One possible vulnerability you document in your patch, allowing *->root escalation, is passing an alternate configuration file to sympa_newaliases-wrapper.
However, sympa_newaliases.pl has an old bug, as it uses $main::options{config} which is undefined (unlike $options{config}), so it's not exploitable as it is AFAICS (though this would be better dropped entirely).
sympa_newaliases.pl, which is run through a setuid root wrapper, has a feature to read an arbitrary configuration file. Given that the configuration file is parsed as root, and can execute arbitrary commands through its backticks syntax, this would allow a privilege escalation.
In a standard installation, this would allow an unintentional privilege escalation from sympa to full root shell access.
Fortunately the feature has been broken for years. For clarity and to avoid introducing this later, I would suggest dropping the -f/--config option from sympa_newaliases.pl.
Version
any
Installation method
any
Expected behavior
vulnerable dead code dropped
Actual behavior
vulnerable dead code present
Additional information
Following up on #943 (comment)
Credit goes to @lightsey.
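Why the `--config` value never takes effect, as an added example that is not Sympa's code. It assumes the option hash is a lexical (`my %options`) filled by Getopt::Long; the option spec, the sample command line and both paths are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Long qw(GetOptionsFromArray);

# Constructed command line: the caller asks for an alternate config file.
my @argv = ('--config', '/tmp/alternate.conf');

# Assumption: the option hash is lexical, so it lives in this file's scope
# and not in the package symbol table.
my %options;
GetOptionsFromArray(\@argv, \%options, 'config|f=s')
    or die "bad options\n";

# Pick the requested path when it is defined, otherwise the default.
sub config_path {
    my ($requested, $default) = @_;
    return defined $requested ? $requested : $default;
}

# Placeholder, not the real default location.
my $default = '<default sympa.conf path>';

# Lookup through the lexical hash: sees the caller-supplied value.
my $via_lexical = config_path($options{config}, $default);

# Lookup through %main::options: a separate package hash that nothing
# ever wrote to, so the element is undef and the default wins.
my $via_package = config_path($main::options{config}, $default);

print "lexical lookup: $via_lexical\n";
print "package lookup: $via_package\n";

# The option is dead only because of the wrong variable name. A cleanup
# that "fixes" the lookup would hand a caller-chosen file to code that
# runs as root, which is why removing the option is the safer change.
```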