CVE-2020-26932

NameCVE-2020-26932
Descriptiondebian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2401-1, DSA-4818-1
Debian Bugs971904

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sympa (PTS)jessie, jessie (lts)6.1.23~dfsg-2+deb8u3vulnerable
stretch (security), stretch (lts), stretch6.2.16~dfsg-3+deb9u5fixed
buster (security), buster, buster (lts)6.2.40~dfsg-1+deb10u1fixed
bullseye6.2.60~dfsg-4fixed
bookworm6.2.70~dfsg-2fixed
sid, trixie6.2.72~dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sympasourcejessie(unfixed)end-of-life
sympasourcestretch6.2.16~dfsg-3+deb9u3DLA-2401-1
sympasourcebuster6.2.40~dfsg-1+deb10u1DSA-4818-1
sympasource(unstable)6.2.40~dfsg-7971904

Notes

Debian specific issue where sympa_newaliases-wrapper had loose permissions
(already suid root and word-executable) allowing to gain root privileges
without first to escalate to sympa user.
https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1

Search for package or bug name: Reporting problems