[Pkg-mailman-hackers] Pkg-mailman commit - rev 768 - in trunk/debian: . patches

Thijs Kinkhorst thijs at moszumanska.debian.org
Mon Apr 6 15:50:10 UTC 2015 

Author: thijs
Date: 2015-04-06 15:50:09 +0000 (Mon, 06 Apr 2015)
New Revision: 768

Added:
   trunk/debian/patches/92_CVE-2015-2775.patch
Modified:
   trunk/debian/changelog
   trunk/debian/patches/series
Log:
Patch CVE-2015-2775 path traversal attack.


Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2014-10-07 19:21:08 UTC (rev 767)
+++ trunk/debian/changelog	2015-04-06 15:50:09 UTC (rev 768)
@@ -1,3 +1,13 @@
+mailman (1:2.1.18-2) unstable; urgency=high
+
+  * Fix security issue: path traversal through local_part.
+    Affects installations which use an Exim or Postfix transport
+    instead of fixed aliases; attacker needs to be able to place
+    files on the local filesystem.
+    (CVE-2015-2775, Closes: 781626)
+
+ -- Thijs Kinkhorst <thijs at debian.org>  Mon, 06 Apr 2015 15:36:15 +0000
+
 mailman (1:2.1.18-1) unstable; urgency=medium
 
   * New upstream release.

Added: trunk/debian/patches/92_CVE-2015-2775.patch
===================================================================
--- trunk/debian/patches/92_CVE-2015-2775.patch	                        (rev 0)
+++ trunk/debian/patches/92_CVE-2015-2775.patch	2015-04-06 15:50:09 UTC (rev 768)
@@ -0,0 +1,34 @@
+From: Mark Sapiro <mark at msapiro.net>
+Subject: Fix path traversal through local_part (CVE-2015-2775)
+Origin: upstream, https://launchpadlibrarian.net/201407944/p
+Bug: https://bugs.launchpad.net/mailman/+bug/1437145
+Bug-Debian: http://bugs.debian.org/781626
+
+diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in
+--- mailman-2.1.18.orig/Mailman/Defaults.py.in	2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Defaults.py.in	2015-04-06 15:43:20.000000000 +0000
+@@ -138,7 +138,7 @@
+ 
+ # A Python regular expression character class which defines the characters
+ # allowed in list names.  Lists cannot be created with names containing any
+-# character that doesn't match this class.
++# character that doesn't match this class.  Do not include '/' in this list.
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+ 
+ 
+diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py
+--- mailman-2.1.18.orig/Mailman/Utils.py	2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Utils.py	2015-04-06 15:43:20.000000000 +0000
+@@ -99,6 +99,12 @@
+     #
+     # The former two are for 2.1alpha3 and beyond, while the latter two are
+     # for all earlier versions.
++    #
++    # But first ensure the list name doesn't contain a path traversal
++    # attack.
++    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++        syslog('mischief', 'Hostile listname: %s', listname)
++        return False
+     basepath = Site.get_listpath(listname)
+     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+         dbfile = os.path.join(basepath, 'config' + ext)

Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series	2014-10-07 19:21:08 UTC (rev 767)
+++ trunk/debian/patches/series	2015-04-06 15:50:09 UTC (rev 768)
@@ -10,3 +10,4 @@
 79_archiver_slash.patch
 90_gettext_errors.patch
 91_utf8.patch
+92_CVE-2015-2775.patch

More information about the Pkg-mailman-hackers mailing list