[Pkg-mailman-hackers] Re: Bug#244181: CAN-2004-0182: DoSsable through message with an empty subject field

Matt Zimmerman mdz@debian.org
Mon, 19 Apr 2004 08:39:50 -0700


On Mon, Apr 19, 2004 at 01:59:25PM +0200, Siggy Brentrup wrote:

> If you choose not to upload -1woody9, please drop me a note that I can
> close #244181 by other means.

I will not be uploading a -1woody9 because this bug was fixed in -1woody8
(DSA 436-2).

> Looking into the diff of upstream 2.0.14 against our 2.0.11:
> 
>  - some 15 cgi.escape(s) calls are replaced by Utils.QuoteHyperChars(s)
>    which additionally escapes the double quote character; this may or
>    may not be security relevant.

If the resulting strings are used to substitute into HTML attribute values
enclosed in double quotes, then this would allow characters to be inserted
into the HTML instead.  However, since HTML metacharacters are already
escaped by cgi.escape, I don't see any immediate way to do harm.

> Summarizing: 2.0.14 is mostly a bugfix release, no new features have
> been introduced.

If you feel that any of these features justify an update for all woody
users, you can make an upload to proposed-updates.  Please do not upload a
2.0.14-* version, though, as this would interfere with future security
updates.  Instead, you would create a 2.0.14-1woody9 (or -2 if you didn't
use it already) and backport the changes you want.

-- 
 - mdz
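
Added example, not part of the original message and not Mailman's code: it shows the difference discussed above when a value is substituted into a double-quoted HTML attribute. It assumes Python 3's html.escape(s, quote=False) as a stand-in for the default cgi.escape(s), a model of Utils.QuoteHyperChars based only on the thread's description (same escaping plus the double quote), and a hypothetical template and sample input.

```python
from html import escape
from html.parser import HTMLParser


def escape_without_quotes(s):
    # Stand-in for cgi.escape(s) with its default quote=False: escapes & < > only.
    return escape(s, quote=False)


def escape_with_quotes(s):
    # Model of the behaviour the thread attributes to Utils.QuoteHyperChars:
    # the same escaping plus the double quote. Assumption, not Mailman's code.
    return escape_without_quotes(s).replace('"', "&quot;")


class _AttrCollector(HTMLParser):
    """Records the attributes a parser sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = attrs


def render_and_parse(value, escaper):
    # Hypothetical template: the value lands inside a double-quoted attribute.
    markup = '<input type="text" name="subject" value="%s">' % escaper(value)
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return markup, parser.attrs


def attribute_names(value, escaper):
    return [name for name, _ in render_and_parse(value, escaper)[1]]


# Constructed sample input containing a double quote.
SAMPLE = 'weekly digest" title="added by input'

if __name__ == "__main__":
    for escaper in (escape_without_quotes, escape_with_quotes):
        markup, attrs = render_and_parse(SAMPLE, escaper)
        print(escaper.__name__, "->", markup)
        print("  parsed attributes:", attrs)
```

With the quote left unescaped the parser sees the value end early and a separate title attribute appear; with the quote escaped the whole input stays inside value.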