I've just uploaded version 1.2.4-1 of enemies-of-carlotta to unstable. It contains a fix for CVE-2006-5875 (and only that fix), a security problem involving badly quoted shell arguments. Please allow the new version to enter etch as soon as possible. I have attached the debdiff from the previous version (1.2.3-1), currently in etch. If there's anything I forgot to do to make this easier, please tell me.
diff -Nru /tmp/m0YNIVzyAI/enemies-of-carlotta-1.2.3/debian/changelog /tmp/WJGmpSGD2g/enemies-of-carlotta-1.2.4/debian/changelog
--- /tmp/m0YNIVzyAI/enemies-of-carlotta-1.2.3/debian/changelog 2006-12-13 15:51:48.000000000 +0200
+++ /tmp/WJGmpSGD2g/enemies-of-carlotta-1.2.4/debian/changelog 2006-12-13 15:51:48.000000000 +0200
@@ -1,3 +1,13 @@
+enemies-of-carlotta (1.2.4-1) unstable; urgency=high
+
+ * Security fix for CVE-2006-5875. There is no bug report for this, the
+ problem was reported privately to me by Antti-Juhani Kaijanaho.
+ * EoC did not correctly deal with SMTP level e-mail addresses that contain
+ shell meta characters. This has been fixed by running /usr/sbin/sendmail
+ via fork and exec, instead of os.popen.
+
+ -- Lars Wirzenius <liw@iki.fi> Sun, 9 Dec 2006 15:49:22 +0200
+
enemies-of-carlotta (1.2.3-1) unstable; urgency=low
* New upstream version:
diff -Nru /tmp/m0YNIVzyAI/enemies-of-carlotta-1.2.3/eoc.py /tmp/WJGmpSGD2g/enemies-of-carlotta-1.2.4/eoc.py
--- /tmp/m0YNIVzyAI/enemies-of-carlotta-1.2.3/eoc.py 2006-11-10 19:34:52.000000000 +0200
+++ /tmp/WJGmpSGD2g/enemies-of-carlotta-1.2.4/eoc.py 2006-12-13 15:30:02.000000000 +0200
@@ -4,7 +4,7 @@
address commands. See manual page for more information.
"""
-VERSION = "1.2.3"
+VERSION = "1.2.4"
PLUGIN_INTERFACE_VERSION = "1"
import getopt
@@ -80,6 +80,34 @@
def md5sum_as_hex(s):
return md5.new(s).hexdigest()
+
+def forkexec(argv, text):
+ """Run a command (given as argv array) and write text to its stdin"""
+ (r, w) = os.pipe()
+ pid = os.fork()
+ if pid == -1:
+ raise Exception("fork failed")
+ elif pid == 0:
+ os.dup2(r, 0)
+ os.close(r)
+ os.close(w)
+ fd = os.open("/dev/null", os.O_RDWR)
+ os.dup2(fd, 1)
+ os.dup2(fd, 2)
+ os.execvp(argv[0], argv)
+ sys.exit(1)
+ else:
+ os.close(r)
+ os.write(w, text)
+ os.close(w)
+ (pid2, exit) = os.waitpid(pid, 0)
+ if pid != pid2:
+ raise Exception("os.waitpid for %d returned for %d" % (pid, pid2))
+ if exit != 0:
+ raise Exception("subprocess failed, exit=0x%x" % exit)
+ return exit
+
+
environ = None
def set_environ(new_environ):
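Review bot: forkexec never returns a non-zero status: the `if exit != 0` check raises before `return exit` is reached, so the return value is always 0 and any caller testing it gets a dead branch; either return the decoded status (`os.WEXITSTATUS(exit)` when `os.WIFEXITED(exit)`) and let the caller report it, or document that failure is signalled by exception only. In the child, if `os.execvp` fails (sendmail missing or not executable) it raises OSError and `sys.exit(1)` is never reached, so the exception unwinds through the parent's frames inside the forked process; wrap the exec in try/except and finish with `os._exit(1)`, which also skips the parent's atexit handlers. Two smaller points: `os.fork()` raises OSError rather than returning -1, so the `pid == -1` branch is dead, and the single `os.write(w, text)` should loop on its return value, since a write of a large message to a pipe may be partial.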
@@ -411,14 +439,8 @@
error("Error sending QMQP mail, mail probably not sent")
sys.exit(1)
else:
- recipients = string.join(recipients, " ")
- f = os.popen("%s -oi -f '%s' %s" %
- (self.sendmail,
- envelope_sender,
- recipients),
- "w")
- f.write(text)
- status = f.close()
+ status = forkexec([self.sendmail, "-oi", "-f",
+ envelope_sender] + recipients, text)
if status:
error("%s returned %s, mail sending probably failed" %
(self.sendmail, status))
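Review bot: the `if status:` branch is now unreachable, because forkexec raises on any non-zero wait status before returning, so a failing sendmail surfaces as an uncaught exception with `exit=0x...` instead of the `error("%s returned %s, ...")` message this code expects to print; either catch the exception here and call error(), or change forkexec to return the status. Passing `envelope_sender` and each recipient as separate argv elements is the right fix for the quoting problem; as a defensive extra, consider inserting `"--"` before `recipients` where the configured sendmail supports it, so an address beginning with `-` cannot be parsed as an option.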
diff -Nru /tmp/m0YNIVzyAI/enemies-of-carlotta-1.2.3/NEWS /tmp/WJGmpSGD2g/enemies-of-carlotta-1.2.4/NEWS
--- /tmp/m0YNIVzyAI/enemies-of-carlotta-1.2.3/NEWS 2006-11-10 19:34:52.000000000 +0200
+++ /tmp/WJGmpSGD2g/enemies-of-carlotta-1.2.4/NEWS 2006-12-13 15:30:02.000000000 +0200
@@ -1,5 +1,11 @@
NEWS file for Enemies of Carlotta, a mailing list manager
+Significant user-visible changes from version 1.2.3 to version 1.2.4:
+
+ * A fix to CVE-2006-5875, a security problem where EoC did not quote
+ shell command line arguments properly. Thanks to Antti-Juhani
+ Kaijanaho for finding the problem.
+
Significant user-visible changes from version 1.2.2 to version 1.2.3:
* When there is a problem with MIME header encodings, don't kill EoC,