CVE-2020-26932: Restrict access to sympa_newaliases-wrapper (setuid root) to group sympa (!1) · Merge requests · Debian Sympa Team / sympa · GitLab
debian/sympa.postinst for the Debian Sympa package before 6.2.40~dfsg-7 uses mode 4755 for sympa_newaliases-wrapper, whereas the intended permissions are mode 4750 (for access by the sympa group)
Following https://security-tracker.debian.org/tracker/CVE-2020-10936 and upcoming issues from https://github.com/sympa-community/sympa/issues/943 , I suggest removing ‘other’ access to sympa_newaliases-wrapper which is setuid root, following upstream’s Makefile.
I plan to ship this shortly in a stretch (LTS) security update.
AFAICT with these new permissions the aliases are still generated correctly on list creation.
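The change under discussion is a one-digit difference in the wrapper's mode (4755 to 4750): dropping the "other" bits means a setuid-root binary is no longer executable by every local account, only by root and members of the group that owns it. The following script is an added example, not code from the Debian package or from upstream Sympa; it audits a file for the setuid-plus-world-access combination and applies the restricted mode. It assumes GNU coreutils (`stat -c`) and bash; the wrapper path and group name are parameters, and the demo runs on a constructed temporary file rather than the real `sympa_newaliases-wrapper`.

```bash
#!/usr/bin/env bash
# Added example (not from the Debian package or upstream Sympa): audit and
# tighten the permissions of a setuid-root wrapper so that only a named group
# may execute it, i.e. the 4755 -> 4750 change described in the merge request.
# Assumes GNU coreutils (stat -c) and bash; paths and group are parameters.
set -u

# Octal mode of a file, including the setuid/setgid/sticky digit, e.g. 4755.
file_mode() {
    stat -c '%a' "$1"
}

# Exit 0 when the file is setuid AND grants any permission to "other".
# That is the dangerous combination: every local user can run it as the owner.
world_accessible_setuid() {
    local mode
    mode=$(( 8#$(file_mode "$1") ))
    (( mode & 8#4000 )) && (( mode & 8#0007 ))
}

# Describe a wrapper's state in one line, for audit output.
audit_wrapper() {
    local path=$1
    if world_accessible_setuid "$path"; then
        echo "WARN $path mode $(file_mode "$path"): setuid and executable by everyone"
    else
        echo "OK   $path mode $(file_mode "$path")"
    fi
}

# Restrict the wrapper to root:<group> with mode 4750 (setuid, owner rwx,
# group r-x, nothing for others). Changing the owner needs root, so the
# chown step is skipped with a notice when run unprivileged.
harden_wrapper() {
    local path=$1 group=$2
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$group" "$path"
    else
        echo "note: not root, leaving owner/group of $path unchanged" >&2
    fi
    chmod 4750 "$path"
}

# Self-contained demo on a constructed temporary file standing in for the
# wrapper; the caller's primary group stands in for group "sympa".
demo() {
    local f
    f=$(mktemp)
    chmod 4755 "$f"              # the state the CVE describes
    audit_wrapper "$f"
    harden_wrapper "$f" "$(id -gn)"
    audit_wrapper "$f"
    rm -f "$f"
}

demo
```

Running the demo prints a WARN line for the 4755 file and an OK line after hardening. On a real system the same audit can be pointed at the installed wrapper path, and the hardening step must run as root so that the file ends up owned by root with group sympa, otherwise mode 4750 grants access to whatever group currently owns the file.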