
Bug#907899: marked as done (stretch-pu: package mailman/1:2.1.23-1+deb9u4)



Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #907899,
regarding stretch-pu: package mailman/1:2.1.23-1+deb9u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
907899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907899
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

Mailman in stretch is affected by the minor issue CVE-2018-13796,
which allows text to be injected into the "No such list" error response.
See https://bugs.launchpad.net/mailman/+bug/1780874 . This won't warrant a
DSA.

debian/changelog entry:

> mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium
> 
>   * Non-maintainer upload.
>   * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
>     (Closes: #903674)
> 
>  -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 03 Sep 2018 22:00:38 +0200

and full debdiff attached against the 1:2.1.23-1+deb9u3 version.

The issue has been tested in a container instance with the hint given by
https://bugs.launchpad.net/mailman/+bug/1780874 .

Regards,
Salvatore
diff -Nru mailman-2.1.23/debian/changelog mailman-2.1.23/debian/changelog
--- mailman-2.1.23/debian/changelog	2018-07-14 23:26:09.000000000 +0200
+++ mailman-2.1.23/debian/changelog	2018-09-03 22:00:38.000000000 +0200
@@ -1,3 +1,11 @@
+mailman (1:2.1.23-1+deb9u4) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)
+    (Closes: #903674)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 03 Sep 2018 22:00:38 +0200
+
 mailman (1:2.1.23-1+deb9u3) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
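
Review bot: The second bullet of the new 1:2.1.23-1+deb9u4 entry names the vulnerability but not the change made, so the changelog does not say that the issue is fixed or which patch carries the fix. Wording such as "Fix arbitrary text injection vulnerability in Mailman CGIs (CVE-2018-13796)" with a mention of 94_CVE-2018-13796.patch would make the entry self-explanatory to someone reading only the changelog.
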
diff -Nru mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch
--- mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch	1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.23/debian/patches/94_CVE-2018-13796.patch	2018-09-03 22:00:38.000000000 +0200
@@ -0,0 +1,49 @@
+Description: Arbitrary text injection vulnerability in Mailman CGIs
+Origin: upstream, https://bugs.launchpad.net/mailman/+bug/1780874/+attachment/5167324/+files/patch.txt
+Bug: https://bugs.launchpad.net/mailman/+bug/1780874
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-13796
+Bug-Debian: https://bugs.debian.org/903674
+Forwarded: not-needed
+Author: Mark Sapiro <mark@msapiro.net>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2018-07-25
+Applied-Upstream: 2.1.29
+
+=== modified file 'Mailman/Utils.py'
+--- a/Mailman/Utils.py	2018-07-11 06:52:22 +0000
++++ b/Mailman/Utils.py	2018-07-24 21:48:54 +0000
+@@ -280,17 +280,28 @@
+ def GetPathPieces(envar='PATH_INFO'):
+     path = os.environ.get(envar)
+     if path:
++        remote = os.environ.get('HTTP_FORWARDED_FOR',
++                 os.environ.get('HTTP_X_FORWARDED_FOR',
++                 os.environ.get('REMOTE_ADDR',
++                                'unidentified origin')))
+         if CRNLpat.search(path):
+             path = CRNLpat.split(path)[0]
+-            remote = os.environ.get('HTTP_FORWARDED_FOR',
+-                     os.environ.get('HTTP_X_FORWARDED_FOR',
+-                     os.environ.get('REMOTE_ADDR',
+-                                    'unidentified origin')))
+             syslog('error',
+                 'Warning: Possible malformed path attack domain=%s remote=%s',
+                    get_domain(),
+                    remote)
+-        return [p for p in path.split('/') if p]
++        # Check for listname injections that won't be websafed.
++        pieces = [p for p in path.split('/') if p]
++        # Get the longest listname or 20 if none.
++        if list_names():
++            longest = max([len(x) for x in list_names()])
++        else:
++            longest = 20
++        if pieces and len(pieces[0]) > longest:
++            syslog('mischief',
++               'Hostile listname: listname=%s: remote=%s', pieces[0], remote)
++            pieces[0] = pieces[0][:longest] + '...'
++        return pieces
+     return None
+ 
+ 
+
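
Review bot: The length check on pieces[0] at the end of GetPathPieces limits how much injected text survives but does not reject it: a first path component no longer than the longest existing list name (or 20 when there are no lists) is returned unchanged, and a longer one is returned as its first `longest` characters plus '...'. The bound therefore grows with the longest list name on the site, which is worth stating in the code comment or the patch Description so the fix is not read as a complete filter. In the same branch list_names() is called twice, once in the `if` and once inside `max(...)`; calling it once and reusing the result would be tidier. The 'mischief' log line also records the full, untruncated pieces[0] next to a `remote` value that prefers HTTP_FORWARDED_FOR and HTTP_X_FORWARDED_FOR over REMOTE_ADDR, so both fields can be chosen by the client; truncating the logged name and logging REMOTE_ADDR alongside the forwarded value would make the entry more useful for attribution.
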
diff -Nru mailman-2.1.23/debian/patches/series mailman-2.1.23/debian/patches/series
--- mailman-2.1.23/debian/patches/series	2018-07-14 23:26:09.000000000 +0200
+++ mailman-2.1.23/debian/patches/series	2018-09-03 22:00:38.000000000 +0200
@@ -12,3 +12,4 @@
 91_utf8.patch
 92_CVE-2018-5950.patch
 93_CVE-2018-0618.patch
+94_CVE-2018-13796.patch

--- End Message ---
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
