Re: Mailman DoS CVE-2005-3573, debbug #339095
On Wed, Dec 14, 2005 at 12:25:50PM +0100, Lionel Elie Mamane wrote:
> I've noticed that an issue I have fixed in Mailman in sid has been
> issued a CVE and that Mandrake has issued a security advisory over
> it.
The Mandrake security advisory also covers another DoS that's - again
- already fixed in unstable (in 1.2.5-10). Debian bug #326024 . The
problem is when the year in the date of the message gives an integer
overflow.
Cumulative patch for both issues attached.
--
Lionel
diff --recursive -uN mailman-2.1.5.pristine/debian/changelog mailman-2.1.5.security/debian/changelog
--- mailman-2.1.5.pristine/debian/changelog 2005-12-14 12:09:41.944679989 +0100
+++ mailman-2.1.5.security/debian/changelog 2005-12-14 15:24:12.252763977 +0100
@@ -1,3 +1,13 @@
+mailman (2.1.5-8sarge1) stable-security; urgency=high
+
+ * Don't fall apart if the filename of an attachment is an invalid UTF-8
+ string, which leads to a DoS attack (closes: #339095)
+ This is CVE-2005-3573
+ * Don't die on overflow in date handling, which could lead to a DoS
+ attack (closes: #326024)
+
+ -- Lionel Elie Mamane <lmamane@debian.org> Wed, 14 Dec 2005 15:24:12 +0100
+
mailman (2.1.5-8) unstable; urgency=low
* Add Italian debconf translation (closes: #278562)
diff --recursive -uN mailman-2.1.5.pristine/debian/patches/00list mailman-2.1.5.security/debian/patches/00list
--- mailman-2.1.5.pristine/debian/patches/00list 2005-12-14 12:09:41.717711648 +0100
+++ mailman-2.1.5.security/debian/patches/00list 2005-12-14 15:21:24.139901102 +0100
@@ -32,4 +32,6 @@
65_donot_add_empty_cc
66_donot_let_cache_html_pages
67_update_handle_old_versions
+70_invalid_utf8_dos
+71_date_overflows.dpatch
99_js_templates
diff --recursive -uN mailman-2.1.5.pristine/debian/patches/70_invalid_utf8_dos.dpatch mailman-2.1.5.security/debian/patches/70_invalid_utf8_dos.dpatch
--- mailman-2.1.5.pristine/debian/patches/70_invalid_utf8_dos.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.5.security/debian/patches/70_invalid_utf8_dos.dpatch 2005-12-14 12:18:27.017561090 +0100
@@ -0,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 70_invalid_utf8_dos.dpatch by <lionel@mamane.lu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Avoid DOS if attachement filename is invalid Unicode string
+
+@DPATCH@
+diff -urNad mailman-2.1.5~/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
+--- mailman-2.1.5~/Mailman/Handlers/Scrubber.py 2003-12-01 02:43:18.000000000 +0100
++++ mailman-2.1.5/Mailman/Handlers/Scrubber.py 2005-11-13 15:29:26.585952860 +0100
+@@ -266,7 +266,10 @@
+ finally:
+ os.umask(omask)
+ desc = part.get('content-description', _('not available'))
+- filename = part.get_filename(_('not available'))
++ try:
++ filename = part.get_filename(_('not available'))
++ except UnicodeDecodeError:
++ filename = _('not available')
+ del part['content-type']
+ del part['content-transfer-encoding']
+ part.set_payload(_("""\
+@@ -356,7 +359,10 @@
+ # e.g. image/jpg (should be image/jpeg). For now we just store such
+ # things as application/octet-streams since that seems the safest.
+ ctype = msg.get_content_type()
+- fnext = os.path.splitext(msg.get_filename(''))[1]
++ try:
++ fnext = os.path.splitext(msg.get_filename(''))[1]
++ except UnicodeDecodeError:
++ fnext = ''
+ ext = guess_extension(ctype, fnext)
+ if not ext:
+ # We don't know what it is, so assume it's just a shapeless
+@@ -375,7 +381,10 @@
+ try:
+ # Now base the filename on what's in the attachment, uniquifying it if
+ # necessary.
+- filename = msg.get_filename()
++ try:
++ filename = msg.get_filename()
++ except UnicodeDecodeError:
++ filename = None
+ if not filename:
+ filebase = 'attachment'
+ else:
diff --recursive -uN mailman-2.1.5.pristine/debian/patches/71_date_overflows.dpatch mailman-2.1.5.security/debian/patches/71_date_overflows.dpatch
--- mailman-2.1.5.pristine/debian/patches/71_date_overflows.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ mailman-2.1.5.security/debian/patches/71_date_overflows.dpatch 2005-12-14 15:19:51.722090951 +0100
@@ -0,0 +1,40 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 71_date_overflows.dpatch by <lionel@mamane.lu>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: React sensibly on integer overflow in date handling
+
+@DPATCH@
+diff -urNad mailman-2.1.5~/Mailman/Handlers/Scrubber.py mailman-2.1.5/Mailman/Handlers/Scrubber.py
+--- mailman-2.1.5~/Mailman/Handlers/Scrubber.py 2005-11-13 17:14:04.000000000 +0100
++++ mailman-2.1.5/Mailman/Handlers/Scrubber.py 2005-11-13 17:44:31.308551771 +0100
+@@ -113,7 +113,7 @@
+ def safe_strftime(fmt, floatsecs):
+ try:
+ return time.strftime(fmt, floatsecs)
+- except (TypeError, ValueError):
++ except (OverflowError, TypeError, ValueError):
+ return None
+
+
+@@ -142,7 +142,7 @@
+ }.get(parts[3], 0)
+ day = int(parts[4])
+ year = int(parts[6])
+- except (IndexError, ValueError):
++ except (OverflowError, IndexError, ValueError):
+ # Best we can do I think
+ month = day = year = 0
+ datedir = '%04d%02d%02d' % (year, month, day)
+diff -urNad mailman-2.1.5~/Mailman/Queue/ArchRunner.py mailman-2.1.5/Mailman/Queue/ArchRunner.py
+--- mailman-2.1.5~/Mailman/Queue/ArchRunner.py 2003-12-01 02:50:40.000000000 +0100
++++ mailman-2.1.5/Mailman/Queue/ArchRunner.py 2005-11-13 17:43:38.642854438 +0100
+@@ -49,7 +49,7 @@
+ elif abs(now - mktime_tz(tup)) > \
+ mm_cfg.ARCHIVER_ALLOWABLE_SANE_DATE_SKEW:
+ clobber = 1
+- except ValueError:
++ except (OverflowError, ValueError):
+ # The likely cause of this is that the year in the Date: field
+ # is horribly incorrect, e.g. (from SF bug # 571634):
+ # Date: Tue, 18 Jun 0102 05:12:09 +0500
Reply to: