[Pkg-mailman-hackers] Pkg-mailman commit - rev 798 - in branches/jessie/debian: . patches
Thijs Kinkhorst
thijs at moszumanska.debian.org
Thu Sep 15 06:13:22 UTC 2016
Author: thijs
Date: 2016-09-15 06:13:10 +0000 (Thu, 15 Sep 2016)
New Revision: 798
Added:
branches/jessie/debian/patches/93_CVE-2016-6893.patch
Modified:
branches/jessie/debian/changelog
branches/jessie/debian/patches/series
Log:
jessie-security upload for CVE-2016-6893
Modified: branches/jessie/debian/changelog
===================================================================
--- branches/jessie/debian/changelog 2016-09-15 05:41:24 UTC (rev 797)
+++ branches/jessie/debian/changelog 2016-09-15 06:13:10 UTC (rev 798)
@@ -1,3 +1,10 @@
+mailman (1:2.1.18-2+deb8u1) jessie-security; urgency=high
+
+ * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page
+ which could allow an attacker to obtain a user's password. (Closes: #835970)
+
+ -- Thijs Kinkhorst <thijs at debian.org> Thu, 15 Sep 2016 07:47:56 +0200
+
mailman (1:2.1.18-2) unstable; urgency=high
* Fix security issue: path traversal through local_part.
Added: branches/jessie/debian/patches/93_CVE-2016-6893.patch
===================================================================
--- branches/jessie/debian/patches/93_CVE-2016-6893.patch (rev 0)
+++ branches/jessie/debian/patches/93_CVE-2016-6893.patch 2016-09-15 06:13:10 UTC (rev 798)
@@ -0,0 +1,120 @@
+Description: CVE-2016-6893: CSRF protection needs to be extended to the user options page
+Author: Mark Sapiro <mark at msapiro.net>
+Last-Update: 2016-09-15
+
+diff -Nur mailman-2.1.18.orig/Mailman/Cgi/admindb.py mailman-2.1.18/Mailman/Cgi/admindb.py
+--- mailman-2.1.18.orig/Mailman/Cgi/admindb.py 2014-05-03 19:37:22.000000000 +0200
++++ mailman-2.1.18/Mailman/Cgi/admindb.py 2016-09-15 07:55:04.308506251 +0200
+@@ -39,6 +39,7 @@
+ from Mailman.Cgi import Auth
+ from Mailman.htmlformat import *
+ from Mailman.Logging.Syslog import syslog
++from Mailman.CSRFcheck import csrf_check
+
+ EMPTYSTRING = ''
+ NL = '\n'
+@@ -58,6 +59,9 @@
+ else:
+ ssort = SSENDER
+
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
++ mm_cfg.AuthListModerator)
++
+
+
+ def helds_by_skey(mlist, ssort=SSENDER):
+diff -Nur mailman-2.1.18.orig/Mailman/Cgi/edithtml.py mailman-2.1.18/Mailman/Cgi/edithtml.py
+--- mailman-2.1.18.orig/Mailman/Cgi/edithtml.py 2014-05-03 19:37:22.000000000 +0200
++++ mailman-2.1.18/Mailman/Cgi/edithtml.py 2016-09-15 07:55:04.308506251 +0200
+@@ -30,9 +30,12 @@
+ from Mailman.Cgi import Auth
+ from Mailman.Logging.Syslog import syslog
+ from Mailman import i18n
++from Mailman.CSRFcheck import csrf_check
+
+ _ = i18n._
+
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin)
++
+
+
+ def main():
+diff -Nur mailman-2.1.18.orig/Mailman/Cgi/options.py mailman-2.1.18/Mailman/Cgi/options.py
+--- mailman-2.1.18.orig/Mailman/Cgi/options.py 2014-05-03 19:37:22.000000000 +0200
++++ mailman-2.1.18/Mailman/Cgi/options.py 2016-09-15 07:55:04.308506251 +0200
+@@ -32,6 +32,7 @@
+ from Mailman import i18n
+ from Mailman.htmlformat import *
+ from Mailman.Logging.Syslog import syslog
++from Mailman.CSRFcheck import csrf_check
+
+ SLASH = '/'
+ SETLANGUAGE = -1
+@@ -46,6 +47,8 @@
+ True = 1
+ False = 0
+
++AUTH_CONTEXTS = (mm_cfg.AuthListAdmin, mm_cfg.AuthSiteAdmin,
++ mm_cfg.AuthListModerator, mm_cfg.AuthUser)
+
+
+ def main():
+diff -Nur mailman-2.1.18.orig/Mailman/htmlformat.py mailman-2.1.18/Mailman/htmlformat.py
+--- mailman-2.1.18.orig/Mailman/htmlformat.py 2016-09-15 07:54:30.000000000 +0200
++++ mailman-2.1.18/Mailman/htmlformat.py 2016-09-15 07:55:04.308506251 +0200
+@@ -406,13 +406,14 @@
+
+ class Form(Container):
+ def __init__(self, action='', method='POST', encoding=None,
+- mlist=None, contexts=None, *items):
++ mlist=None, contexts=None, user=None, *items):
+ apply(Container.__init__, (self,) + items)
+ self.action = action
+ self.method = method
+ self.encoding = encoding
+ self.mlist = mlist
+ self.contexts = contexts
++ self.user = user
+
+ def set_action(self, action):
+ self.action = action
+@@ -427,7 +428,7 @@
+ if self.mlist:
+ output = output + \
+ '<input type="hidden" name="csrf_token" value="%s">\n' \
+- % csrf_token(self.mlist, self.contexts)
++ % csrf_token(self.mlist, self.contexts, self.user)
+ output = output + Container.Format(self, indent+2)
+ output = '%s\n%s</FORM>\n' % (output, spaces)
+ return output
+diff -Nur mailman-2.1.18.orig/Mailman/HTMLFormatter.py mailman-2.1.18/Mailman/HTMLFormatter.py
+--- mailman-2.1.18.orig/Mailman/HTMLFormatter.py 2014-05-03 19:37:22.000000000 +0200
++++ mailman-2.1.18/Mailman/HTMLFormatter.py 2016-09-15 07:55:04.308506251 +0200
+@@ -28,6 +28,8 @@
+
+ from Mailman.i18n import _
+
++from Mailman.CSRFcheck import csrf_token
++
+
+ EMPTYSTRING = ''
+ BR = '<br>'
+@@ -314,12 +316,17 @@
+ container.AddItem("</center>")
+ return container
+
+- def FormatFormStart(self, name, extra=''):
++ def FormatFormStart(self, name, extra='',
++ mlist=None, contexts=None, user=None):
+ base_url = self.GetScriptURL(name)
+ if extra:
+ full_url = "%s/%s" % (base_url, extra)
+ else:
+ full_url = base_url
++ if mlist:
++ return ("""<form method="POST" action="%s">
++<input type="hidden" name="csrf_token" value="%s">"""
++ % (full_url, csrf_token(mlist, contexts, user)))
+ return ('<FORM Method=POST ACTION="%s">' % full_url)
+
+ def FormatArchiveAnchor(self):
Modified: branches/jessie/debian/patches/series
===================================================================
--- branches/jessie/debian/patches/series 2016-09-15 05:41:24 UTC (rev 797)
+++ branches/jessie/debian/patches/series 2016-09-15 06:13:10 UTC (rev 798)
@@ -11,3 +11,4 @@
90_gettext_errors.patch
91_utf8.patch
92_CVE-2015-2775.patch
+93_CVE-2016-6893.patch
More information about the Pkg-mailman-hackers
mailing list