tags 339095 -unreproducible
tags 339095 +security patch
thanks

Hi,

I've noticed that an issue I have fixed in Mailman in sid has been issued a CVE and that Mandrake has issued a security advisory over it.

I haven't been able to reproduce the DoS part of the report, so I didn't treat it as a security issue up to now. It seems the DoS part happens only on lists that have digest members (this explains why I would have missed it).

Attached is the same patch applied to the package in unstable; please issue a DSA as appropriate.

--
Lionel

diff --recursive -uN mailman-2.1.5.pristine/debian/changelog mailman-2.1.5.security/debian/changelog
--- mailman-2.1.5.pristine/debian/changelog 2005-12-14 12:09:41.944679989 +0100
+++ mailman-2.1.5.security/debian/changelog 2005-12-14 12:14:12.163523006 +0100
@@ -1,3 +1,11 @@
+mailman (2.1.5-8sarge1) stable-security; urgency=low
+
+ * Don't fall apart if the filename of an attachment is an invalid UTF-8
+ string, which leads to a DoS attack (closes: #339095)
+ This is CVE-2005-3573
+
+ -- Lionel Elie Mamane <lmamane@debian.org> Wed, 14 Dec 2005 12:13:45 +0100
+
mailman (2.1.5-8) unstable; urgency=low
* Add Italian debconf translation (closes: #278562)
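Review bot: urgency=low on the new 2.1.5-8sarge1 entry looks inconsistent with a stable-security upload whose own text describes a DoS and cites CVE-2005-3573; consider raising the urgency. The entry would also be easier to audit if it named the file touched (Mailman/Handlers/Scrubber.py) and the patch (70_invalid_utf8_dos) instead of "Don't fall apart".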
diff --recursive -uN mailman-2.1.5.pristine/debian/patches/00list mailman-2.1.5.security/debian/patches/00list
--- mailman-2.1.5.pristine/debian/patches/00list 2005-12-14 12:09:41.717711648 +0100
+++ mailman-2.1.5.security/debian/patches/00list 2005-12-14 12:11:25.000304970 +0100
@@ -32,4 +32,5 @@
65_donot_add_empty_cc
66_donot_let_cache_html_pages
67_update_handle_old_versions
+70_invalid_utf8_dos
99_js_templates
diff --recursive -uN mailman-2.1.5.pristine/debian/patches/70_invalid_utf8_dos.dpatch mailman-2.1.5.security/debian/patches/70_invalid_utf8_dos.dpatch
--- mailman-2.1.5.pristine/debian/patches/70_invalid_utf8_dos.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.5.security/debian/patches/70_invalid_utf8_dos.dpatch 2005-12-14 12:18:27.017561090 +0100
@@ -0,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 70_invalid_utf8_dos.dpatch by <lionel@mamane.lu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Avoid DOS if attachement filename is invalid Unicode string
+
+@DPATCH@
+diff -urNad mailman-2.1.5~/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
+--- mailman-2.1.5~/Mailman/Handlers/Scrubber.py 2003-12-01 02:43:18.000000000 +0100
++++ mailman-2.1.5/Mailman/Handlers/Scrubber.py 2005-11-13 15:29:26.585952860 +0100
+@@ -266,7 +266,10 @@
+ finally:
+ os.umask(omask)
+ desc = part.get('content-description', _('not available'))
+- filename = part.get_filename(_('not available'))
++ try:
++ filename = part.get_filename(_('not available'))
++ except UnicodeDecodeError:
++ filename = _('not available')
+ del part['content-type']
+ del part['content-transfer-encoding']
+ part.set_payload(_("""\
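Review bot: the except clause around part.get_filename(_('not available')) catches only UnicodeDecodeError, so any other error raised while decoding a malformed filename parameter (another UnicodeError subclass, or a LookupError if an unknown charset name can reach the decoder) would still propagate out of the handler. Consider catching UnicodeError, plus LookupError if get_filename can raise it here, and assigning the _('not available') default once before the try so the fallback string is not repeated.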
+@@ -356,7 +359,10 @@
+ # e.g. image/jpg (should be image/jpeg). For now we just store such
+ # things as application/octet-streams since that seems the safest.
+ ctype = msg.get_content_type()
+- fnext = os.path.splitext(msg.get_filename(''))[1]
++ try:
++ fnext = os.path.splitext(msg.get_filename(''))[1]
++ except UnicodeDecodeError:
++ fnext = ''
+ ext = guess_extension(ctype, fnext)
+ if not ext:
+ # We don't know what it is, so assume it's just a shapeless
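Review bot: in the hunk at -356, msg.get_filename('') is decoded and guarded here, and the hunk at -375 decodes and guards msg.get_filename() again on the same msg. Calling it once inside a single try/except and deriving both fnext and filename from that result would remove the duplicated handler and guarantee both values come from the same fallback.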
+@@ -375,7 +381,10 @@
+ try:
+ # Now base the filename on what's in the attachment, uniquifying it if
+ # necessary.
+- filename = msg.get_filename()
++ try:
++ filename = msg.get_filename()
++ except UnicodeDecodeError:
++ filename = None
+ if not filename:
+ filebase = 'attachment'
+ else:
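Review bot: the new except branch at -375 sets filename = None and continues silently to filebase = 'attachment', so a message carrying an undecodable filename leaves no trace. Since this condition is what the changelog describes as the DoS trigger, log it in the except branch (list name and message-id if available) so operators can spot such messages; a regression test with an invalid UTF-8 filename would also help.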