19:39 UTC

Hi,

@racke, following your work at
https://github.com/sympa-community/sympa/pull/1015
it seems we'd need a new debconf question to ask the user whether they
want the setuid wrapper to be activated or not.

This could be added even before the pull request is merged I think, as
toggling the setuid bit on the wrapper is equivalent to introducing
'alias_wrapper' + setting it to 'off' + removing the wrapper (IIUC).

What do you think?

If you're OK with this direction I can provide a patch, which I'll
probably backport to stretch to mitigate this vulnerability
(aka fix it for every MTA but sendmail AFAICS)

Cheers!
Sylvain Beucler
Debian LTS Team

#972114#19
Date: 2020-11-05 14:29:27 UTC

Yes, good idea. But it would make sense to add some more documentation and maybe we can also ask about the mail server
in use. E.g. with Exim you don't need to run the alias command at all.

My plan was to release 6.2.58 with that patch, as it is a no-op unless you turn alias_wrapper off.

Regards
Racke

#972114#24
Date: 2020-11-07 20:18:32 UTC

Hi Stefan,

I implemented conditional setuid for sympa_newaliases-wrapper at
https://salsa.debian.org/sympa-team/sympa/-/merge_requests/2
explaining the situation in the debconf question as well as pointing to
'aliases_program'.

Let me know if that's OK with you and I'll backport it for stretch.

Cheers!
Sylvain Beucler
Debian LTS Team

#972114#29
Date: 2021-01-05 09:13:54 UTC

Hi,

Following user questions, here's my understanding of the current situation:

- The issue is partially fixed in Debian by optionally not setting the
setuid permissions (debconf question), and setting 'aliases_program' to
a method that does not require root (postmap/postalias for Postfix,
/bin/true for Exim4, etc.).

- Likewise, the issue is partially fixed in upstream dev through
   ./configure --disable-setuid_newaliases --disable-setuid

- The issue will be completely fixed once all MTAs are supported, in
particular sendmail which requires calling 'newaliases' as root. This
could be done e.g. setuid-wrapping not sympa but just the 'newaliases'
command, or dropping support for root 'newaliases' entirely.

- Upstream tracks this issue at
https://github.com/sympa-community/sympa/issues/1009
   Discuss the issue there in priority.

Cheers!
Sylvain
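A small audit script for the situation summarised in this thread, added here as an example and not code from the Debian package or upstream Sympa: it reads `aliases_program` and `alias_wrapper` (the parameter named in the pull request above) from a Sympa-style `key value` config and reports whether `sympa_newaliases-wrapper` still carries the setuid bit. The config and wrapper paths are arguments (assumed, not taken from the page) so it can be run against a test copy.

```shell
#!/bin/sh
# Added audit helper, not code from Debian or upstream Sympa.
# Reports whether the CVE-2020-26880 precondition is present:
# sympa_newaliases-wrapper is setuid while it parses sympa.conf,
# which is owned by the sympa account. Paths are arguments so the
# check can be run on a test copy.

# conf_value CONF KEY: print KEY's value from a Sympa "key value"
# config, or "(unset)" if absent. Comment lines ('#...') never match.
conf_value() {
    awk -v key="$2" '
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "(unset)" }' "$1"
}

# check_wrapper CONF WRAPPER: return 0 when mitigated, 1 when exposed.
check_wrapper() {
    conf="$1"
    wrapper="$2"
    prog=$(conf_value "$conf" aliases_program)
    aw=$(conf_value "$conf" alias_wrapper)

    if [ ! -e "$wrapper" ]; then
        echo "OK: $wrapper absent (aliases_program=$prog)"
        return 0
    fi
    if [ -u "$wrapper" ]; then
        # A setuid wrapper parses the sympa-owned config no matter what
        # alias_wrapper says, so the sympa account can still escalate.
        echo "EXPOSED: $wrapper is setuid (alias_wrapper=$aw, aliases_program=$prog)"
        return 1
    fi
    if [ "$prog" = newaliases ]; then
        # Per the thread, sendmail's newaliases needs root: without the
        # setuid bit alias updates fail instead of escalating.
        echo "OK: $wrapper not setuid; aliases_program=newaliases needs root"
    else
        echo "OK: $wrapper not setuid (aliases_program=$prog)"
    fi
    return 0
}

# Usage: check.sh /path/to/sympa.conf /path/to/sympa_newaliases-wrapper
if [ "$#" -eq 2 ]; then
    check_wrapper "$1" "$2"
fi
```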