
Bug#782146: unblock: mailman/1:2.1.18-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mailman.

The diff is a security fix for CVE-2015-2775.

unblock mailman/1:2.1.18-2


Thanks,
Thijs
diff -Nru mailman-2.1.18/debian/changelog mailman-2.1.18/debian/changelog
--- mailman-2.1.18/debian/changelog	2014-07-10 18:01:59.000000000 +0000
+++ mailman-2.1.18/debian/changelog	2015-04-06 15:37:32.000000000 +0000
@@ -1,3 +1,13 @@
+mailman (1:2.1.18-2) unstable; urgency=high
+
+  * Fix security issue: path traversal through local_part.
+    Affects installations which use an Exim or Postfix transport
+    instead of fixed aliases; attacker needs to be able to place
+    files on the local filesystem.
+    (CVE-2015-2775, Closes: 781626)
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Mon, 06 Apr 2015 15:36:15 +0000
+
 mailman (1:2.1.18-1) unstable; urgency=medium
 
   * New upstream release.
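Review bot: The changelog entry documents only the CVE-2015-2775 fix, but the rest of this diff also drops an Uploader from debian/control and rewrites the `$URL:` keyword in debian/config, postinst, postrm, preinst.in, prerm and templates. Either add a changelog line for those changes or leave them out of a freeze-exception upload that is meant to carry the security fix only. The `(CVE-2015-2775, Closes: 781626)` line itself is accepted by dpkg's parser, although the usual Debian form is `Closes: #781626`.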
diff -Nru mailman-2.1.18/debian/config mailman-2.1.18/debian/config
--- mailman-2.1.18/debian/config	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/config	2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
 #! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/config $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/config $
 # $Id: config 693 2011-10-08 15:30:38Z thijs $
 
 . /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/control mailman-2.1.18/debian/control
--- mailman-2.1.18/debian/control	2014-07-10 18:19:25.000000000 +0000
+++ mailman-2.1.18/debian/control	2015-04-06 15:30:32.000000000 +0000
@@ -4,7 +4,6 @@
 Maintainer: Mailman for Debian <pkg-mailman-hackers@lists.alioth.debian.org>
 Uploaders: Lionel Elie Mamane <lmamane@debian.org>,
  Thijs Kinkhorst <thijs@debian.org>,
- Thorsten Glaser <tg@mirbsd.de>,
  Hector Garcia <hector@debian.org>
 Build-Depends: debhelper (>= 7), autoconf, python-dev (>= 2.6.6-3~), gettext, python-dnspython
 Standards-Version: 3.9.5
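Review bot: The removal of `- Thorsten Glaser <tg@mirbsd.de>,` from Uploaders is unrelated to the security fix the unblock request describes as the content of the diff; it is harmless for the build but is an undocumented maintainer-metadata change and should either be mentioned in the changelog or dropped from this upload.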
diff -Nru mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch
--- mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch	1970-01-01 00:00:00.000000000 +0000
+++ mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch	2015-04-06 15:44:18.000000000 +0000
@@ -0,0 +1,34 @@
+From: Mark Sapiro <mark@msapiro.net>
+Subject: Fix path traversal through local_part (CVE-2015-2775)
+Origin: upstream, https://launchpadlibrarian.net/201407944/p
+Bug: https://bugs.launchpad.net/mailman/+bug/1437145
+Bug-Debian: http://bugs.debian.org/781626
+
+diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in
+--- mailman-2.1.18.orig/Mailman/Defaults.py.in	2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Defaults.py.in	2015-04-06 15:43:20.000000000 +0000
+@@ -138,7 +138,7 @@
+ 
+ # A Python regular expression character class which defines the characters
+ # allowed in list names.  Lists cannot be created with names containing any
+-# character that doesn't match this class.
++# character that doesn't match this class.  Do not include '/' in this list.
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+ 
+ 
+diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py
+--- mailman-2.1.18.orig/Mailman/Utils.py	2014-05-03 17:37:22.000000000 +0000
++++ mailman-2.1.18/Mailman/Utils.py	2015-04-06 15:43:20.000000000 +0000
+@@ -99,6 +99,12 @@
+     #
+     # The former two are for 2.1alpha3 and beyond, while the latter two are
+     # for all earlier versions.
++    #
++    # But first ensure the list name doesn't contain a path traversal
++    # attack.
++    if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname)) > 0:
++        syslog('mischief', 'Hostile listname: %s', listname)
++        return False
+     basepath = Site.get_listpath(listname)
+     for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+         dbfile = os.path.join(basepath, 'config' + ext)
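Review bot: The new check in Utils.py enforces whatever `mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS` the site has configured, while the Defaults.py.in change only adds the comment "Do not include '/' in this list." An administrator who overrides that setting in mm_cfg.py to include `/` silently reintroduces the traversal, so consider rejecting `/` (or `os.sep`) unconditionally before the `re.sub()` test, independent of the configured class. The test itself is sound for the shipped default `'[-+_.=a-z0-9]'`: stripping every allowed character and checking for a non-empty remainder rejects any `/` and therefore any `../` sequence before `Site.get_listpath(listname)` builds a path from it. Two smaller points: the `Origin:` URL `https://launchpadlibrarian.net/201407944/p` looks truncated and should be checked against the upstream download, and the patch assumes `re` and `syslog` are already imported in Utils.py, which holds for Mailman 2.1 but is worth confirming when the patch is refreshed.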
diff -Nru mailman-2.1.18/debian/patches/series mailman-2.1.18/debian/patches/series
--- mailman-2.1.18/debian/patches/series	2014-07-10 17:59:41.000000000 +0000
+++ mailman-2.1.18/debian/patches/series	2015-04-06 15:36:11.000000000 +0000
@@ -10,3 +10,4 @@
 79_archiver_slash.patch
 90_gettext_errors.patch
 91_utf8.patch
+92_CVE-2015-2775.patch
diff -Nru mailman-2.1.18/debian/postinst mailman-2.1.18/debian/postinst
--- mailman-2.1.18/debian/postinst	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/postinst	2015-04-06 15:30:32.000000000 +0000
@@ -7,7 +7,7 @@
 # Other modifications 2004-2007 by other maintainers of the Debian package:
 #      Lionel Elie Mamane, Thijs Kinkhorst, Riccardo Setti, Matej Vela, Hector Garcia, László Böszörményi, Bernd S. Brentrup, ...
 #
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postinst $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postinst $
 # $Id: postinst 693 2011-10-08 15:30:38Z thijs $
 #
 . /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/postrm mailman-2.1.18/debian/postrm
--- mailman-2.1.18/debian/postrm	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/postrm	2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
 #! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postrm $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postrm $
 # $Id: postrm 600 2009-01-08 20:54:48Z thijs $
 
 #DEBHELPER#
diff -Nru mailman-2.1.18/debian/preinst.in mailman-2.1.18/debian/preinst.in
--- mailman-2.1.18/debian/preinst.in	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/preinst.in	2015-04-06 15:30:32.000000000 +0000
@@ -1,5 +1,5 @@
 #!/bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/preinst.in $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/preinst.in $
 # $Id: preinst.in 704 2012-03-18 13:14:40Z thijs $
 
 . /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/prerm mailman-2.1.18/debian/prerm
--- mailman-2.1.18/debian/prerm	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/prerm	2015-04-06 15:30:32.000000000 +0000
@@ -3,7 +3,7 @@
 # prerm script for Debian python packages.
 # Written 1998 by Gregor Hoffleit <flight@debian.org>.
 #
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/prerm $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/prerm $
 # $Id: prerm 421 2006-10-08 12:50:00Z giskard-guest $
 
 if [ "$1" = "failed-upgrade" ] ; then
diff -Nru mailman-2.1.18/debian/templates mailman-2.1.18/debian/templates
--- mailman-2.1.18/debian/templates	2012-06-16 09:50:23.000000000 +0000
+++ mailman-2.1.18/debian/templates	2015-04-06 15:30:33.000000000 +0000
@@ -1,4 +1,4 @@
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/templates $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/templates $
 # $Id: templates 693 2011-10-08 15:30:38Z thijs $
 Template: mailman/site_languages
 Type: multiselect
